KeyFi Privacy Policy

KeyFi Issuer LLC, a Saint Vincent and Grenadines limited liability company, together with its affiliates ("KeyFi," "we," "us," or "our"), are committed to being responsible custodians of information.

This KeyFi Privacy Policy (the "Privacy Policy") describes how we may collect, use, and share information about you and other users ("Users," "you," or "your") of our services.

We recommend that you read this Privacy Policy in full to ensure you are fully informed. If you have any questions about this Privacy Policy or about our data practices, please contact us at info@keyfi.ai.

This Privacy Policy describes:

• the types of information we may collect;
• how we use the information we collect;
• how we may share the information we collect;
• the legal basis for using personal information;
• how we protect and store the information we collect;
• third-party services and content;
• your choices and rights;
• changes to this Privacy Policy; and
• how to contact us.

The Types of Information We Collect

We may collect and receive information about you from various sources, including: (a) directly from you when you provide it to us, (b) indirectly from you when you use our services, and (c) from third-party websites, services, and partners.

"Personal information" is any information that can be used to identify you or that we can link to you as an individual. We collect your personal information when you provide it to us.

Information you provide to us directly

You can use some of our services without providing us with any personal information. However, some of our services require that you register for an account, which requires that you provide us with personal information. Specifically, if you apply for a credential from us regarding your digital identity, this would require by its nature that you provide substantial personal information, including, without limitation, information and documents related to your identity, status, residence and ownership of an address on the Ethereum protocol. We may also collect information as to your location through your internet protocol address (IP address). We may use this information to provide you with content based on your location.

If you contact us directly, we may also receive personal information and other information about you, such as your name, title, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide. We may also receive a confirmation when you open an email from us.

Information we may collect indirectly

We use browser cookies and similar tracking technologies (collectively, "Cookies") to collect and store certain information when you use, access, or interact with our services.

Cookies are small files of information, usually stored on your application, computer or device, that allows our web servers or our third-party services to recognize you. We store information that we collect through Cookies to record your preferences, settings and status for our services and to analyze how you use our services. In some countries, including countries in the European Economic Area ("EEA"), the information referenced above in this paragraph may be considered personal information under applicable data protection laws. (More details below under the section entitled "Your Choices and Rights.")

With Cookies, we may, for example, collect information about the type of device you use to access our services, the operating system and version, your IP address, your general geographic location as indicated by your IP address, your browser type, and data on your interaction with our services (such as search terms you enter or your frequency of usage, including your usage across different websites and applications). We may also collect data regarding the functionality of our services, including system-level metrics, to help us operate, maintain and improve the performance and utilization of our services, to develop new features, protect the security and safety of our services and our customers, and to provide customer support. We also use this data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.

Information we may collect from third party sources

We may receive information about you from third parties that help us update, expand, and analyze our records, and to prevent or detect fraud. If you choose to link our services to a third-party account, we will receive information about that account, such as your authentication token from the third-party account, to authorize linking. Please note that the information we may receive is governed by the privacy settings, policies, and/or procedures of the third party.

We may also collect information from social media platforms that share information about how you interact with our social media content. Further, we may also receive publicly-available information about you from our third-party partners and combine it with data that we have about you.

If you apply for a credential from us regarding your digital identity, we receive extensive information from our third-party contractors (or subcontractors) regarding your identity status with regard to various "anti-money laundering" and "combating terrorist financing" controls, including, without limitation, whether your identity is listed on various governmental sanctions lists.

How We Use the Information We Collect

We use the information we collect in various ways, including to:

• provide, operate, and maintain our services;
• improve, personalize, and expand our services;
• understand and analyze how you use our services;
• develop new products, services, features, and functionality;
• communicate with you (either directly or through one of our partners) in order to provide customer service, to provide updates and other information relating to our services;
• understand how people use our services, including by generating and analyzing statistics;
• support KeyFi’s business purposes, including data analysis; invoicing, detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringement; and
• comply and enforce applicable regulations and agreements, including enforcing our terms of service/terms and conditions, or other legal rights, obligations or provisions, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.

The above uses may involve information that has been aggregated so that the data is no longer capable of identifying an individual. This aggregated data may also be used by us to generate and commercialize insights.

How We May Share the Information We Collect

We may share the personal information we collect with our affiliates and with our third-party contractors or subcontractors. We may also share the information we collect in various ways, including the following:

Other Users. We may share your information with relying parties and other users on the SelfKey web app or mobile apps;

Employees and Contractors of KeyFi. Our employees, contractors and subcontractors may be given access to any information that we collect through our services. Our employees, contractors and subcontractors are required to keep this information confidential and are not permitted to use it for any purposes other than to enable you to use our services or to deal with requests that you submit to us.

Vendors and Service Providers. We may share information with third-party vendors and service providers that provide services on our behalf in order to allow them to assist us in (a) providing our services, (b) promoting and/or marketing our services or other services or products, and (c) providing you with information, such as product announcements, software updates, special offers.

Third-Party Partners. We also share information about users with third-party partners in order to receive additional publicly-available information about you;

Information We Share When You Sign Up Through a Referral. If you sign up for an account through a referral from a friend, we may share information with your referrer to let them know that you used their referral to sign up;

Analytics. We use analytics providers such as Google Analytics. Google Analytics uses cookies to collect non-identifying information. Google provides some additional privacy options regarding its Analytics cookies here;

Business Transfers. Information may be disclosed and otherwise transferred to any potential acquirer, successor, or assignee as part of any proposed merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets;

As Required By Law and Similar Disclosures. We may also share information to (a) satisfy any applicable law, regulation, legal process, or governmental request; (b) enforce this Privacy Policy, our terms of service or our terms and conditions, including investigation of potential violations hereof or thereof; (c) detect, prevent, or otherwise address fraud, security, or technical issues; (d) respond to your requests; or (e) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention;

With Your Consent. We may share information with your consent;

Aggregate Information. As legally permissible, we may use and share information about Users with our partners in aggregated or de-identified form that cannot reasonably be used to identify you.

Legal Basis for Using Personal Information

Our legal basis for collecting and using personal information will depend on the personal information concerned and the specific context in which we collect it.

However, we normally collect and use your personal information only when doing so (a) is needed in order to perform our contractual or legal obligations to you; (b) is in our legitimate interests and not overridden by your rights; or (c) is done with your consent. We have a legitimate interest in operating our services and communicating with you as necessary to provide these services, for example when responding to your queries, improving our platform, undertaking marketing, or for the purposes of detecting or preventing illegal activities.

If we ask you to provide personal information to comply with a legal requirement or to perform our contractual obligations with you, we will make this clear at the relevant time and will advise you whether the provision of your personal information is mandatory, which includes the possible consequences of not providing your personal information.

When required by applicable law, we will rely on your consent for direct marketing and to collect information from your device or computer. You may withdraw any consent you have granted for use of your personal information by contacting us through the information we provide under the section entitled "Contact Us" below.

Note, however, that if you apply for and receive a digital identity credential from us, some information (or derivative information) about you may remain publicly-available despite you withdrawing consent for use of your personal information. Due to the openly-accessible and possibly permanent nature of the Ethereum protocol, certain information could be derived about you after receiving a digital identity credential, including:

(1) your address on the Ethereum protocol could be tied to a payment for an application for a digital identity credential; and

(2) such an address can be associated with a hash or whitelist of addresses implying that your specific address received a digital identity credential. Any hash associated with your address, however, would be only a cryptographic digest, created via a one way function, and should not feasibly be able to be decrypted to derive any personally identifiable information.

How We Protect and Store The Information We Collect

We deploy administrative, technical, and physical safeguards designed to comply with applicable legal requirements and safeguard the information that we collect.

However, no information system can be 100% secure, so we cannot guarantee the absolute security of your information. Moreover, information you transmit to us over networks that we do not control, including the Internet, wireless networks, and the Ethereum protocol, may be compromised.

Our services are controlled and operated by us out of Saint Vincent and the Grenadines. We may store the information we collect in the EEA (where our hosting is located) or in other countries where we or our service providers have facilities. We may transfer information to countries outside of your country of residence which may have data protection laws and regulations that differ from those in your country.

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).

We retain the information we collect for no longer than is reasonably necessary to fulfil the purposes for which we collect the information and to comply with our legal obligations.

Third-party Services And Content

Our services may include integrated content or links to content or services provided by third parties (such as on outside websites). This Privacy Policy does not address the privacy, security, or other practices of the third parties that provide such content or services. We are not responsible for the privacy policies and/or practices of these third parties, and we encourage you to carefully review their privacy policies and their terms of service.

We engage third parties that support the operation of our services, such as analytics providers. These third parties may use technologies to track your online activities over time and across different websites and online platforms.

Your Choices And Rights

You have choices and certain rights that can affect the collection and sharing of your information.

Your Choices

Choices that can affect the collection and sharing of your information include the following:

• You can use some of the features of our services without an account, thereby limiting the type of information that we collect;
• You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, simply follow the instructions found at the end of the email or contact us through the information we provide under the section entitled "Contact Us" below. Even if you unsubscribe to these types of emails, we may still contact you for informational, transactional, account-related, or similar purposes;
• Many browsers have an option for disabling cookies, which may prevent your browser from accepting new cookies or enable selective use of cookies. Some devices allow you to control this via your device settings. Please note that, if you choose not to accept cookies, some features of our services may no longer work for you. Further, you might continue to receive advertising material that is not tailored to your interests.

Your Rights

Subject to local law, you may have certain rights regarding information that we have collected. We encourage you to contact us to update or correct your information if it changes, or if you believe that any information that we have collected about you is inaccurate or out of date. You can also ask us to see what personal information we hold about you, to erase your personal information and you may tell us if you object to our use of your personal information. In some jurisdictions, you may have a right to complain to your local data protection authority. If you would like to discuss or exercise the rights you may have, you may contact us through the information we provide under the section entitled "Contact Us" below.

Your Data Protection Rights Under the General Data Protection Regulation ("GDPR")

If you are a resident of the EEA, you have the following data protection rights, which you may exercise at any time by contacting us through the information we provide under the section entitled "Contact Us" below:

• You may access, correct, update, or request deletion of your personal information;
• You may object to the processing of your personal information, ask us to restrict the processing of your personal information, or request portability of your personal information;
• You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the "unsubscribe" or "opt-out" link in the marketing emails we send you, or by contacting us to to opt-out of other forms of marketing;
• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing of personal information we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent;
• You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Note, however, that if you apply for and receive a digital identity credential from us, some information (or derivative information) about you may remain publicly-available despite you withdrawing consent for use of your personal information, as described above.

Children Under Thirteen

KeyFi is not directed to children under the age of thirteen, and KeyFi will never knowingly collect personal information from children under the age of thirteen. If you are under the age of thirteen, you must ask your parent or guardian for permission to use our services.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time and we encourage you to periodically review this page. If we make any material changes in the way we collect, use, and/or share the personal information that you have provided, we will notify you by posting notice of the changes in a clear and conspicuous manner.

How to Contact Us

The data controller of your personal information is KeyFi Issuer LLC in Saint Vincent and the Grenadines.

If you would like to contact us please send us an email at info@keyfi.ai. We welcome your enquiries and comments.

Last updated: November 10, 2020