LOCKCHAIN PRIVACY POLICY

---

PRIVACY NOTICE

Last updated March 7, 2024

Lockchain Corp. (“Lockchain,” “we,” “us,” or “our”) wants you to be familiar with how we collect, use and disclose information when you use our services (“Services”). This Privacy Policy (the “Policy”) provides a comprehensive description of how we handle your information (“Personal Information”), as well as your rights and choices regarding such Personal Information.

This Policy applies to (a) our Web3 Security Platform (the “Services”), (b) www.lockchain.ai (the “Website”), and (c) our emails, advertisements and any other location, online or offline, where you interact with our business (e.g., conferences or third party social media and networking sites) (collectively, with the Services and Website, the “Business”).

This Policy does not apply to any third-party applications or services that are used in connection with our Services, or any other products, services or accounts provided by other entities under their own terms of service and privacy policy (collectively, “Third-Party Services”). For example, our Services connect directly to multiple third-party sites, such as Alchemy, Etherscan, Defillama, TradingView, GitHub, and more. These Third-Party Services help us provide you with access to our Services but are not part of our Services themselves and are provided by independent third parties under their own policies and terms.

IF YOU DO NOT AGREE WITH OUR POLICIES AND PRACTICES, PLEASE DO NOT USE OUR SERVICES.

Some regions provide additional rights by law. For region-specific terms, please see the following sections below:

• “Additional Disclosures for Nevada Residents"
• "Additional Disclosures for California Residents"
• "Additional Disclosures for Virginia Residents"
• "Additional Disclosures for Data Subjects in the European Economic Area, Switzerland, and United Kingdom”
• “Additional Disclosures for Individuals Located in Canada”

1. WHAT INFORMATION DO WE COLLECT?

1. Personal Information You Disclose To Us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us. The information we collect includes, but is not limited to, the following:

• Names
• Email Addresses
• Usernames
• Passwords
• Billing Addresses
• Wallet Addresses
• Read-Only API keys to Custody Platforms

If you provide us with information about another individual, by acknowledging or agreeing to this Policy, you represent and warrant that you have the authority to do so and have delivered any required notices and obtained all necessary rights and consents to provide such information to us for processing in accordance with this Policy. If you believe information has been provided to us improperly, please notify us in accordance with the “Contact Us” section below.

2. Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your information to:

• Provide, Improve, and Administer our Services. To provide, operate and manage our Services, Website and other parts of our Business.
• Staying in Touch. We will send you notifications, updates, security warnings, information about changes to our policies and terms, and messages related to administration and support.
• Maintaining Safety and Reducing Risk: We prioritize the safety and security of our Business. This includes identifying and resolving any Service issues, investigating unusual activities, and preventing unauthorized transactions, policy breaches, or potential threats, often using automated methods.
• Compliance and Protection of Rights: To adhere to legal, regulatory, and contractual requirements, we cooperate with government and regulatory authorities and courts as per applicable laws. This includes maintaining records for compliance demonstration, safeguarding our legal interests, and seeking available legal remedies.
• Enhancing Business Operations: Our goal is to maximize the utility of our Services and Business for customers. This involves refining and growing our products and operations based on your usage patterns, submitted documentation, and transaction-related information.
• Internal Audits and Studies: We conduct internal audits, reporting, and research, which may include organizing focus groups and surveys.
• Marketing and Promotional Strategies: Our marketing efforts involve creating, sending, and evaluating advertising and direct marketing about our products, offers, promotions, events, and Services.
• Creating Non-Identifiable Data: We may generate anonymized data by either removing personal identifiers or by amalgamating information with other non-identifiable data.
• Acting on Your Instructions: We process requests as directed by you or your company.
• Consent-Based Usage of Information: We may use the information we collect for purposes beyond those listed here, provided we notify you and obtain your consent.

Despite the aforementioned conditions, we reserve the right to use non-identifying information for any purpose that is legally permitted or required by our contractual commitments.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may need to share your personal information in the following situations:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
• Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
• Service Providers: We share information with service providers who assist in our operations, including cloud infrastructure, website hosting, and analytics. This sharing is ongoing for certain services like fraud detection and as-needed for others. Our contracts prevent these providers from using your information beyond our services, though non-identifying data can be used as permitted by law or contract.
• Business Customers: We provide information to our business customers to deliver our Services, such as processing transactions and responding to inquiries. This includes sharing usage details with various authorized personnel within your company.
• Connected Services: We may share information with Third-Party Services and their providers when used in conjunction with our Services.
• Identity Verification and Compliance: We disclose necessary information for identity verification and compliance functions.
• Financial Institution Partners: We share information with partners for customer identification, risk and compliance assessments.
• Marketing and Advertising: We share information with marketing and advertising vendors and platforms.
• Legal Compliance and Security: We disclose information to comply with legal obligations, for fraud detection, and in response to lawful requests by authorities.
• Referrals and Joint Marketing: Information is shared with partners for referral programs and joint marketing, like confirming application status or calculating referral fees.
• At Your Request: We disclose information as you direct.
• With Your Consent: We may disclose information with your notice and consent.

Notwithstanding the foregoing, we reserve the right to share non-identifiable or aggregated data for any legal purpose, except where restricted by law or our contractual obligations. For details on your rights and choices about how we share your information, please refer to the ‘WHAT ARE YOUR PRIVACY RIGHTS?’ section below.

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Furthemore, in compliance with applicable laws, we employ analytics services like Google Analytics to understand user interactions with our Website and other business aspects. Additionally, we may collaborate with agencies and advertising networks to place our ads on various websites and platforms, such as Google, LinkedIn, and Facebook. This involves using tracking technologies in our Website and emails, and in ads on other sites, to monitor activities over time and across services. This helps in recognizing your various devices and in providing targeted ads and content, known as ‘Interest-based Advertising’.

For more details on our tracking technologies and your rights regarding analytics and Interest-based Advertising, please refer to the ‘WHAT ARE YOUR PRIVACY RIGHTS?’ section below. Note that opting out of personalized advertising does not prevent you from seeing ads, including ours.”

5. HOW DO WE HANDLE YOUR THIRD-PARTY LOGINS?

Our Services offer you the ability to register and log in using your third-party account details like Gmail. Where you choose to do this, we will receive certain profile information about you from your mail provider. The profile information we receive may vary depending on the provider concerned, but will often include your name, email address, as well as other information you choose to make public on such a platform.

We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

6. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

We may transfer, store, and process your information in countries other than your own.

If you are accessing our Services, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see “WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?” above), in and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.

For personal data transferred from the European Economic Area, Switzerland or the United Kingdom, we will provide appropriate safeguards, such as through the use of the relevant standard contractual clauses. For further information on these transfers and the relevant appropriate safeguards, please see the “Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom” section below.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18 years of age. We do not knowingly collect personal information (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children under 13. We also do not knowingly “share” or “sell,” as those terms are defined under the California Privacy Rights Act, the personal information of minors under 16 who are California residents. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you are a parent or guardian and believe we have violated this provision, contact us at privacy@lockchain.ai.

9. HOW DO YOU SECURE OUR DATA?

We are dedicated to maintaining the highest standards of data security and privacy. As part of this commitment, we adhere to the Service Organization Control Type 2 (SOC 2) standards, a framework developed by the American Institute of Certified Public Accountants (AICPA). This compliance ensures that we manage your data with the utmost care and responsibility. SOC 2 is specifically designed for service providers storing customer data in the cloud, which is central to our operations. We have implemented robust and comprehensive controls to safeguard the confidentiality, integrity, and availability of your data.

Notwithstanding the foregoing, we must acknowledge that no system for transmitting or storing data can be completely secure. If you suspect that the security of your interactions with us has been compromised, we urge you to contact us immediately, as outlined in the ‘Contacting Us’ section below

10. WHAT ARE YOUR PRIVACY RIGHTS?

To Access or Modify Your Personal Information

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. If you wish to access, correct, update, suppress, restrict, or delete your Personal Information, or if you want to object to or opt out of its processing, or if you desire to transfer your Personal Information to another company (as permitted by law), please reach out to us as directed in the ‘Contact Us’ section. We will address your request in line with applicable law.

In your request, please specify the Personal Information you wish to alter, or if you intend to remove it from our database. To ensure your safety, we will handle requests related to the Personal Information linked to the email address from which the request is sent, and we may need to verify your identity before proceeding. We aim to fulfill your request promptly.

Note that for recordkeeping and transaction completion purposes, we may need to retain some information. For instance, if you request a change or deletion after initiating a transaction like a payment, we might have to hold onto your Personal Information until the transaction is finalized.

Withdrawing Your Consent:

If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in this Policy.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Termination

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Opting Out of Marketing Emails

You have the option to opt out of marketing emails: Should you wish to stop receiving marketing emails from us, simply click the ‘unsubscribe’ link in any of these emails. We will endeavor to process your opt-out request as quickly as is reasonably possible. Please be aware that opting out of marketing emails does not exempt you from receiving essential administrative communications, which are not subject to opt-out.”

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

12. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this privacy notice from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

13. CONTACT US

If you have questions or comments about this notice, you may contact us at:

Email: support@lockchain.ai

14. ADDITIONAL DISCLOSURES FOR NEVADA RESIDENTS

Nevada law (NRS 603A.340) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal information that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal information for monetary consideration by the business to a third party for the third party to license or sell the personal information to other third parties. If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, please refer to the “Contact Us” section above.

15. ADDITIONAL DISCLOSURES FOR CALIFORNIA RESIDENTS

These additional disclosures apply only to California residents and only to the extent applicable.

Notice of Collection.

The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) provides additional rights and requires businesses collecting or disclosing personal information to provide notices and means to exercise rights. In the past 12 months, we have collected the following categories of personal information enumerated in the CPRA:

• Identifiers, including name, postal address, email address, and online identifiers (such as IP address).
• Customer records, including phone number, and billing address.
• Characteristics of protected classifications under California or federal law, including gender.
• Commercial or transaction information, including records of products or services purchased, obtained, or considered.
• Internet activity, including browsing history, search history, and interactions with a website, email, application, or advertisement.
• Non-Precise Geolocation data.
• Inferences drawn from the above information about your predicted characteristics and preferences.
• For further details on personal information we collect, including the sources from which we receive information, review the “WHAT INFORMATION DO WE COLLECT? ” section above. We collect and use these categories of personal information for the business purposes described in the “How We Use Information” section above. We disclose the personal information to the categories of persons set out in the “Disclosure of Information” section above. Please visit those sections for further details.

Right to Know, Correct and Delete.

You have the right to know certain details about our data practices. In particular, you may request the following from us:

• The categories of personal information we have collected about you;
• The categories of sources from which the personal information was collected;
• The categories of personal information about you we disclosed for a business purpose or sold or shared;
• The categories of persons to whom the personal information was disclosed for a business purpose or sold or shared;
• The business or commercial purpose for collecting or selling or sharing the personal information; and
• The specific pieces of personal information we have collected about you.
• In addition, subject to exceptions, you have the right to correct or delete the personal information we have collected from you.

To exercise any of your rights, please submit a request through this privacy request form. We will confirm receipt of your request and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests.

If personal information about you has been processed by us as a service provider on behalf of a business customer, please inquire with the business customer directly to exercise your rights. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Additional Notice and Opt-Out

Our business model does not center around selling personal information. However, under the CPRA, some marketing practices, like the disclosure of Website visitor data to obtain targeted ads and analytics to advertise our products on third party sites, may be considered a “share” or “sale” even if no money is exchanged. A “share” is broadly defined under the CPRA to include a disclosure for cross-context behavioral advertising, and a “sale” is broadly defined under the CPRA to include a disclosure for something of value. Under these definitions, we may collect, share, or sell the following categories of personal information for commercial purposes: identifiers, characteristics, commercial or transaction information, internet activity, non-precise geolocation data, and inferences drawn. The categories of third parties to whom we “share” or “sell” personal information include, where applicable, vendors and other parties involved in cross-context targeted advertising. To the extent our marketing practices constitute a “share” or “sale” of your personal information, you have the right to opt out. You can exercise this right by modifying your cookie preferences for our Website here or enabling Global Privacy Control on your browser or extension. These settings enable you to communicate an opt out that is specific to your browser or device, as applicable, so you will need to instruct each separately.

Retention

We retain each category of personal information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

Authorized Agent.

You can designate an authorized agent to submit requests on your behalf. However, we may require signed proof of the agent’s permission to do so and verify your identity directly. Requests must be submitted through the designated methods listed above.

Right to Non-Discrimination.

You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.

Shine the Light.

Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclosed such information. To exercise a request, please write us at privacy@lockchain.ai or the postal address set out in “Contact Us” above and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

16. ADDITIONAL DISCLOSURES FOR VIRGINIA RESIDENTS

Virginia provides additional rights to Virginia residents through the Virginia Consumer Data Protection Act (“VCDPA”). This section addresses those rights and applies only to Virginia residents acting in an individual or household context.

You have the following rights under the VCDPA:

• To confirm whether or not we are processing your personal data
• To access your personal data
• To correct inaccuracies in your personal data
• To delete your personal data
• To obtain a copy of your personal data that you previously provided to us in a portable and readily usable format
• To opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you
• To exercise any of these rights, please submit through our privacy request form. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If personal data about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with the business customer directly. If you wish to make your request directly to us, please provide the name of the business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

17. ADDITIONAL DISCLOSURES FOR DATA SUBJECTS IN THE EUROPEAN ECONOMIC AREA, SWITZERLAND AND THE UNITED KINGDOM

Lockchain may process personal data in accordance with the instructions of or on behalf of a business customer, including when providing Services to a company under an Agreement. In this context, Lockchain acts as a processor and the business customer acts as a controller. Lockchain may also act as a controller when directly determining the processing of personal data in other Business contexts set out in this Policy, like complying with regulatory obligations applicable to our Business.

Lawful Basis for Processing.

Data protection laws in Europe require a “lawful basis” for processing personal data. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or business customers; (b) processing is necessary for the performance of a contract; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

International Transfers.

We may transfer your personal data to our operations in the United States or to our service providers or other third parties in the United States or in other countries - this may involve the transfer of your personal data to countries which have different data protection standards to those which apply in the European Economic Area, Switzerland or the United Kingdom.

Some of these countries are subject to a European Commission and/or UK government adequacy decision. For other countries, Lockchain has put in place the relevant European Commission or UK government-approved standard contractual clauses with the relevant third parties to ensure that your personal data is protected with appropriate safeguards. We may also rely on other permitted data transfer mechanisms.

Your Data Subject Rights.

You may have certain statutory rights relating to your personal data. Subject to applicable law, you may have the right to access and rectify your personal data, to require us to erase your personal data or to transfer it to other organizations, and to object to the processing of your personal data. Where we process your personal data because we have a legitimate interest in doing so (as explained above), you may have a right to object to this. You may also have the right to restrict processing of your personal data in certain circumstances. These rights may be limited in some situations, for example, where we can demonstrate that we have legitimate grounds to process your personal data. In addition, you have the right to ask us not to process your personal data (or provide it to third parties to process) for marketing purposes or purposes materially different from those for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any processing of your personal data which we do based on consent you have provided to us.

To exercise any of these rights, please use this privacy request form. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If your personal data has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with our business customer directly. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal data. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention of your Personal Data.

Please note that we retain personal data for as long as necessary to fulfill the purposes for which it was collected from you and/or our business customers, and may continue to retain and use your personal data for purposes of our legitimate interests and/or as necessary to comply (or demonstrate compliance with) with our legal/regulatory obligations, resolve disputes, prevent fraud, and enforce our rights.

We hope that we can satisfy any queries that you may have about the way we process your personal data. However, if you have any issues with our compliance, you may contact us at privacy@lockchain.ai. You also have the right to lodge a complaint with the data protection regulator in your jurisdiction if you have any unresolved concerns. You can lodge the complaint in the country where you reside, where you work or where any alleged infringement of data protection law occurred.

18. ADDITIONAL DISCLOSURES FOR INDIVIDUALS LOCATED IN CANADA

Your Rights and Choices.

Subject to limited exceptions under applicable Canadian law, you may have the right to access, update, correct inaccuracies in, and withdraw consent (subject to reasonable prior notice and applicable legal and contractual restrictions) to the collection, use and disclosure of your personal information. If you withdraw your consent, we may not be able to provide our Website, Services or other aspects of our Business. To exercise any of these or other rights applicable to you under Canadian privacy laws, please contact us as set out in the “Contact Information” section below. We may require specific information from you to help us confirm your identity and process your request. If personal information about you has been processed by us on behalf of a business customer and you wish to exercise any rights you have with respect to such personal information, we encourage you to inquire with our business customer directly. If you are a resident of the province of Quebec, please note that we transfer and store personal information outside of the province. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we process your personal information, and we may refer your request to that business customer. We will assist our business customer in responding to your request.

Governance Policies and Practices

We are committed to protecting personal information and have implemented policies and practices that govern our treatment of personal information, including:

• policies and procedures regarding the protection, retention and disposition of personal information, including with respect to the implementation of security safeguards designed to protect personal information against loss or theft and unauthorized access, disclosure, copying, use, and modification;
• a framework that sets out roles and responsibilities of our personnel in connection with the handling of information in our possession and control;
• a Trust Center with information about the security and privacy of our Business, including our compliance with relevant audit standards and security frameworks;
• processes for responding to data subject requests and complaints in a timely and effective manner; and
• employee data protection training and awareness.
• Contact Information

If you have any questions or comments about this Privacy Policy or the manner in which we or our service providers (including our service providers outside Canada) treat your personal information, to withdraw your consent, or to request access to or correction of your personal information, please use our privacy request form or contact us at privacy@lockchain.ai.