Privacy Policy
Last updated: March 25, 2025
This document is available in English only.
This Privacy Policy explains how we process personal data when you use Mandate Finance websites, applications, and related services (the “Service”). It is designed to align with common expectations under the EU General Data Protection Regulation (“GDPR”) and similar laws. It does not replace legal advice; consult qualified counsel for your situation.
1. Data controller
The data controller is the legal entity operating Mandate Finance (the “Operator”). Placeholder: insert the Operator’s registered name, address, and registration details where you publish legal notices.
2. Scope
This policy covers processing tied to the Service (account creation, authentication, support, analytics, and security). On-chain data (e.g. public wallet addresses and transaction history on public blockchains) is generally public by nature; we may process such identifiers when you connect a wallet or when needed to provide the Service.
3. Categories of data we may process
- Account and authentication: email address, login identifiers, session tokens, and authentication events when you use providers such as Privy (including social login, email OTP, passkeys, or wallet connection metadata as supported).
- Wallet and chain data: public wallet addresses, chain IDs, and transaction payloads you approve—limited to what is necessary to display balances, simulate or submit transactions, and meet security requirements.
- Usage and technical data: IP address, device type, browser, approximate region, timestamps, logs, crash reports, and security signals (e.g. fraud prevention).
- Communications: messages you send to support, feedback, and survey responses.
- AI interactions: prompts, agent instructions, or chat content you submit through AI features, if applicable—processed to generate responses and improve safety, subject to your settings and applicable law.
4. Purposes and legal bases (GDPR)
We process data for the following purposes, relying on appropriate legal bases:
- Providing the Service (contract; Art. 6(1)(b) GDPR): authentication, displaying portfolio or vault information, executing your instructions where technically possible.
- Security and abuse prevention (legitimate interests; Art. 6(1)(f)): detecting fraud, enforcing rate limits, protecting accounts and infrastructure.
- Analytics and product improvement (consent or legitimate interests, depending on tool and region): understanding feature usage in aggregated form.
- Compliance (legal obligation; Art. 6(1)(c)): responding to lawful requests, sanctions screening where required.
- Marketing (consent where required): only if you opt in to marketing communications.
5. Recipients and processors
We may share data with:
- Infrastructure and hosting providers (e.g. cloud, databases, CDN);
- Authentication providers (e.g. Privy) subject to their terms;
- Analytics tools, if enabled and where permitted;
- Professional advisers (lawyers, auditors) when bound by confidentiality;
- Authorities when required by law or to protect rights and safety.
We use subprocessors who process data on our instructions and, where required, under data processing agreements.
6. International transfers
If data is transferred outside the European Economic Area, we implement appropriate safeguards (e.g. Standard Contractual Clauses) unless an adequacy decision applies or another derogation is available.
7. Retention
We retain personal data only as long as necessary for the purposes above, including legal, accounting, and security needs. Logs and backups may persist for a limited period. On-chain data remains on public ledgers independently of us.
8. Your rights
Depending on your location, you may have the right to access, rectify, or erase your personal data, to restrict or object to its processing, to request data portability, and to withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority (in the EU, the authority in your habitual residence or place of work).
To exercise rights, contact privacy@kairos.fi. We may need to verify your identity before responding.
9. Children
The Service is not directed at individuals under 18 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.
10. Security
We implement technical and organizational measures appropriate to the risk (encryption in transit where applicable, access controls, monitoring). No method of transmission or storage is 100% secure; you should protect your credentials and wallet seed phrases.
11. Cookies and similar technologies
We and our providers may use cookies, local storage, or similar technologies for session management, preferences, analytics, and security. Where required, we will obtain consent before setting non-essential cookies and provide granular choices via a banner or settings where implemented.
12. Changes
We may update this Privacy Policy by posting a revised version with a new “Last updated” date. For material changes, we will provide additional notice where required by law.
13. Contact
Privacy inquiries: privacy@kairos.fi