Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how YOA LTD ("Company", "we", "us", or "our"), a company registered in England and Wales (Company No. 10009845), collects, uses, stores, and protects your personal data when you use the PURO mobile application, website, and related services (collectively, the "Services").

We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and other applicable data protection legislation.

2. Data Processing Principles

We adhere to the following principles when processing your personal data: legality, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. We collect only the data that is necessary for the purposes described in this Policy.

3. Personal Data We Collect

3.1 Data You Provide

When you use the Services, you may provide us with:

• Authentication Data: Email addresses, passkeys, or social login identifiers used to authenticate your session and provision your non-custodial embedded wallet via our infrastructure partner (Privy);
• Communications Content: Messages you send to our support team, feedback, and survey responses.

3.2 Data Collected Automatically

When you access the Services, we may automatically collect:

• Device Information: Device type, operating system, unique device identifiers, and mobile network information;
• Usage Data: Features used, actions taken within the app, timestamps, and session duration;
• Log Data & IP Addresses: IP addresses are explicitly collected and processed to enforce regulatory geographic restrictions (geoblocking) and prevent unauthorized access to restricted features;
• Blockchain Data: Public wallet addresses and transaction hashes associated with your use of the Services (note that this data is inherently public on blockchain networks).

3.3 Data We Do Not Collect

As an application utilizing non-custodial embedded wallet infrastructure, PURO does not collect, store, or have access to your private keys or cryptographic key shards. Furthermore, we do not perform identity verification (KYC) ourselves and do not collect identity documents, selfies, financial data, or biometric data.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Services to you, including facilitating token swaps;
• Legal Obligations: Processing required to comply with applicable laws and regulations;
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Services, preventing fraud, and ensuring security;
• Consent: Where you have given explicit consent, such as for receiving marketing communications. You may withdraw consent at any time.

5. How We Use Your Data

We use the collected data for the following purposes:

• To provide, maintain, and improve the Services;
• To facilitate token swap transactions;
• To detect, prevent, and address fraud, security incidents, and technical issues;
• To comply with legal and regulatory obligations;
• To communicate with you regarding the Services, including support requests;
• To send marketing communications (only with your consent);
• To analyze usage patterns and improve user experience;
• To enforce regulatory compliance, including the use of IP addresses to restrict access to certain features (such as the Fiat On-Ramp) for users located in prohibited jurisdictions, including the United Kingdom;
• To enforce our Terms and Conditions.

6. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

• Wallet Infrastructure Providers: We share Authentication Data with our embedded wallet provider (Privy) strictly to facilitate secure login and cryptographic key management;
• RPC and Network Providers: We route public blockchain data (wallet addresses and transaction payloads) through third-party node providers (such as Alchemy) to broadcast transactions and sponsor network gas fees;
• Independent Fiat On-Ramp Providers: If you access the Fiat On-Ramp feature, you will interact directly with third-party providers (such as MoonPay). Please note: these providers act as independent Data Controllers. Any KYC, identity documents, or financial data you submit to them is governed entirely by their respective Privacy Policies. YOA LTD does not collect, process, or store your fiat payment or identity verification data;
• Legal Authorities: Government agencies, regulators, or law enforcement when required by applicable law, regulation, legal process, or governmental request;
• Affiliated Companies: Companies within our corporate group, subject to the same data protection standards;
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

We do not sell your personal data to third parties. We do not share your data for third-party advertising purposes.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom. In such cases, we ensure appropriate safeguards are in place, including International Data Transfer Agreements, adequacy decisions, or other legally recognized transfer mechanisms under UK GDPR.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by applicable law. Specific retention periods include:

• Account Data: Retained for the duration of your use of the Services and up to 5 years after your last interaction;
• Transaction Records: Retained for up to 5 years as required by applicable UK legislation;
• Support Communications: Retained for up to 3 years after resolution;
• Analytics Data: Retained in anonymized or aggregated form indefinitely.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and incident response procedures. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

Under UK GDPR and applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you;
• Right to Rectification: Request correction of inaccurate or incomplete data;
• Right to Erasure: Request deletion of your personal data, subject to legal retention requirements;
• Right to Restriction: Request restriction of processing in certain circumstances;
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format;
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes;
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent;
• Right to Lodge a Complaint: File a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority.

To exercise any of these rights, please contact us at [SUPPORT_EMAIL]. We will respond to your request within 30 days.

11. Cookies and Tracking Technologies

Our website may use cookies and similar tracking technologies to improve your experience. Types of cookies we may use include:

• Essential Cookies: Required for the basic functioning of the website;
• Analytics Cookies: Help us understand how visitors interact with the website (only with your consent);
• Preference Cookies: Remember your settings and preferences.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Services.

12. Children's Privacy

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Updated versions will be posted on the website and within the application with the revised "Last updated" date. We will provide at least 14 days advance notice of material changes. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.