Privacy Policy

Effective Date: March 16, 2026

1. Introduction

TARA Labs Ltd ("TARA," "we," "us," or "our") is a company incorporated in Bermuda (Registration Number: 202504898) with its registered office at Rosebank Centre, 5th Floor, 11 Bermudiana Road, Pembroke HM 08, Bermuda. We are committed to protecting the privacy and security of personal information in accordance with the Personal Information Protection Act 2016 ("PIPA") of Bermuda and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you access or use our non-custodial multi-party computation (MPC) wallet platform and related services (collectively, the "Platform" or "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use our Services.

2. Definitions

In this Privacy Policy, the following terms have the meanings set out below:

• "Personal Information" means any information about an identified or identifiable individual, including but not limited to name, email address, phone number, physical address, government-issued identification numbers, financial information, and location data.
• "Sensitive Personal Information" means personal information relating to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, genetic or biometric data, or criminal record.
• "Virtual Asset" means a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes, including but not limited to cryptocurrencies, stablecoins, and utility tokens.
• "MPC Wallet" means a non-custodial digital wallet that utilizes multi-party computation technology to secure private keys by distributing key shares among multiple parties.
• "Third-Party Services" means services provided by external partners, including but not limited to custody services, brokerage services, card issuance, and identity verification services.

3. Information We Collect

3.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

• Register for an account on our Platform
• Use our Services or initiate transactions
• Contact our customer support
• Subscribe to our newsletters or marketing communications
• Participate in surveys, promotions, or other interactive features

This information may include:

• Full legal name
• Email address and phone number
• Country of residence
• Public wallet addresses

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information, including:

• Device information (device type, operating system, unique device identifiers)
• IP address and approximate geographic location
• Usage data (features used, time spent on the Platform)
• Transaction metadata (excluding private key information)

3.3 Information from Third Parties

We may receive limited information from third-party sources, including:

• Verification status (not underlying KYC data) from identity verification providers for account recovery purposes
• Blockchain analytics data
• Publicly available sources and sanctions screening results

3.4 Non-Custodial Architecture: What We Do NOT Collect or Store

As a non-custodial technology platform, TARA does NOT:

• Collect, store, or have access to your complete private keys
• Store unencrypted seed phrases or recovery phrases
• Have the ability to access, control, or transfer your Virtual Assets without your authorization
• Decrypt your wallet file data
• Collect or store KYC documentation (identity documents, proof of address, photographs, or other verification materials)
• Act as a data controller for identity verification data

You are solely responsible for the security and management of your key shares and authentication credentials.

3.5 Identity Verification Through Third-Party Providers

When you access Third-Party Services through our Platform (such as custody, brokerage, or card services), those providers may require you to complete identity verification (KYC) processes directly with them.

Important: TARA does not collect, process, or store your KYC documentation. Identity verification is conducted by and the data is controlled by our Third-Party Service partners (such as regulated custody providers and card issuers). You will be subject to their privacy policies when providing such information.

For account recovery purposes only, we may query Third-Party Service providers to verify your identity status. This process involves receiving a verification confirmation—we do not receive or store the underlying identity documents or personal data used for verification.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

4.1 Service Provision

• To create and manage your account
• To provide access to our MPC wallet platform and related Services
• To process transactions and maintain transaction records
• To facilitate your access to Third-Party Services you choose to use
• To provide customer support and respond to inquiries
• To enable account recovery by verifying your identity status through Third-Party Service providers

4.2 Legal and Regulatory Compliance

• To comply with applicable laws, regulations, and legal processes applicable to TARA
• To screen against sanctions and prohibited persons lists
• To respond to requests from regulatory authorities and law enforcement
• To detect, prevent, and investigate fraud, unauthorized activities, and security incidents

Note: KYC and AML compliance obligations for regulated services (custody, brokerage, card issuance) are the responsibility of the respective Third-Party Service providers who act as data controllers for such processes.

4.3 Platform Improvement and Analytics

• To analyze usage patterns and improve our Services
• To develop new features and functionality
• To conduct research and analytics
• To troubleshoot technical issues and optimize performance

4.4 Communications

• To send service-related communications (account updates, security alerts, transaction confirmations)
• To send marketing communications (with your consent where required)
• To notify you of changes to our policies or Services

4.5 Legal Basis for Processing

Under PIPA and applicable data protection laws, we process your personal information based on the following legal grounds:

• Your consent, where you have explicitly agreed to the processing
• Performance of a contract to which you are a party
• Compliance with legal obligations to which TARA is subject
• Our legitimate interests, where such interests are not overridden by your rights

5. Disclosure of Your Information

We may share your personal information with the following categories of recipients:

5.1 Third-Party Service Providers

Our Platform facilitates access to services provided by regulated third-party partners, including:

• Custody and brokerage services for Virtual Asset transactions
• Card issuance and payment processing services
• Identity verification services
• Cloud hosting and data storage providers
• Analytics and performance monitoring services

When you choose to access Third-Party Services through our Platform, you will interact directly with those providers, who act as independent data controllers for the personal information you provide to them (including KYC data). Such providers operate under their own privacy policies and terms of service.

5.2 Regulatory and Law Enforcement Authorities

We may disclose your personal information to:

• Regulatory authorities in Bermuda and other jurisdictions as required by law
• Law enforcement agencies in response to valid legal requests
• Courts and legal proceedings where disclosure is necessary

5.3 Corporate Transactions

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and your choices regarding your information.

5.4 With Your Consent

We may share your personal information with other parties when you have provided explicit consent for such disclosure.

5.5 Blockchain Transactions

Transactions conducted on public blockchains are inherently transparent. Public wallet addresses and transaction details may be visible on the blockchain and accessible to anyone. TARA does not control the blockchain infrastructure and cannot delete or modify blockchain records.

6. International Data Transfers

TARA is incorporated in Bermuda and may transfer, store, and process your personal information in locations outside your country of residence, including in jurisdictions that may not provide the same level of data protection as your home jurisdiction.

When we transfer personal information internationally, we implement appropriate safeguards to protect your information, including:

• Contractual clauses requiring recipients to protect personal information in accordance with PIPA standards
• Assessment of the adequacy of data protection laws in recipient jurisdictions
• Technical and organizational security measures

By using our Services, you acknowledge and consent to the transfer of your personal information to Bermuda and other jurisdictions as described in this Privacy Policy.

7. Data Retention

We retain your personal information for as long as necessary to:

• Provide our Services and maintain your account
• Comply with legal, regulatory, and reporting obligations
• Resolve disputes and enforce our agreements
• Fulfill the purposes described in this Privacy Policy

The retention period for personal information varies depending on the type of information and the purpose for which it was collected. Generally:

• Account information is retained for the duration of your account and for a reasonable period after account closure
• Transaction records are retained in accordance with legal and regulatory requirements
• Marketing preferences are retained until you withdraw consent or request deletion

Note: Retention of KYC and AML records is the responsibility of the Third-Party Service providers who collect and control such data.

When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention policies.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Multi-party computation (MPC) technology to secure cryptographic keys
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee training on data protection and security
• Incident response and breach notification procedures

While we take reasonable steps to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, and you acknowledge that you provide information at your own risk.

9. Your Rights Under PIPA

Under PIPA and applicable data protection laws, you have the following rights regarding your personal information held by TARA:

9.1 Right of Access

You have the right to request a copy of the personal information we hold about you (a "Data Access Request").

9.2 Right to Correction

You have the right to request correction of any inaccurate or incomplete personal information we hold about you (a "Data Correction Request").

9.3 Right to Object

You have the right to object to our use of your personal information in certain circumstances, including for direct marketing purposes.

9.4 Right to Withdraw Consent

Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9.5 Right to Erasure

You may request the deletion of your personal information, subject to legal and regulatory retention requirements. Note that we may be required to retain certain information for compliance purposes.

9.6 Right to Blocking

You may request that we block the use of your personal information in certain circumstances.

9.7 Exercising Your Rights

To exercise any of these rights, please contact us using the details in Section 13. We will respond to your request within 40 calendar days, as required by PIPA. We may require verification of your identity before processing your request.

We may decline to comply with a request in limited circumstances, including:

• When directed by a government agency or regulator
• When disclosure may affect the safety of any person
• When information is relevant to regulatory investigations
• When we cannot verify the identity of the requestor

Note: For rights requests relating to KYC data or other information held by Third-Party Service providers, you must contact those providers directly as they are the data controllers for such information.

10. Third-Party Services and Links

Our Platform facilitates access to services provided by third parties, including custody, brokerage, and card services. When you choose to use Third-Party Services:

• You will interact directly with those providers and be subject to their privacy policies and terms of service
• Those providers act as independent data controllers for the personal information you provide to them
• Your KYC data and other sensitive information is collected, processed, and stored by those providers—not by TARA
• TARA is not responsible for the privacy practices of third parties

11. Children's Privacy

Our Services are not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.

If we make material changes, we will notify you by:

• Posting the updated Privacy Policy on our Platform with a revised effective date
• Sending a notification through the Platform
• Sending an email to the address associated with your account (where appropriate)

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the revised Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

TARA Labs Ltd
Rosebank Centre, 5th Floor
11 Bermudiana Road
Pembroke HM 08
Bermuda

For privacy inquiries: privacy@tara.com

14. Governing Law

This Privacy Policy is governed by the laws of Bermuda, including the Personal Information Protection Act 2016. Any disputes arising from or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Bermuda.

15. Complaints

If you believe that TARA has not handled your personal information in accordance with this Privacy Policy or PIPA, you have the right to file a complaint with:

• TARA, using the contact details provided above
• The Office of the Privacy Commissioner for Bermuda (PrivCom)

We will investigate and respond to complaints in a timely manner and take appropriate action to address any issues identified.