Privacy Policy

01. Introduction

ZKA Protocol ("ZKA Protocol", "we", "us" and "our") is committed to protecting and respecting your privacy. This Privacy Policy describes how your personal or behavioral data is collected, used and stored when you access the ZKA Protocol website and any other online location that links to this Privacy Policy (collectively, the "Site"). The ZKA Protocol operates in a decentralized and permissionless manner. Although we may collect and process information about users of the Site in accordance with this Privacy Policy, we do not store information about all protocol users beyond what is already publicly available and recorded on the blockchain.

This Privacy Policy may be modified from time to time which will be indicated by changing the date at the top of this page. Your use of the Site is at all times subject to the Terms of Use, which incorporates this Privacy Policy.

02. Acceptance of the Privacy Policy

By accessing the Site, you signify acceptance to the terms of this Privacy Policy. Where required by law, you will be asked for your consent to the collection and use of your information as described further below. If you do not agree with or you are not comfortable with any aspect of this Privacy Policy, you should immediately discontinue access or use of the Site.

The Site is intended for general audiences and is not directed at children. To use the Site, you must legally be able to enter into the Terms of Use. We do not knowingly collect personal information (as defined by the U.S. Children's Privacy Protection Act, or "COPPA") from children. If you are a parent or guardian and believe we have collected personal information in violation of COPPA, please contact us as set out below and we will remove the personal information in accordance with COPPA.

03. The Information We Collect

We do not collect personally identifiable information (PII) unless explicitly provided by you (see below). Our services are designed to minimize data collection. However, we may automatically collect limited, anonymized information for operational and analytical purposes, including:

• Device Information: We may collect anonymized information about the device and browser configuration. This information helps us optimize our Site for different devices and troubleshoot any technical issues.
• Geolocation Data: We may collect information about your geographic region based on your IP address which is anonymized, inferred general location such as city or region (without tracking exact addresses or GPS coordinates), and general time zone information.
• In addition to the foregoing, you may connect your wallet(s) to utilize certain functionalities of the Site. Any transactions conducted from your wallet(s) are publicly accessible on blockchain networks. We do not store message data. We do not store personal or message information or in any way use information to associate or cross-associate wallet data. We will never collect or request any seed phrase or private keys associated with your wallet(s). Never trust anyone or any site that asks you for your private keys or similar security information.
• User-Submitted Incident Information: If you choose to submit a report, request, or other communication to us that includes details of a suspected protocol, network, or operational incident, we may collect the information you provide as part of that submission. This may include technical data (such as transaction or message identifiers), descriptive information regarding the incident, and your contact details (e.g., email address). You are solely responsible for the accuracy and completeness of any information you provide. We collect this information in order to review, evaluate, and respond to your submission in accordance with applicable terms, policies, and procedures.
• Please note that while certain information (such as wallet addresses, transaction hashes, and related blockchain activity) is publicly available on blockchain networks, we may process such information when it is provided to us in connection with your interactions with the Site (including when combined with other information you submit) in order to provide the requested functionality or to comply with applicable laws. When combined with other information you provide, such blockchain data may be considered personal data under certain applicable laws.
• You may choose to voluntarily provide other information to us that we have not solicited from you, and, in such instances, you are solely responsible for such information.

For further information on how we use tracking technologies for analytics and your rights and choices regarding them, please see the "Analytics" section below.

04. Usage of Data

We may collect and use information for business purposes in accordance with the practices described in this Privacy Policy. Our business purposes for collecting and using information include:

• Operating and managing the Site (including through authorized service providers): To make the Site available to you and perform services requested by you, such as responding to your comments, questions, and requests, and providing information support; detecting, preventing, and addressing fraud, breach of Terms of Use, and threats, or harm; and compliance with legal and regulatory requirements. We may also use user-submitted incident information to facilitate technical or procedural review, assessment, adjudication, and any related operational or compliance processes.
• Improving the Site: To optimize site performance and improve reliability.
• Security and Compliance with Laws: As we believe necessary or appropriate to operate and maintain the security or integrity of the Site, including to prevent or stop an attack on our computer systems or networks, investigate possible wrongdoing in connection with the Site, enforce our Terms of Use, and comply with applicable laws, lawful requests, and legal process, such as responding to subpoenas or requests from government authorities.
• Facilitating Requests: To comply with your requests or directions.

Notwithstanding the above, we may use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law. For information on your rights and choices with respect to how we use information about you, please see the "Analytics" section below.

05. Sharing of the Personal Information

We may share or disclose information that we collect in accordance with the practices described in this Privacy Policy and for the purposes set out in the "Usage of Data" section above. We share information with third-party service providers for business purposes, including fraud detection and prevention, security threat detection, data analytics, and information technology and storage. Any information shared with such service providers is subject to the terms of this Privacy Policy. All service providers that we engage with are restricted to only utilizing the information on our behalf and in accordance with our instructions.

For user-submitted incident information, we may disclose such information to designated reviewers, technical auditors, independent evaluators, governance or oversight bodies, or other authorized parties where necessary to conduct an appropriate review, ensure procedural fairness, maintain system integrity, or meet applicable legal or regulatory requirements. We may also retain such information for audit, compliance, and transparency purposes, and may use anonymized or aggregated data for process improvement.

Notwithstanding the foregoing, for certain user-submitted incidents, certain of the user-submitted incident information may be publicly disclosed such as transaction details, explanation of incident and/or other non-identifiable information. We encourage you to review all linked Terms of Use on our Site to ensure that you understand what user-submitted information may or may not be disclosed.

In addition, we may be compelled to share your personal information with law enforcement, government officials, and regulators. Notwithstanding the above, we may share information that does not identify you (including information that has been aggregated or de-identified) except as prohibited by applicable law.

06. Analytics

We use analytics tools in anonymized, cookie-less configurations. We do not store or transmit cookies, persistent identifiers, or personally identifiable data. No persistent identifiers, cookies, or tracking technologies are stored or transmitted. All data is processed in-memory and discarded after the session ends. IP addresses are anonymized.

07. How We Protect and Store Information

We implement reasonable technical and organizational measures to protect information collected through the Site from loss, misuse, and unauthorized access. Our infrastructure is designed with security best practices, including encryption in transit, access controls, and network monitoring. Because we avoid collecting or storing personal data wherever possible, and do not use persistent identifiers such as cookies or local storage for analytics, the data we process is limited, anonymized, and ephemeral. Typically, it is only held in memory for the duration of your visit on the Site.

With respect to your wallet(s), your wallet is protected by your password, private key, and/or seed phrase, and we urge you to take steps to keep this and other PII safe by not disclosing your security credentials or leaving your wallet open in an unsecured manner. Despite these safeguards, no method of transmission or storage is completely secure. By using the Site, you acknowledge and accept that residual risk exists and that no system can be guaranteed to be 100% secure.

08. Data Retention

We retain anonymized, non-identifiable data only as long as necessary to fulfill its purpose and comply with applicable legal requirements. We may continue to retain and use your information as permitted or required under applicable laws, for legal, tax, or regulatory reasons, or legitimate and lawful business purposes. User-submitted incident information may be retained for as long as necessary to fulfill the purposes described above, including audit, compliance, and transparency obligations, and as required by applicable law.

09. Social Media

We use social and developer networks such as Discord, X (formerly Twitter), Gitbook and Github. When you use them, the operators of the respective social and developer networks may record that you are on such networks. Your use of such third-party platforms (e.g., Discord, GitHub) is governed by their respective privacy policies. ZKA Protocol is not responsible for data collected by these networks. We only use these platforms to inform our community of updates and answer user questions.

10. Information for Persons Subject to EU Data Protection Law

While users and visitors of our Site who are located in the European Union ("EU"), European Economic Area ("EEA") or the Channel Islands, or other locations subject to EU data protection law (collectively, "Europe") agree to our Terms of Use, we recognize and, to the extent applicable to us, adhere to relevant EU data protection laws. For purposes of this section, "personal data" has the meaning provided in the General Data Protection Regulation (EU) ("GDPR").

Lawful Bases for Processing. We process personal data subject to GDPR on the following bases:

• Contract performance: To provide services you request, such as processing submissions or enabling wallet connections.
• Legitimate interests: To maintain and improve the Site, to review and evaluate user-submitted incident information, to ensure protocol integrity, and to prevent fraud or abuse, provided such interests are not overridden by your rights.
• Legal obligations: To comply with applicable laws, regulatory requirements, and lawful requests from authorities.
• Consent: Where required by law (e.g., certain marketing activities or optional data collection), which you may withdraw at any time.

European Privacy Rights. European residents have the following rights under GDPR, subject to certain exceptions provided under the law, with respect to their personal data:

• Rights to Access and Rectification. You may submit a request that we disclose the personal data that we process about you and correct any inaccurate personal data.
• Right to Erasure. You may submit a request that we delete the personal data that we have about you.
• Right to Restriction of Processing. You have the right to restrict or object to our processing of your personal data under certain circumstances.
• Right to Data Portability. You have the right to receive the personal data you have provided to us in an electronic format and to transmit that personal data to another data controller.

To submit a request to exercise these rights, please see "Your Rights" below.

11. Collection and Transfer of Data Outside the EEA

Due to the international nature of our business, your personal data may be transferred to jurisdictions that do not offer equivalent protection of personal data as under the GDPR or other applicable data protection legislation. In such cases, we will process personal data or procure that it be processed in accordance with the requirements of such legislation, which may include having appropriate contractual undertakings in legal agreements with service providers who process personal data on our behalf.

12. Information for Persons Subject to California Data Protection Law

If you are a California resident, you have certain additional rights with respect to personal information about you under the California Consumer Privacy Act of 2018 ("CCPA"). We are required to inform you of:

• What categories of information we may collect about you, including during the preceding 12 months: please see section "The Information We Collect."
• The purposes for which we may use your personal information, including during the preceding 12 months: See the section "Usage of Data"
• The purposes for which we may share your personal information, including during the preceding 12 months: See the section "Sharing of the Personal Information."
• In the preceding 12 months, we have not sold any personal information of consumers.

13. Your Rights

These rights may vary depending on your jurisdiction (e.g., under GDPR, CCPA, or other applicable data protection laws). To submit a request to exercise any of the aforementioned rights, please contact us as set out below. When handling requests to exercise privacy rights, we verify the identity of the requesting party to ensure they are legally entitled to make such a request.

While we maintain a policy to respond to these requests free of charge, should your request be repetitive or unduly onerous, we reserve the right to charge you a reasonable fee for compliance with your request. These rights are subject to limitations as described in the relevant law. We may deny your request if we need to do so to comply with our legal rights or obligations.

In certain cases, we may not be able to delete specific records you have provided (such as incident reports or related records) where we are required to retain them for compliance, audit, dispute resolution, or legal defense purposes. In such cases, we will inform you of the reason for denying your deletion request.

14. Contact Us

We are committed to processing your personal data lawfully and to respecting your data protection rights. Please contact us if you have any questions about this notice or the personal data we hold about you.

Our contact details are available through our website or by marking your communication "Data Protection Enquiry" when reaching out through our official channels.