This Privacy Policy explains how Cryptocolony42 ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Bindaro platform, including the websites bindaro.io and app.bindaro.io, mobile applications for Android and iOS, and all related services.
February 15, 2026
Table of Contents
1. Data Controller
2. Data We Collect
3. Purposes of Data Processing
4. Legal Basis for Processing
5. Data Recipients and Third-Party Sharing
6. International Data Transfers
7. Data Retention
8. Your Rights Under GDPR
9. Right to Erasure and Blockchain Immutability
10. AI Analytics and Automated Decision-Making
11. Cookies and Tracking Technologies
12. Children's Privacy
13. Data Security
14. Mobile Applications
15. Changes to This Privacy Policy
16. Contact Information
1. Data Controller
The data controller responsible for processing your personal data is:
• Entity: Cryptocolony42
• Website: bindaro.io / app.bindaro.io
• Email: contact@bindaro.io
As the data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter "GDPR"), Cryptocolony42 determines the purposes and means of the processing of personal data collected through the Bindaro platform.
If you have any questions regarding the processing of your personal data or wish to exercise your rights under applicable data protection legislation, please contact us at contact@bindaro.io.
2. Data We Collect
We collect and process the following categories of personal data, depending on how you interact with the Bindaro platform:
2.1. Account and Identity Data
• Email address (when registering via email/password)
• Username and display name
• Password (stored as a cryptographic hash — we never store plaintext passwords)
• Profile information you voluntarily provide (avatar, bio)
2.2. Social Login Data
• Google OAuth: email address, display name, profile picture URL, and Google account identifier
• Facebook OAuth: email address, display name, profile picture URL, and Facebook account identifier
• We do not access your social media contacts, posts, or other account content
2.3. Blockchain and Wallet Data
• Public wallet addresses (e.g., Ethereum, Polygon)
• Blockchain transaction records related to marketplace activity (ETH, WETH, USDC)
• NFT ownership data and token metadata (ERC-721 and ERC-1155)
• Wallet signature data used for authentication via MetaMask
• Note: Blockchain data is inherently public. We index publicly available on-chain data to provide platform features.
2.4. Technical and Device Data
• IP address
• Browser type and version
• Operating system and device type
• Screen resolution and language preferences
• Referring URL and pages visited
• Mobile device identifiers (for Android and iOS apps)
2.5. Usage Data
• Album creation, editing, and sharing activity
• Marketplace browsing and transaction history
• AI analytics queries and interaction logs
• Feature usage patterns and session duration
• Search queries within the platform
2.6. Cookie Data
• Session cookies, authentication tokens, and preference cookies
• Analytics cookies (see Section 11 for full details)
3. Purposes of Data Processing
We process your personal data for the following purposes:
3.1. Service Provision (Art. 6(1)(b) GDPR)
• Creating and managing your Bindaro account
• Authenticating your identity via email/password, social login, or wallet signature
• Enabling album creation, NFT collection management, and social features
• Facilitating marketplace transactions (buying and selling NFTs)
• Auto-discovering NFT collections from connected wallets
• Providing AI-powered analytics and collection intelligence
3.2. Legitimate Interests (Art. 6(1)(f) GDPR)
• Improving and optimizing the platform experience
• Detecting and preventing fraud, abuse, and security threats
• Analyzing usage patterns to enhance features and performance
• Maintaining platform stability and troubleshooting technical issues
3.3. Legal Compliance (Art. 6(1)(c) GDPR)
• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from public authorities
• Maintaining records required by applicable financial and digital asset regulations
3.4. Consent (Art. 6(1)(a) GDPR)
• Sending marketing communications (only with your explicit opt-in consent)
• Setting non-essential cookies and analytics trackers
• Processing data for purposes not covered by other legal bases, where your prior consent has been obtained
4. Legal Basis for Processing
Under the GDPR, we are required to identify a lawful basis for each processing activity. The following legal bases apply to our processing of your personal data:
• Contract Performance (Art. 6(1)(b) GDPR): Processing necessary for the performance of the contract between you and Cryptocolony42 when you use the Bindaro platform. This includes account management, wallet integration, marketplace functionality, album features, and AI analytics.
• Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, provided these interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include fraud prevention, platform security, service improvement, and analytics. You have the right to object to processing based on legitimate interests under Art. 21 GDPR.
• Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary for compliance with a legal obligation to which Cryptocolony42 is subject, including record-keeping obligations and responses to regulatory inquiries.
• Consent (Art. 6(1)(a) GDPR): Where we rely on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Consent is obtained for marketing emails, non-essential cookies, and any processing beyond what is strictly necessary for service provision.
For the processing of special categories of data, if any, we rely on Art. 9(2) GDPR. However, Bindaro does not intentionally collect or process special categories of personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data).
5. Data Recipients and Third-Party Sharing
We may share your personal data with the following categories of recipients:
5.1. Blockchain Networks
• When you execute marketplace transactions, your wallet address and transaction data are recorded on public blockchain networks (Ethereum, Polygon). This data is publicly visible and immutable by design.
5.2. Authentication Providers
• Google (for Google OAuth login)
• Facebook / Meta (for Facebook OAuth login)
• These providers receive only the data necessary to authenticate your identity.
5.3. Infrastructure and Hosting Providers
• Cloud hosting and content delivery providers that host the Bindaro platform
• Database and storage providers
• All infrastructure providers are selected for GDPR compliance and are bound by data processing agreements pursuant to Art. 28 GDPR.
5.4. Analytics Providers
• We may use analytics tools to understand platform usage. Any analytics providers are configured to anonymize IP addresses and comply with GDPR requirements.
5.5. Legal and Regulatory Authorities
• We may disclose personal data to law enforcement, regulatory bodies, or courts when required by law or in response to valid legal processes.
We do not sell your personal data to third parties. We do not share your data with third parties for their independent marketing purposes.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR:
• Adequacy Decisions (Art. 45 GDPR): Where the European Commission has determined that the recipient country ensures an adequate level of data protection.
• Standard Contractual Clauses (Art. 46(2)(c) GDPR): Where no adequacy decision exists, we rely on the European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914, supplemented by additional safeguards where necessary following a transfer impact assessment.
• Binding Corporate Rules (Art. 47 GDPR): Where applicable to our service providers.
Blockchain data is inherently global — transaction data recorded on Ethereum and Polygon networks is replicated across nodes worldwide. This is a fundamental characteristic of distributed ledger technology and falls outside the scope of traditional data transfer mechanisms.
For social login providers (Google, Meta), data transfers to the United States are governed by the EU-U.S. Data Privacy Framework where applicable, or by Standard Contractual Clauses.
You may request information about the specific safeguards applied to transfers of your data by contacting us at contact@bindaro.io.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:
• Account Data: Retained for the duration of your active account. Upon account deletion, personal data is erased within 30 days, except where retention is required by law.
• Transaction Records: Marketplace transaction data is retained for a minimum of 5 years following the transaction date to comply with financial record-keeping obligations and to resolve potential disputes.
• Blockchain Data: On-chain data (wallet addresses, transaction hashes, token transfers) is permanently recorded on the respective blockchain networks. This data cannot be deleted due to the immutable nature of distributed ledger technology. See Section 9 for details.
• Usage and Analytics Data: Anonymized usage data may be retained indefinitely for statistical analysis. Identifiable usage data is retained for up to 24 months from the date of collection.
• Technical Logs: Server logs containing IP addresses and technical data are retained for up to 12 months for security and debugging purposes.
• Marketing Consent Records: Records of consent and consent withdrawal are retained for 5 years from the date of consent or withdrawal to demonstrate compliance with GDPR.
• Cookie Data: Cookie lifetimes vary by type. See Section 11 for specific retention periods.
When personal data is no longer required, it is securely deleted or irreversibly anonymized.
8. Your Rights Under GDPR
Under the GDPR, you have the following rights with respect to your personal data. You may exercise these rights at any time by contacting us at contact@bindaro.io.
• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to access such data along with information about the purposes, categories, recipients, and retention periods.
• Right to Rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data and to have incomplete data completed.
• Right to Erasure (Art. 17 GDPR): You have the right to obtain the erasure of your personal data under certain conditions. See Section 9 for important information regarding blockchain data.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to obtain restriction of processing in certain circumstances, such as when you contest the accuracy of data or the processing is unlawful.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Object (Art. 21 GDPR): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing without exception.
• Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Poland is:
Urzad Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa
Poland
Website: https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl
We will respond to all rights requests within one month of receipt, as required by Art. 12(3) GDPR. This period may be extended by two additional months where necessary, taking into account the complexity and number of requests.
9. Right to Erasure and Blockchain Immutability
The right to erasure ("right to be forgotten") under Art. 17 GDPR is a fundamental right that we take seriously. However, the use of blockchain technology introduces important limitations that you should be aware of:
9.1. What We Can Delete
Upon receiving a valid erasure request, we will delete or anonymize the following data from our systems within 30 days:
• Your account profile (email, username, display name, avatar, bio)
• Social login associations (Google, Facebook identifiers)
• Password hashes
• Usage data, analytics data, and session logs
• AI analytics query history
• Album metadata and collection organization data stored off-chain
• Cookie data and device identifiers
You can initiate account deletion directly from the application by navigating to Settings and using the Delete Account feature in the Danger Zone section. This will trigger the deletion process described above.
9.2. What Cannot Be Deleted — Blockchain Data
The following data is recorded on public blockchain networks (Ethereum, Polygon) and cannot be modified or deleted by any party, including Cryptocolony42:
• Public wallet addresses associated with marketplace transactions
• NFT transfer records (ERC-721 and ERC-1155 token transfers)
• Marketplace transaction hashes and smart contract interactions
• Payment records in ETH, WETH, or USDC
This limitation arises from the fundamental architecture of blockchain technology. Data recorded on a distributed ledger is replicated across thousands of independent nodes worldwide and is cryptographically secured to prevent tampering. Neither Cryptocolony42 nor any other entity has the technical capability to alter or erase on-chain records.
9.3. Mitigation Measures
To minimize the impact of this limitation on your privacy:
• We do not store any direct link between your identity (email, name) and your wallet address on-chain. The association exists only in our off-chain database and is deleted upon erasure request.
• After account deletion, your on-chain transactions remain visible only by wallet address, without any link to your Bindaro account or personal identity.
• We design our smart contracts to minimize the amount of personal data written on-chain.
9.4. Legal Basis
We rely on Art. 17(3)(b) GDPR (compliance with a legal obligation) and the technical impossibility of erasure as the basis for retaining on-chain data. This position is consistent with guidance from the European Data Protection Board (EDPB) regarding blockchain technology and GDPR compliance.
10. AI Analytics and Automated Decision-Making
Bindaro uses artificial intelligence to provide collection intelligence features. This section explains how AI is used and your rights in relation to automated processing.
10.1. AI Models and Technology
• Bindaro uses models from the Qwen3 family (developed by Alibaba Cloud), licensed under the Apache 2.0 open-source license.
• The specific model deployed is fine-tuned for NFT market analysis (designated qwen3-nft-v1).
• All AI models run on our own edge infrastructure — no data is sent to third-party AI cloud services.
• All inference is performed locally on edge infrastructure — no data is sent to external AI APIs.
10.2. What AI Analyzes
The AI processes the following data to generate insights:
• Publicly available on-chain data (floor prices, transaction volumes, trait distributions)
• NFT metadata and attribute frequencies within collections
• Historical marketplace pricing and sales velocity
• Rarity scores calculated from trait frequency analysis
10.3. AI Output Types
• Smart Recommendations: Suggests NFTs to acquire based on your collection composition
• Rarity Insights: Identifies undervalued tokens with rare trait combinations
• Price Opportunities: Detects mispriced listings with BUY/HOLD/AVOID signals
• Auto-Classification: Categorizes collections (ART, PFP, GAMING, MUSIC, UTILITY)
• Collector Valuation: Estimates portfolio value from multiple data signals
10.4. Your Rights Under Art. 22 GDPR
Pursuant to Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Bindaro's AI analytics are provided as informational tools and recommendations only. No automated decision on the platform produces legal effects or similarly significantly affects users. Specifically:
• AI outputs are advisory — all buying, selling, and collection decisions remain entirely yours.
• AI does not restrict, limit, or gate your access to platform features.
• No AI-generated score or classification is used to deny service, alter pricing, or discriminate between users.
• You may disregard any AI recommendation without consequence.
Notwithstanding the above, if you believe an automated decision has significantly affected you, you have the right to:
• Obtain human intervention by contacting contact@bindaro.io
• Express your point of view regarding the automated decision
• Contest the decision and request a manual review
10.5. Data Minimization in AI Processing
AI analytics are performed on aggregated, publicly available market data. Your personal identity data (email, name) is never fed into the AI models. The AI processes blockchain-level data (wallet addresses, token IDs, transaction data) which is already publicly available on the respective networks.
12. Children's Privacy
Bindaro is not directed to individuals under the age of 16 (or the applicable minimum age in the relevant jurisdiction). We do not knowingly collect personal data from children under 16 years of age.
In accordance with Art. 8 GDPR, where the processing of personal data is based on consent, we require that consent be given or authorized by the holder of parental responsibility over the child, for children under 16 years of age.
If we become aware that we have inadvertently collected personal data from a child under the minimum applicable age without proper parental consent, we will take immediate steps to delete such data from our systems.
If you are a parent or guardian and believe that your child has provided personal data to Bindaro without your consent, please contact us at contact@bindaro.io so that we can take appropriate action.
Additionally, marketplace features involving cryptocurrency transactions and NFT trading may be subject to additional age requirements under applicable financial regulations. Users must verify that they meet the minimum legal age for engaging in digital asset transactions in their jurisdiction.
13. Data Security
Cryptocolony42 implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR.
13.1. Technical Measures
• Encryption in transit: All data transmitted between your device and Bindaro servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Sensitive personal data stored in our databases is encrypted using AES-256 encryption.
• Password security: Passwords are hashed using industry-standard bcrypt algorithms with appropriate salt values. Plaintext passwords are never stored.
• Wallet authentication: MetaMask authentication uses cryptographic signature verification — private keys never leave your wallet and are never transmitted to our servers.
• Access controls: Role-based access controls (RBAC) restrict employee access to personal data on a need-to-know basis.
• Infrastructure security: Regular security updates, firewall protection, and intrusion detection systems.
13.2. Organizational Measures
• Data processing agreements with all third-party processors pursuant to Art. 28 GDPR
• Regular security assessments and vulnerability testing
• Incident response procedures for data breach notification under Art. 33 and Art. 34 GDPR
• Staff training on data protection and security practices
13.3. Data Breach Notification
In the event of a personal data breach, Cryptocolony42 will:
• Notify the competent supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR, unless the breach is unlikely to result in a risk to your rights and freedoms.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Art. 34 GDPR.
Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is completely secure. We cannot guarantee absolute security of your data.
14. Mobile Applications
Bindaro offers native mobile applications for Android (distributed via Google Play closed testing) and iOS (distributed via Apple TestFlight). This section describes additional data practices specific to mobile apps.
14.1. Mobile-Specific Data Collection
In addition to the data described in Section 2, mobile apps may collect:
• Device identifiers (Android Advertising ID, iOS IDFA — only with consent)
• Push notification tokens (if you enable push notifications)
• Device model, OS version, and app version
• Crash reports and performance diagnostics
14.2. Permissions
The mobile apps may request the following device permissions:
• Camera: For scanning QR codes related to wallet connection (optional)
• Storage: For caching album data for offline access (optional)
• Notifications: For push alerts about marketplace activity and collection updates (optional)
All permissions are optional and can be managed through your device settings.
14.3. Offline Data
The mobile apps may store album data locally on your device for offline viewing. This data is stored in the app's private storage area and is deleted when you uninstall the app or clear app data.
14.4. Google Play Compliance
Our Android app complies with Google Play Developer Program Policies, including the User Data policy, Permissions policy, and Families policy. We submit a Data Safety section declaration to Google Play that accurately reflects our data collection and sharing practices.
14.5. Apple App Store Compliance
Our iOS app complies with Apple's App Store Review Guidelines and App Store Connect requirements. We provide accurate App Privacy labels ("nutrition labels") in App Store Connect that reflect our data collection, usage, and linking practices as described in this Privacy Policy.
14.6. App Tracking Transparency
On iOS 14.5 and later, we comply with Apple's App Tracking Transparency (ATT) framework. We will request your permission through the ATT prompt before tracking your activity across other companies' apps and websites. If you decline, no cross-app tracking will occur.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform features.
15.1. Notification of Changes
• Material changes: We will notify you of material changes by email (sent to the address associated with your account) and by displaying a prominent notice on the platform at least 30 days before the changes take effect.
• Non-material changes: Minor clarifications or corrections may be made without prior notice, but the "Last Updated" date at the top of this policy will always reflect the most recent revision.
15.2. Continued Use
Your continued use of the Bindaro platform after the effective date of a revised Privacy Policy constitutes your acknowledgment of the changes. If you do not agree with the revised policy, you should discontinue use of the platform and request deletion of your account.
15.3. Prior Versions
Prior versions of this Privacy Policy may be obtained by contacting us at contact@bindaro.io.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
• Entity: Cryptocolony42
• Email: contact@bindaro.io
• Website: https://bindaro.io
For matters related to data protection and GDPR compliance, you may also contact the competent supervisory authority:
Urzad Ochrony Danych Osobowych (UODO)
Prezes Urzadu Ochrony Danych Osobowych
ul. Stawki 2
00-193 Warszawa
Poland
Phone: +48 22 531 03 00
Website: https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl
We aim to resolve all data protection queries and requests promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority listed above.