PRIVACY POLICY

1.1 Banking and Financial Services Data

We collect limited financial and identity information necessary to provide regulated financial services:

• Account Establishment Data: legal name, address, date of birth, nationality, tax identification numbers, and government-issued identification
• Transaction Data: payment amounts, timestamps, counterparties, routing information, settlement data, and transaction purpose
• Compliance Documentation: data required to satisfy AML, KYC, KYB, sanctions screening, and fraud-prevention obligations
• Banking Details: account numbers, routing numbers, IBANs, and related information required for ACH, Fedwire, and SEPA processing

1.2 Stablecoin & Blockchain Interaction Data

To facilitate fiat-to-stablecoin and blockchain-based operations:

• Public wallet addresses
• Transaction hashes, network identifiers, and timestamps
• Conversion records, settlement confirmations, and fees

VaultLeap never collects or stores private keys, seed phrases, or credentials that grant access to your digital assets. We cannot recover wallet credentials if lost.

1.3 Communications & Support Data

When you contact us or interact with support:

• Message content and metadata
• Attachments (screenshots, logs, documents)
• Support ticket history, internal case notes, and resolution records

1.4 Phone Number & Identity Verification

We collect phone numbers for identity verification, fraud prevention, and account security, including:

• One-time passcodes (OTP)
• Login and security alerts
• Transaction confirmations

We do not use phone numbers for marketing, promotional messaging, or non-transactional communications. You will only receive messages related to account security and verification via phone number.

1.5 Device and Usage Data

We automatically collect limited technical information:

• Device type, OS, browser, language
• IP address and approximate location (city or regional level)
• Login timestamps, activity logs, feature usage, reward activity, tier changes, and subscription events

1.6 Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve the Services.

What are cookies? Cookies are small text files stored on your device that help us recognize you, maintain your session, and analyze usage patterns.

Types of cookies we use:

• Essential Cookies: Required for core platform functionality (login, session management, security). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Services to improve performance and user experience.
• Preference Cookies: Remember your settings and preferences.

Your choices: Most browsers allow you to control cookies through settings. Note that disabling essential cookies may prevent you from using certain features of the Services.

Where required by law, non-essential cookies are disabled until you provide explicit consent through our cookie banner.

For more information, see our Cookie Policy at https://vaultleap.com/cookies or contact us at support@vaultleap.com.

1.7 Referral Program Data

If you participate in referral programs, we collect:

• Referral identifiers
• Referral link usage
• Referral activation and eligibility status
• Referred user transaction volume (for calculating referrer rewards)

Referral rewards (Tier Points) are a non-monetary platform feature used solely to determine tiers and benefits. They are not stored value, currency, or financial assets.

This data is used to calculate Tier Points, determine referral eligibility, prevent fraud and abuse, and ensure compliance with program rules.

3.1 Regulated Financial Partners

We share data with regulated financial institutions and payment partners, including:

• Bridge Ventures LLC
• Lead Bank, Member FDIC

to enable compliant banking, payments, card issuance, and regulatory reporting.

3.2 Card Program Partners

If you use the VaultLeap Visa® Debit Card, we share necessary data with:

• Bridge Ventures LLC (Program Manager)
• Lead Bank, Member FDIC (Issuing Bank)

VaultLeap does not store full card numbers or CVV codes.

3.3 Service Providers (Sub-Processors)

We engage vetted service providers who process personal data on our behalf. All sub-processors operate under strict confidentiality and data-processing agreements that require them to process data only on our instructions and implement appropriate security measures.

Current sub-processors:

Sub-processor changes: We will update this list when we engage new sub-processors. If you are located in the EEA or UK, you may subscribe to sub-processor change notifications by emailing support@vaultleap.com with the subject line "Sub-Processor Notifications." We will provide at least thirty (30) days' notice before engaging a new sub-processor that processes EEA or UK personal data. If you have a reasonable objection to a new sub-processor, you may contact us to discuss your concerns, and if we cannot resolve the objection, you may terminate your account.

3.4 Legal Obligations

We may disclose data when required by law, regulation, court order, subpoena, or lawful government request.

3.5 Corporate Transactions

If VaultLeap is involved in a merger, acquisition, financing, restructuring, or asset sale, personal data may be transferred subject to applicable legal protections. We will notify you of any such transfer and any choices you may have regarding your data.

User Responsibilities:

Users remain responsible for safeguarding their login credentials, wallet private keys, and account security. VaultLeap cannot reverse or recover blockchain transactions or restore lost wallet credentials.

6.1 U.S. State Privacy Rights

Depending on your state of residence, you may have rights to:

• Access your personal data
• Correct inaccurate data
• Request deletion of your personal data (subject to legal retention requirements)
• Receive disclosures about our data practices
• Opt out of the sale or sharing of personal information (though we do not sell or share data)

States with Comprehensive Privacy Laws:

These rights currently apply to residents of California, Virginia, Colorado, Connecticut, Utah, and other states with applicable privacy legislation.

California Residents:

VaultLeap does not sell or share personal information as defined by the California Consumer Privacy Rights Act (CPRA) and does not engage in cross-context behavioral advertising.

Exercising Your Rights:

To exercise any of these rights, please contact us at support@vaultleap.com with the subject line "Privacy Rights Request." We will verify your identity in accordance with applicable law before processing your request.

We will respond to verified requests within the timeframes required by applicable law (typically 45 days, with possible extension).

Email Marketing:

You may receive occasional non-transactional communications about new features, platform updates, or promotions. You may opt out of these communications at any time using the unsubscribe link in the email or by contacting support@vaultleap.com with "Unsubscribe" in the subject line.

Transactional Messages:

You will continue to receive transactional, compliance, security-related, and account-related messages even after opting out of marketing, as these are necessary to provide the Services and meet our legal obligations. These include:

• Security alerts and login notifications
• Transaction confirmations
• Compliance and verification requests
• Changes to Terms of Service or Privacy Policy
• Account status updates