Privacy Policy

This Privacy Policy (Policy) describes how Orbal (we, us or our) collects, uses, transfers, and secures individual users’ (User, you, or your) personal data in connection with our websites, platforms, services, applications, and protocols (collectively, the Services). The Orbal protocol operates as a decentralised, non-custodial protocol deployed on public blockchains. Most interactions with the Protocol occur entirely on-chain and do not require Orbal to collect or process personal data. Blockchain addresses, transaction histories, and smart contract interactions are publicly visible on the blockchain and are not collected, stored, or controlled by Orbal. However, certain aspects of the Services, such as our website and applications, may involve limited collection and processing of personal data as described in this Policy. By using, accessing or interacting with our Services in any manner, you acknowledge that you have read, understood, and agree to be bound by this Policy. This Policy may be amended from time to time by us in accordance with Section 9. By accessing or using the Services or after any amendments are posted, you agree to be bound by the amended Policy. This Policy constitutes a binding agreement between you and us, whether an individual or entity (User, you, or your), who use, access or interact with Orbal’s Services. 1. COLLECTION OF PERSONAL DATA 1.1. Data We Collect When you access or use the Services, we may collect the following limited categories of personal data: (a) On-Chain Data: Orbal may access and display publicly available on-chain information associated with wallet addresses interacting with our protocol, including transaction history, balances, and smart contract interactions. Such data is sourced directly from public blockchains and is not personal data collected by Orbal. (b) Wallet Information: When you connect a digital wallet to the Services, we may view and record your publicly available blockchain address. We may also access publicly available on-chain data associated with your wallet, including transaction history, token holdings, and smart contract interactions. (c) Contact Information: If you contact us via email, support channels, or social media, we collect your name, email address, and the content of your communications. (d) Technical and Usage Data: We automatically collect certain technical and usage information when you access the Services, including your IP address, browser type, device type, operating system, usage statistics and other analytics data. (e) Geolocation Data: We may collect approximate geolocation data based on your IP address to comply with sanctions screening and access restrictions. 1.2. Data We Do Not Collect Orbal does not collect, store, or have access to your private keys, seed phrases, passwords, or custody of your digital assets. We do not collect personal data stored on third-party blockchains or processed solely on-chain without interaction with our off-chain Services. 1.3. Third-Party Service Providers We may engage third-party service providers who act as data processors under our instruction, including: (a) Identity verification providers who collect and verify identity information on our behalf. These providers process data solely as instructed by Orbal and are contractually obligated to protect your data. (b) AI Agent providers will be engaged as our protocol utilises artificial intelligence to autonomously execute vault strategies. These AI providers process operational data, including wallet addresses, transaction data, market data, and strategic instructions from Pilots, solely to perform algorithmic trading and rebalancing functions. (c) Analytics providers who provide analytics tools may be engaged for us to understand how Users interact with the Services. (d) Customer support tools may be engaged to manage support enquiries. 2. LEGAL BASIS FOR PROCESSING PERSONAL DATA 2.1. We process your personal data based on the following legal grounds: (a) Performance of a Contract: To provide the Services you have requested and enable your use of the Protocol. (b) Legitimate Interests: To improve the Services, prevent fraud, ensure security, and comply with legal obligations, balanced against your rights and freedoms. (c) Compliance with Legal Obligations: To comply with applicable laws, including sanctions screening, AML, and CTF obligations. (d) Consent: Where required by law, based on your consent, which you may withdraw at any time. 2.2. Use of Personal Data We use your personal data to: (a) provide, operate, and maintain the Services; (b) enable you to connect your wallet and interact with the Protocol; (c) respond to inquiries and provide customer support; (d) detect, prevent, and address fraud, security breaches, and prohibited activities; (e) comply with legal obligations, including sanctions screening and AML/CTF requirements; (f) analyse usage patterns and improve the Services; (g) send important notices, updates, or security alerts; (h) enforce our Terms and Conditions and this Policy, and protect our rights. 3. TRANSFER OF PERSONAL DATA 3.1. We do not sell, rent, or trade your personal data. We may share your personal data in the following limited circumstances: (a) Service Providers and Data Processors: We share personal data with third-party service providers who perform functions on our behalf. These providers act as data processors and are contractually required to protect your data and use it solely as instructed by Orbal. (b) Legal and Regulatory Authorities: We may disclose personal data when required by law, legal process, court order, or to comply with sanctions, AML/CTF obligations, or other legal requirements. (c) Protection of Rights: We may disclose personal data to protect Orbal’s rights, property, or safety, or the rights of our users or others. (d) Business Transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. (e) With Your Consent: We may share your personal data with third parties when you provide explicit consent. Your personal data may be transferred to, stored, or processed in countries outside your jurisdiction. When we transfer personal data internationally, we implement appropriate safeguards, including ASEAN Model Contractual Clauses or other legally recognised transfer mechanisms. 4. RETENTION OF PERSONAL DATA We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our Terms and Conditions and this Policy. Retention periods vary based on the type of data and the purposes for which it is processed. When personal data is no longer required, we securely delete or anonymise it. 5. SECURITY OF PERSONAL DATA We implement reasonable technical and organisational measures to protect personal data from unauthorised access, loss, misuse, alteration, or destruction. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your wallet and private keys. 6. DATA SUBJECT RIGHTS You have the following rights regarding your personal data: (a) Access: You will have access to personal data in our possession or control and information about our use or disclosure. (b) Rectification: You may request us to correct inaccurate or incomplete personal data. (c) Withdraw Consent: You may withdraw consent to the collection, use or disclosure of your personal data. However, your withdrawal of consent may result in our inability to provide Services to you. To exercise your rights, please contact us at russell@orbal.org. We will respond to your request in accordance with applicable law. Please note that certain rights may be limited by legal requirements or legitimate business needs. 7. CHILDREN The Services are not intended for individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly. 8. THIRD-PARTY LINKS The Services may contain links to third-party websites, applications, or protocols. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data. 9. AMENDMENTS We may update this Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will post the updated Policy on our website. Your continued use of the Services after changes are posted, constitutes your acceptance of the revised Policy. 10. GOVERNING LAW AND DISPUTES 10.1. This Policy shall be governed by and construed in accordance with the laws of the Cayman Islands, without regard to conflict of law principles. 10.2. The parties agree to first attempt amicable resolution of disputes through good faith negotiations. Either Party may initiate negotiations by providing written notice describing the dispute. 10.3. Any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (“SIAC”) in accordance with the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force. The seat of the arbitration shall be Singapore. The Tribunal shall consist of one arbitrator. The language of the arbitration shall be English. Each party shall bear its own legal costs and expenses, and the arbitration costs shall be allocated by the Tribunal in accordance with the SIAC Rules.