# Privacy Policy
**Itos Inc.**
**Last Updated: May 20, 2026**
This Privacy Policy describes how Itos Inc. ("Itos," "we," "us," or "our") collects, uses, shares, and protects information in connection with the website-based interface and related services (the "Site") that provide access to the Itos Smart Contract Protocol. This Privacy Policy is incorporated by reference into, and forms part of, the Itos Terms of Service, available at https://itos-finance.tome.center/legal/terms-of-service (the "Terms"). Capitalized terms used but not defined in this Privacy Policy have the meanings given to them in the Terms.
For the purposes of the EU General Data Protection Regulation (the "EU GDPR"), the UK General Data Protection Regulation (the "UK GDPR," and together with the EU GDPR, "GDPR"), and other applicable data protection laws, Itos Inc. is the controller of the personal information processed as described in this Privacy Policy.
By accessing or using the Site, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Privacy Policy, you must not access or use the Site.
For any questions about this Privacy Policy or our data practices, please contact us at privacy@itos.fi.
## 1. Scope and Application
This Privacy Policy applies only to information collected by or on behalf of Itos through the Site. It does not apply to:
- The Itos Smart Contract Protocol itself, which is software deployed on public blockchains and operates autonomously, without our control over any data recorded on-chain;
- Information you provide to or that is processed by third parties (including wallet providers, market makers, blockchain validators and node operators, RPC providers, and other infrastructure providers), each of which may have its own privacy practices that, where made available, you should review independently; or
- Information that is publicly available on public blockchains (such as wallet addresses, transaction hashes, and on-chain transaction details), which is published by you when you initiate transactions and is not controlled by us.
## 2. Information We Collect
We have designed the Site to minimize the personal information we directly collect. Specifically:
### 2.1 Information We Collect Directly
**Wallet addresses.** When you use the Site, we collect and store the blockchain wallet address you use, whether that address belongs to an external wallet you connect or an embedded wallet provisioned through our authentication provider (see Section 2.4). We may associate that wallet address with your interactions with the Site (such as RFQ requests, transaction submissions, and claim actions). Wallet addresses are retained as described in Section 6 (Data Retention).
**Transactional data submitted through the Site.** When you submit a request through the Site (such as requesting an RFQ quote or initiating a transaction), we process the parameters of that request as necessary to facilitate the requested operation.
**Information you provide voluntarily.** If you contact us by email (for example, at privacy@itos.fi) or otherwise voluntarily provide information to us, we collect the information you choose to share.
### 2.2 Information We Do Not Directly Collect
- We do not collect IP addresses through our application code.
- We do not set cookies on your browser.
- We do not deploy analytics, tracking pixels, fingerprinting scripts, or similar telemetry tools through our application code.
- We do not collect or store names, phone numbers, government identification, or other directly identifying information in the operational backend that runs the Site (other than as described in Section 2.1 with respect to voluntary contact).
- We do not collect or store email addresses in the operational backend that runs the Site (other than as described in Section 2.1 with respect to voluntary contact). If you choose to log in using an email address, that email address is collected and stored by our authentication provider, as described in Section 2.4; it may be displayed to you within the Site in your browser, but is not transmitted to or stored by that backend.
### 2.3 Information Collected Incidentally by Infrastructure Providers
The Site is hosted and supported by third-party infrastructure providers. In the ordinary course of providing such infrastructure, these providers may incidentally collect, log, transmit, or store data — including IP addresses, request metadata, browser and device information, and similar technical data — without our direction or control. Infrastructure providers used in connection with the Site include:
- Vercel (frontend hosting)
- Privy (authentication and wallet infrastructure; see Section 2.4)
- Chainalysis (wallet-address screening; see Section 3.2)
- Wallet connection libraries (such as WalletConnect, RainbowKit, or similar; depending on the wallet you use)
- Blockchain RPC providers (which transmit your transaction requests to the relevant blockchain)
- Market makers participating in the RFQ system (which, as your counterparties for option positions, receive your RFQ request parameters; they do not receive your wallet address through the RFQ system, although wallet addresses and on-chain transaction details are publicly visible on the blockchain as described in Section 5)
Where these providers make their privacy practices available, you should review them for further information about their data handling.
### 2.4 Authentication and Wallet Provisioning
Login to the Site is provided through a third-party authentication and wallet-infrastructure provider, Privy. Privy maintains a user account for each user that uses the Site. The Site offers two login methods:
**Wallet login.** You connect an external blockchain wallet that you control. Privy creates or associates a Privy user account with the wallet address you connect.
**Email login.** You authenticate using an email address. Your email address is collected and stored by Privy as the authentication provider and associated with your Privy user account. Your email address may be displayed to you within the Site in your browser, but is not transmitted to, logged by, or stored in the operational backend that runs the Site. We do not maintain our own record of your email address.
The Site's frontend may receive account information from Privy as needed to operate the Site (for example, the active wallet address for the session). Our backend systems do not receive, log, or store any such information beyond what is described in Section 2.1. Privy's data practices are governed by Privy's own privacy policy, which you should review independently.
If you log in using an email address, an embedded wallet will be provisioned for you through Privy. The Site Operator does not hold the private keys for, and is not able to sign transactions on behalf of, these wallets. Privy's role in connection with such wallets is described in Privy's own documentation and privacy policy, which you should review independently.
## 3. How We Use Information
We use the information described in Section 2 for the purposes set out below. Where the GDPR applies to our processing of your personal information, the legal basis on which we rely for each purpose is identified below. The legal bases we rely on are: performance of a contract with you; compliance with a legal obligation to which we are subject; and our legitimate interests (or those of a third party), provided these are not overridden by your interests or fundamental rights. Where we rely on consent, you may withdraw it at any time as described in Section 8.
### 3.1 Operating the Site
To provide the Site and its features, including responding to RFQ requests, routing transaction messages to your wallet for signature, displaying on-chain data, and otherwise enabling your interaction with the Itos Smart Contract Protocol.
Legal basis (where GDPR applies): performance of a contract with you, and our legitimate interests in operating and maintaining the Site.
### 3.2 Eligibility and Sanctions Screening
To enforce the eligibility requirements set forth in the Terms. Specifically, we use Chainalysis to screen wallet addresses that interact with the Site against publicly available sanctions lists (including OFAC, EU, UK, and UN lists) and other risk indicators. We also employ geographic access restrictions at the Site: our hosting provider derives an approximate country or region from a visitor's IP address, and the Site uses that country- or region-level signal to restrict access from Restricted Territories as defined in the Terms. We do not retain raw IP addresses in our application code for this purpose.
Wallet addresses identified as sanctioned, originating from Restricted Territories, or otherwise failing our eligibility checks may be denied access to the Site. Screening occurs both at the time a wallet first connects to the Site, before any agreement is accepted, and on an ongoing basis with respect to wallet addresses associated with open positions in the Itos Smart Contract System, to detect changes in sanctions status during the life of a position.
Legal basis (where GDPR applies): compliance with a legal obligation to which we are subject (including sanctions and anti-money-laundering laws), and our legitimate interests in not providing the Site to, or entering into agreements with, persons who do not satisfy the eligibility requirements of the Terms or who are otherwise prohibited from using the Site, and in detecting changes in sanctions status during the life of an open position.
This screening involves automated decision-making: decisions about your access to the Site may be made solely on the basis of the automated screening described above, without human review at the time of the access attempt. We rely on such automated decision-making because it is necessary to comply with sanctions, anti-money-laundering, and other legal obligations to which we are subject, and because the volume of access attempts makes case-by-case human review impractical. If you believe that the screening has erroneously denied your access, you may contact us at privacy@itos.fi to request human review of the decision.
### 3.3 Security and Fraud Prevention
To protect the integrity of the Site, detect and prevent unauthorized access, abuse, manipulation, or fraud, and investigate any suspected violations of the Terms or applicable law.
Legal basis (where GDPR applies): our legitimate interests in maintaining the security and integrity of the Site, and compliance with a legal obligation where applicable.
### 3.4 Legal Compliance
To comply with applicable laws, regulations, court orders, subpoenas, or other legal process; to respond to lawful requests from government or law enforcement authorities; and to establish, exercise, or defend legal claims.
Legal basis (where GDPR applies): compliance with a legal obligation to which we are subject, and our legitimate interests in establishing, exercising, or defending legal claims.
### 3.5 Communications
To respond to your inquiries when you contact us.
Legal basis (where GDPR applies): our legitimate interests in responding to and managing inquiries, and performance of a contract with you where your inquiry relates to your use of the Site.
## 4. How We Share Information
We share information only as described below.
### 4.1 With Service Providers
We share information with third-party service providers that perform services on our behalf or in connection with the Site, including:
- Chainalysis, for wallet-address screening as described in Section 3.2;
- Privy, which provides authentication and wallet infrastructure and, if you use email login, collects and stores your email address as described in Section 2.4;
- Vercel, which hosts the Site frontend and may process information incidentally as described in Section 2.3;
- Market makers participating in the RFQ system, which receive RFQ requests (including the User's chosen strike, expiration, and asset) in order to respond with quotes;
- Auditors, advisors, and counsel, as reasonably necessary in connection with our business operations.
### 4.2 With Legal Authorities
We may disclose information to governmental, regulatory, or law enforcement authorities if we believe in good faith that such disclosure is required by applicable law, regulation, legal process, or governmental request, or is necessary to protect our rights or the rights of others.
### 4.3 In Connection with Business Transactions
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will take reasonable steps to ensure that any successor entity continues to handle information consistent with this Privacy Policy or notifies you of any material changes.
### 4.4 With Your Consent
We may share information with third parties when you have given us your consent to do so.
### 4.5 No Sale of Personal Information
We do not sell personal information to third parties.
## 5. Public Blockchain Data
Transactions you initiate through the Site are recorded on the public blockchains to which the Itos Smart Contract Protocol is deployed. Public blockchain data — including wallet addresses, transaction hashes, transaction amounts, and the smart contract calls you make — is publicly visible, permanent, and outside our control. We cannot modify, delete, or restrict access to information recorded on public blockchains. By using the Site, you acknowledge and accept the public and permanent nature of blockchain data.
## 6. Data Retention
We retain information only for as long as necessary to fulfill the purposes set out in this Privacy Policy, unless a longer retention period is required by law. Specifically:
- Wallet addresses and screening records may be retained for a period reasonably necessary to demonstrate compliance with our sanctions and eligibility obligations, and to investigate any subsequent inquiries.
- Communications received from you may be retained as needed to respond to your inquiry and for our records.
- On-chain data is permanent and is not within our control to retain or delete.
Following the applicable retention period, we will take reasonable steps to delete or anonymize the information.
## 7. International Data Transfers
Itos is incorporated in the United States of America. Information that we collect or that is collected on our behalf may be processed, stored, or transferred to the United States or to other countries where we or our service providers operate. Data protection laws in these countries may differ from, and may not provide the same level of protection as, those in your country of residence.
Where we transfer personal information of individuals in the European Economic Area or the United Kingdom to a country that has not been recognized by the European Commission or the relevant United Kingdom authority as providing an adequate level of data protection, we will seek to put in place appropriate safeguards as required by the GDPR. These safeguards may include the Standard Contractual Clauses approved by the European Commission and, for transfers subject to the UK GDPR, the International Data Transfer Agreement or the UK Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner's Office. You may contact us at privacy@itos.fi for further information about the safeguards we apply to a particular transfer.
By using the Site, you acknowledge that your information may be transferred to and processed in countries outside your country of residence as described in this Privacy Policy.
## 8. Your Rights
Depending on the jurisdiction in which you reside and the laws applicable to you, you may have certain rights with respect to your personal information, including:
- **Right of access:** the right to request confirmation of whether we process information about you, and to obtain a copy of such information;
- **Right to rectification:** the right to request correction of inaccurate or incomplete information;
- **Right to erasure:** the right to request deletion of certain information, subject to the limitations described below and exceptions under applicable law;
- **Right to restrict or object to processing:** the right to request that we limit our processing of your information in certain circumstances;
- **Right to data portability:** the right to receive your information in a structured, commonly used, and machine-readable format;
- **Right to withdraw consent:** where we rely on your consent for any specific processing activity, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal;
- **Rights concerning automated decision-making:** the right to obtain human intervention, to express your point of view, and to contest decisions about you that are based solely on automated processing and produce legal or similarly significant effects, as further described in Section 3.2 with respect to our wallet-address screening;
- **Right to lodge a complaint:** the right to lodge a complaint with a data protection supervisory authority. If you are in the European Economic Area, you may complain to the supervisory authority in the country where you live or work or where you believe an infringement has occurred; if you are in the United Kingdom, you may complain to the UK Information Commissioner's Office.
**Limitations.** Because of the technical nature of public blockchains and the Itos Smart Contract Protocol:
- We cannot delete, alter, or restrict data recorded on public blockchains;
- We cannot delete wallet addresses associated with confirmed sanctions or other legal-compliance triggers, where retention is necessary to demonstrate our compliance;
- Many of our processing activities are necessary for legal compliance or for legitimate interests in operating the Site, and may not be subject to objection or erasure on those grounds.
To exercise your rights, please contact us at privacy@itos.fi. We may need to verify your identity (for example, by requesting that you sign a message with the wallet whose address is the subject of your request) before responding to your request.
## 9. Security
We implement reasonable technical and organizational measures designed to protect the information we collect against unauthorized access, disclosure, alteration, or destruction. However, no security measure is perfect, and we cannot guarantee the security of information transmitted to us or stored on our systems. You are responsible for maintaining the security of your own wallet, private keys, and devices, and for protecting your access to the Site.
## 10. Children's Privacy
The Site is not directed to, and we do not knowingly collect information from, individuals under the age of 18 (or such higher age of majority as may apply in your jurisdiction). If you believe that we may have collected information from a person under such age, please contact us at privacy@itos.fi and we will take steps to delete such information.
## 11. Third-Party Links and Services
The Site may contain links to, or be used in connection with, third-party websites, applications, or services that are not operated or controlled by us. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. You should review the privacy policies of any third party before providing them with information.
## 12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this Privacy Policy and post the updated version at https://itos-finance.tome.center/legal/privacy-policy (or such other URL as we may publish from time to time). We may also notify you of material changes by other means at our discretion. Your continued use of the Site after any update to this Privacy Policy constitutes your acceptance of the updated Privacy Policy.
## 13. Contact Us
If you have any questions, comments, or requests regarding this Privacy Policy or our data practices, please contact us at:
Itos Inc. — Email: privacy@itos.fi