This policy is effective as of December 31, 2025.

Welcome and thank you for utilizing, visiting, or considering zerohash – a digital asset, cryptocurrency, and blockchain infrastructure platform – as your modern financial services provider. We at zerohash (together with the zerohash entities listed in Section XI below, referred to here as “zerohash,” “we”, “us,” or “our”) respect and protect the privacy of those who explore our Services (“Users”) and Users who sign up for and access our Services (“Customers”) (together referred throughout this policy as “you” and “your”).

This zerohash Global Privacy Notice (the “Privacy Notice”) describes how we collect, use, and share personal information when you explore, sign up for or access our Services, which include any Services described or offered on or through our websites (which includes without limitation zerohash.com), when you use the a zerohash Services, including through a business partner (“Business”) that has engaged zerohash to provide our Services to Customers, which may include the use or utilization of zerohash application programming interfaces (“API”), software development kits (“SDK”), or a Business’s third party applications relying on such APIs or SDKs (collectively, the “Apps”) and any related Services.

Because we collect, use, and are responsible for certain personal information about Users or Customers in numerous jurisdictions, we are subject to various laws in the United States and other jurisdictions, including the EU’s General Data Protection Regulation (“EU GDPR”) which applies across the European Union and its equivalent in the United Kingdom, the UK GDPR (“UK GDPR” and collectively with EU GDPR, the “GDPR”). Please see the Appendices to this Privacy Policy for terms specific to the following jurisdictions:

• Appendix A: United States Privacy Notice
• Appendix B: Brazil Privacy Notice

If you reside outside of the United Kingdom (“UK”) and the European Economic Area (the “EEA”), accessing and using our Services means that you accept this Privacy Policy and its terms, except where such form of acceptance is prohibited by applicable law.

If you are a job applicant or prospective candidate, please refer to our Applicant Privacy Notice, available here.

It is important that you understand how we use your information. You should read this page in full, but below are the key highlights and some helpful links:

• We may collect data that identifies or is associated with you ("personal information" or “PII”) when you access or use our or a Business’s websites, blogs, mobile sites, applications, widgets, Apps, APIs, SDKs, and other interactive features; when you register or attend an event organized or hosted by us; when you apply for a role with us; or when you otherwise contact us or provide us your PII (our "Services");
• If you do not wish for your personal information to be collected, used, or disclosed as described in this Privacy Notice, or you are under 18 years of age, you should stop accessing our Services;
• We collect and use your personal information in order to provide or improve our Services, protect the security and integrity of our platform, and meet our legal or regulatory obligations;
• We share your information with our affiliates, subsidiaries, and associated entities (the “zerohash Group” of companies), Businesses, which include any platform that you used to apply for a zerohash account and/or use to access our Services (“Platform”), as well as trusted third party professionals and service providers, in order to offer our Services and fulfill our legal and regulatory requirements;
• We offer privacy opt-out tools for you to request access to or deletion of information we hold about you. You can use these tools by visiting our Support Portal. Depending on where you live, you may also have other privacy rights under applicable law, which we address herein; and.
• If you have any questions, please Contact Us on our Support Portal or at privacy@zerohash.com.
• Any translation is provided for informational purposes only.  If there is any discrepancy between the English version of this Privacy Notice and any translation, the English version shall control.

I. WHAT INFORMATION WE COLLECT

We collect data about visitors to our websites and any affiliated blogs, mobile sites, or applications; about Users or Customers that access our Services or Apps, whether directly or through a Business or Platform, or any other Users or Customers that attend events organized or hosted by us; and about our clients, including Businesses (where these are natural persons or a Business’s personnel, directors, owners, agents, contractors, representatives, or service providers; and these individuals about whom we collect data are incorporated into any reference to "you" or “your” in this Privacy Policy). Please refer to the below for further information about the personal information we may collect and how it may be used:

A. Information You Provide To Us

B. Information Collected Automatically

C. Information we obtain from Affiliates and Third-Parties

II. HOW WE USE YOUR INFORMATION

We use your personal information to deliver, personalize, operate, improve, create, and develop our Services, to provide you with a secure, smooth, efficient and safe experience, and for legal and regulatory compliance, theft and loss prevention, and anti-fraud purposes. Below is additional information about how we use your personal information and our legal basis for doing so:

A. As Necessary to Perform a Contract with Users

We may use certain information that is necessary to perform our duties under an applicable zerohash Group company user agreement (e.g., the zerohash & zerohash Liquidity Services User Agreement in the United States) or similar customer or end-user agreement or other relevant contract with you. We may need to suspend or terminate our Services or otherwise close your user account if we cannot process your personal information or similar data for these purposes.

B. Data used to comply with our legal obligations

Our Services are subject to laws and regulations – including laws in the local jurisdiction you sign up for or access the zerohash Services – that require us to collect, use, and store your personal information in certain ways and for specified periods. If you do not provide and continue to provide access to the personal information as required by law, we may have to suspend or close your account.

C. Data use for our Legitimate Interests

We rely on our legitimate interests or those of third parties (like Businesses or Platforms, our other Customers, and potentially the public) where they are not outweighed by your rights. In certain jurisdictions – including the EEA and UK – you may have the right to object to, and seek the restriction of this processing.

D. Data use based on your consent

When we use your information based on your consent, you have the right to withdraw your consent at any time on a go-forward basis (which will not affect our prior use of your data, based on your previously given consent). Please see our Privacy Opt Out or contact Customer Support to make changes to your consent preferences.

E. Data use to protect your or others’ vital interests

If you reside outside the UK or EEA, the legal bases on which we rely in your country may differ from those listed above.

III. HOW AND WHY WE SHARE YOUR INFORMATION

We work with service providers, partners and other third parties to help us provide our Services, and as a result we need to share certain information with these third parties.  Here’s how:

A. Affiliates

Personal information that we process and collect may be transferred between zerohash Group companies, Services, and personnel affiliated with us as a normal part of conducting business and offering our Services to you and to comply with our legal or regulatory obligations. See Section XI. for a list of our affiliated companies.

B. Business or Platform Third Party

Personal information that we process and collect may be transferred between zerohash and the Business or Platform which you use to sign up for and/or access the zerohash Services as a normal part of conducting business and offering our Services to you and to comply with our respective legal or regulatory obligations. Please note that when you use the Business’s Platform’s other services and products, which are not governed by this Privacy Policy, the Business’s or Platform's own terms and privacy policies will govern your use of those services and products.

C. Linked Third Party Websites & Applications

When you utilize certain Services that use third-party services or websites (e.g., AML/KYC services, pay with crypto, withdrawal services, etc.) that are linked through to our Services, the providers of those services or products may receive information about you that zerohash, you, or others share with them. Please note that when you use third-party services or websites, which are not governed by this Privacy Policy, their own terms and privacy policies will govern your use of those services and products.

D. TRUST

The T.R.U.S.T. network is a global, secure, and industry-driven solution designed to comply with a requirement known as the Travel Rule while protecting your security and privacy. zerohash and other custodial cryptocurrency exchanges and financial institutions share certain basic information about their customers when sending funds over a certain amount to another financial institution. To learn more, see Travel Rule FinCEN Advisory.

E. Professional advisors, industry partners, authorities and regulators

We may share your information described in Section I. with our professional advisors, regulators, tax authorities, law enforcement, government agencies, Businesses, Platforms, and industry partners to:

• respond pursuant to applicable law or regulations, court orders, legal process or government requests; 
• comply with our reporting and information sharing obligations with industry partners (e.g., other Virtual Asset Service Providers (“VASPs”) and regulatory authorities)
• detect, investigate, prevent, or address fraud and other illegal activity or security and technical issues; and 
• protect the rights, property, and safety of our Users, Customers, the zerohash Group, or others, including to prevent death, imminent bodily harm, or exploitation.

F. Asset Transfer or Company Acquisition

We may choose to buy or sell assets, and may share and/or transfer information about our Users or Customers in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, merged, reorganized, or if we go out of business, enter bankruptcy, or go through some other change of control or similar event, your personal information could be one of the assets transferred to the acquiring party.

G. Third-Party Service Providers

We work with third-party service providers to help us provide our Services. When we share information with third-party service providers in this capacity, we require them to use your information on our behalf in accordance with our instructions and terms and only process as necessary and proper for the limited purpose of the contract. We work with different types of third-party service providers, including:

A list of additional third parties that may receive or process your Personal Information is available here.

IV. HOW LONG WE RETAIN YOUR PERSONAL INFORMATION

We retain your information as needed to provide our Services, comply with legal or regulatory obligations, or protect our, your, or others’ vital or necessary interests. While retention requirements vary by country, we maintain internal retention policies on the basis of how information needs to be used. This includes considerations such as when the information was collected or created, whether it is necessary in order to continue offering you our Services, whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance and other regulatory obligations, whether we need it is necessary to protect a vital interest, or if it meets other information preservation requirements. We also keep certain information where necessary to protect the safety, security and integrity of our Services, Businesses, Platforms, Customers, and Users. Our third-party electronic identity verification providers collect and retain information, which may include biometric information, for the period required for financial regulatory compliance or otherwise as required by applicable law. They retain this information as described in their respective policies.

In line with these considerations, we delete information that is no longer required or needed for the above purposes when you close your account, or when you request deletion of your information (which you can initiate through our Privacy Opt Out), and delete any other information when permitted pursuant to the above considerations.

V. CHILDREN'S PERSONAL INFORMATION

The Services are not directed to persons under the age of 18, and we do not knowingly request or collect any information about persons under the age of 18. If you are under the age of 18, please do not provide any personal information to any zerohash Group company. If a User or Customer submitting personal information is suspected of being under 18 years of age, we will require the relevant Customer or User to close the account, and will take all reasonable steps to delete or purge the individual’s information as soon as possible.

VI. INTERNATIONAL TRANSFERS

To facilitate our global operations, and depending on where you sign-up for or access our Services, zerohash, its Affiliates, third party partners, and service providers may transfer, store, and process your personal information in certain approved location, including Australia, Bermuda, Brazil, Germany, the Netherlands, the UK, and the United States. Further information is available at Appendix C.

If you reside in the EEA, Switzerland, or the United Kingdom, we rely upon a variety of legal mechanisms to facilitate these transfers of your personal information (collectively, “European Personal Data”).

• We rely on the European Commission and the UK Information Commission Office’s Standard Contractual Clauses to facilitate the international and onward transfer of European Personal Data to third countries, including from our EU and UK operating entities to zerohash Group entities in the United States. For further information about our standard contractual clauses, please contact privacy@zerohash.com.
• We further rely on exemptions and adequacy decisions provided for under data protection law for our international transfers, including from the European Commission. For example, we operate globally and need to share information with zerohash Group companies and to data centers outside the EEA in order to develop and provide zerohash Services (Article 49(1)(b) GDPR). In addition, we may rely on certain exemptions for sharing personal information with law enforcement or regulators outside of the EEA in emergency situations (Article 49(1)(f) GDPR).

VII. YOUR PRIVACY RIGHTS AND CHOICES

Depending on where you live, you may be able to exercise certain privacy rights related to your personal information. For any of your privacy rights and choices referenced below, requests relating to your personal information can be made by contacting Customer Support or by submitting a request via our Privacy Opt Out or at privacy@zerohash.com. If any of the rights listed below are not provided under law for your operating entity or jurisdiction, zerohash has absolute discretion in honoring your request regarding these rights.

• Right to access and portability: 

You may request that we provide you a copy of your personal information held by contacting Customer Support, or by submitting a request privacy@zerohash.com.

• Right to rectification:

You may update or request us to rectify or update any of your personal information held by zerohash that is incomplete or inaccurate by logging in to your Business or Platform account and/or zerohash account and updating the details in your account profile, by contacting Customer Support, or by submitting a request privacy@zerohash.com.

• Right to deletion/erasure: 

You may request to erase your personal information, subject to applicable law. If you close your zerohash Account, we will retain or delete information associated with your account in accordance with our obligations under applicable law and as described in Section IV.

• Right to withdraw your consent: 

To the extent the processing of your personal information is based exclusively on your consent, you may withdraw your consent at any time. The lawfulness of zerohash’s processing before you withdraw your consent will not be affected by such withdrawal.

• Right to object to or restrict processing: 

You may have the right to restrict or object to us using or transferring your personal information based on our legitimate interests, in the public interest, or for marketing purposes. We may continue to process your personal information where permitted or required by applicable law. You can opt-out of certain processing or communications by contacting Customer Support, or by submitting a request privacy@zerohash.com. 

• Right to non-discrimination:

We will not discriminate against you for exercising any of your rights provided to you under law.

• Right to lodge a complaint:  

If you reside in the EEA, Switzerland, or the UK, you have the right to lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country or state. In the UK, the relevant data protection authority is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, +44 (0303) 123 1113, email: casework@ico.org.uk. In the Netherlands, the relevant data protection authority is the Dutch Personal Data Authority, PO Box 93374, 2509 AJ, The Hague, Netherlands, (+31)0881805250, email: info@autoriteitpersoonsgegevens.nl or by using the following Online Form.

If you reside in Australia, you may lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country. In Australia, the relevant data protection authority is the Office of the Australian Information Commissioner, and complaints may be made through their website at www.oaic.gov.au.

To protect your privacy and security, we may take steps to verify your identity before complying with your request and we may decline your request if we are unable to verify your identity.

Under certain US data privacy laws, as well as in Brazil, you may also designate an authorized agent to make these requests on your behalf. 

These rights are not absolute, and may be denied: (a) when granting access or assisting portability would adversely affect the rights and freedoms of others; (b) to protect our rights and properties; (c) where the request is frivolous, vexatious, or abusive; or (d) as otherwise permitted by law.

VIII. ADDITIONAL PRIVACY NOTICES FOR RESIDENTS OF SPECIFIC JURISDICTIONS

A. If you are a United States Resident, you can learn more about how we use your information and your privacy rights, including rights provided to residents of certain states like California, by reviewing Appendix A: United States Privacy Notice. Any terms defined in the California Consumer Privacy Act (as amended) (“CCPA”) have the same meaning when used in the US Privacy Notice.

B. If you are a Brazilian Resident, you can learn more about how we use your information and your privacy rights by reviewing Appendix B: Brazil Privacy Notice. Any terms defined in the Brazil General Data Protection Law (“LGPD”) have the same meaning when used in the Brazil Privacy Notice.

IX. HOW TO CONTACT US WITH QUESTIONS

If you have questions or concerns regarding this Privacy Policy, or if you have a complaint, please reach out to us at Customer Support or at privacy@zerohash.com, or by writing to us at the address of your zerohash service provider, provided in Section XI.

X. CHANGES TO THIS PRIVACY POLICY

We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time as well. We post any changes we make to our Privacy Policy on this page and, where appropriate, we will provide you with reasonable notice of any material changes before they take effect or as otherwise required by law. The date the Privacy Policy was last updated is identified at the top of this page.

We may provide additional specific or immediate disclosures or information about how we collect or use your information in the context of specific Services; these in-product or supplemental notices may supplement or clarify our privacy practices or may provide you with additional information or choices about how we use your information.

XI. OUR RELATIONSHIP WITH YOU

A. If you reside in the EEA or Switzerland, zerohash europe B.V. acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the GDPR.

B. If you reside in the UK, Zero Hash LLC acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the UK GDPR.

C. If you reside in the United States or Canada, Zero Hash LLC or Zero Hash Trust Company LLC acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under applicable law.

D. If you reside in Australia or New Zealand, Zero Hash Australia Pty LTD acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under applicable law.

E.  If you reside in Brazil, Zero Hash Brazil Limitada acts as controller with respect of your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the LGPD.

F. If you reside in any other jurisdiction not other listed in this Section IX, Zero Hash LLC or Zero Hash Worldwide LTD acts as controller with respect to your personal information and has primary responsibility thereto, including with respect to providing you with information and responding to any requests you may make under the applicable law, including without limitation the Bermuda Personal Information Protection Act (PIPA).

APPENDIX A

United States Privacy Notice

Updated: December 31, 2025

This United States Privacy Notice (“Notice”) is for zerohash User or Customers living in the U.S., and clarifies or further describes how we collect, use, and disclose your personal information. This Notice supplements the zerohash Global Privacy Policy (“Privacy Policy”). For purposes of the Notice, the terms “personal information” and “sensitive personal information” encompass the terms “personal data” and “sensitive personal data” and have the meaning provided under applicable U.S. state privacy laws, including the California Privacy Rights Act of 2020 (“CCPA”).  Any capitalized terms not defined herein shall have the meaning provided in the Privacy Policy.

Continued Use. By continuing to use the zerohash Services, Apps, APIs, or SDKs, by accessing or using our websites, or by contacting us on our systems, you agree to this Privacy Policy.

Purpose for Collection and Disclosure of Personal Information. We’ve collected and disclosed the below categories for personal information to create, develop, operate, deliver, and improve our Services, to communicate with you, to ensure the safety, security and integrity of our Services, and for the business and commercial purposes outlined in Section II and Section III of the Privacy Policy. We do not collect, use, or disclose sensitive personal information for purposes other than those specified in this Privacy Policy, to provide the Services, or as permitted under applicable law. In addition, to the extent that zerohash de-identifies personal information, we take reasonable measures to maintain and use the information in a de-identified manner and do not make any attempts to re-identify such information, except as permitted under applicable law.

Collection and Disclosure of Personal Information.  We collect the below categories of personal information, and disclose the specified types of personal information below (as that data is further referenced and outlined in Section I of the Privacy Policy) with the following categories of third parties:

Collection and Disclosure of Sensitive Personal Information. We collect and disclose the following categories of sensitive personal information, with the following categories of third parties:

Sources of Personal Information. We gather various types of personal information from our customers and individuals who access or use our Services from a range of sources, such as:

• information you give us when you sign up for, or otherwise use our Services;
• information we receive from our Affiliates and third parties; and
• information we collect automatically through cookies and similar technologies (see our Cookie Policy for more information on this type of information).

Selling or Sharing of Personal Information. We do not sell your Personal Information.  We share (as that term is defined in the CCPA) identifiers with third party analytics providers or advertising partners, for analytics and advertising purposes.

We do not have actual knowledge that we sell or share the personal information of individuals under 16 years of age.

How Long We Retain Your Personal Information. We retain your information as needed to provide our Services, comply with legal obligations, or protect our or others’ interests. We decide how long we need information on a case-by-case basis.

• Here is what we consider:

  • When the information was collected or created,

  • Whether it is necessary in order to continue offering you our Services,

  • Whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance or other financial regulatory obligations, or information preservation requirements.

  • We also keep certain information where necessary to protect the safety, security and integrity of our Services, Customers, and Users.

Privacy Rights. Residents of specific states (e.g., California) have certain rights with respect to personal information collected and processed under state privacy laws.  You may exercise the following rights, subject to certain exceptions and limitations:

• Right to Know. You have a right to request the following information about our collection, use and disclosure of your personal information, and ask that we provide you with a copy of the following: 

  • categories of and specific pieces of personal information we have collected, sold, or shared about you; 

  • categories of sources from which we collect personal information; 

  • the business of commercial purposes for collecting personal information;

  • categories of third parties to whom the personal information was disclosed for a business purpose; and

  • categories of personal information disclosed about you for a business purpose.  

• Right to Correct. You have a right to request that we correct inaccurate personal information maintained about you. 

• Right to Delete. You have a right to request that we delete personal information, subject to certain exceptions. 

• Right to Opt Out. You have the right to opt out from the “sale” / “sharing” of your personal information, including the processing of your personal information for purposes of targeted advertising.

• Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

Exercising Your Rights. You may exercise your rights by contacting us at Customer Support or at privacy@zerohash.com. We may take steps to verify your identity before complying with your request to protect your privacy and security, and may decline your request if we are unable to verify your identity. To verify your identity, we may collect information such as your email address, government issued ID, or date of birth, before providing a substantive response to the request. 

Authorized Agent. Under certain U.S. state privacy laws, you may designate an authorized agent to exercise privacy rights on your behalf. To do so, you must: (1) provide that authorized agent written and signed permission to submit such a request; and (2) verify your own identity directly with us. Please note, we may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

Appeal. You have the right to appeal zerohash’s decision regarding a privacy right request.  In order to appeal a declined request, please email privacy@zerohash.com.

Questions. If you have questions or concerns regarding this Notice, or if you have a complaint, please contact us at Customer Support or at privacy@zerohash.com, or by writing to us at the address of your zerohash service provider (provided in Section XI of the Privacy Policy.

APPENDIX B

Brazil LGPD Notice

Updated: December 31, 2025

This Brazil LGPD Notice (“Notice”) is part of the zerohash Privacy Policy and is applicable to Customers, Users, or clients of zerohash Brazil Limitada (“zerohash” or “zerohash Brazil” herein this Section III), a limited company enrolled with the CNPJ No. 46.534.916/0001-22, with its head office at Avenida Brigadeiro Luis Antonio, 300, 10th floor, conjunto 104, in the city of São Paulo, state of São Paulo, CEP 01318-903, which is an affiliate of zerohash Holdings Ltd, a US based company. 

The purpose of this Notice is to illustrate zerohash's commitment to processing data in accordance with its responsibilities under the Law No. 13,709 of August 14th, 2018 - General Data Protection Law (“LGPD”). zerohash is committed to protecting the privacy and security of your personal data. The information you share with zerohash Brazil and its affiliates worldwide (the “zerohash Group”) allows zerohash to provide you the best experience with our products and services. zerohash has implemented a privacy program to protect all personal data collected and to help zerohash properly handle your personal data.

This Notice explains our specific privacy practices in Brazil. Please read this notice together with the zerohash Privacy Policy to understand how zerohash collects and uses your personal data. Should any terms conflict, the terms of this Notice shall control. Any capitalized terms not defined herein shall have the meaning provided in the Privacy Policy.

If you do not agree with the practices or policies described in this Notice or the zerohash Privacy Policy, we ask that you discontinue use of our website or other services. Likewise, both this Notice and zerohash Holdings Privacy Policy may change from time to time and your continued use will be deemed to be acceptance of such changes. 

Definitions

• Anonymization: Refers to the use of reasonable and available technical means at the time of the processing, through which the data loses the possibility of being directly or indirectly associated with an individual.
• Anonymized data: Data that went through the anonymization process, i.e., related to a data subject who can no longer be identified, considering the use of reasonable and available technical means at the time of the processing.
• ANPD: The National Data Protection Authority, which is the federal public administration body responsible for ensuring the protection of personal data and for regulating, implementing and supervising compliance with the LGPD in Brazil.
• Blocking: Temporary suspension of any processing operation, by means of retention of the personal data or the database
• Consent: Means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by an affirmative action, signifies agreement to the Processing of personal data relating to him or her.
• Controller: A natural person or legal entity, either public or private, that makes decisions about the processing of personal data.
• Data Protection Officer: A person named by the company to act as a channel of communication between the controller, the data subjects and the National Data Protection Authority (ANPD)
• Data subject: Means a natural person, such as an individual, a customer, a prospect, an employee, a contact person, etc, to whom the personal data that are the object of processing refer to.
• Database: Is a structured set of personal data, kept in one or several locations, in electronic or physical support.
• Deletion: Refers to the exclusion of data or a set of data stored in a database, irrespective of the procedure used.
• International transfer of data: Means the transfer of personal data to a foreign country or international organization of which the country is a member. Examples of activities with international data transfer: sharing a database between companies of the same economic group, storing data in data centers located abroad, hiring a cloud computing service provider, among others.
• Operator (or Processor): A natural person or legal entity, either public or private that processes personal data on behalf of the controller.
• Personal data: Any information relating to an identified or identifiable person (data subject).
• Processing: Covers any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, diffusion or extraction.
• Processing Agents: Refers to the controller and the operator (or processor).
• Research body/entity: Means a body or entity from the direct or indirect public administration or nonprofit legal entity of private law, legally organized under Brazilian law, with headquarters and jurisdiction in the Country. This body or entity includes in its institutional mission, in its corporate or statutory purposes basic or applied research of historical, scientific, technological or statistical nature.
• Sensitive personal data: Means the personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
• Shared use of data: Communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in compliance with their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or between private entities.
• Third Party means a natural or legal person, public authority, agency or body other than the data subject, controller, operator (or processor) who, under the direct authority of the controller or Processor, are authorized to process personal data.

LGPD Principles

zerohash will ensure that all activities of processing personal data are done in good faith and in accordance with the principles defined by the Article 6 of LGPD, as follows:

1. Purpose: processing of personal data needs to be done for a legitimate, specific and explicit purpose of which the data subject is informed, with no possibility of subsequent processing in a way incompatible with these purposes.
2. Adequacy: Personal data shall be processed in a manner that is compatible with the purposes informed to the data subject, in accordance with the context of the processing.
3. Necessity (data minimization): Processing of personal data must be limited to the minimum necessary to achieve its purposes, covering only relevant, proportional and non-excessive data in relation to the purposes for which they are processed.
4. Free access: Guarantee to data subjects an easy and free of charge consultation way about the form and duration of the processing, as well as the integrity of their personal data.
5. Quality of the data (accuracy): Guarantee to data subjects the accuracy, clarity, relevancy and updating of the data, according to the need and for achieving the purpose of the processing.
6. Transparency: Guarantee to data subjects a clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy.
7. Security: Use of technical and administrative measures to protect personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.
8. Prevention: Adoption of measures to prevent the occurrence of damages due to the processing of personal data.
9. Nondiscrimination: Processing of personal data can not be done for unlawful or abusive discriminatory purposes.
10. Accountability: The data processing has to demonstrate the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the effectiveness of such measures.

Lawful Purpose of Processing 

All data processed by zerohash will be done in accordance with the lawful bases provided by Article 5 of LGPD:

• With your consent¹. zerohash will seek consent before using your personal data for commercial purposes, especially when/if the processing involves sensitive personal data. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with your personal data.
• For compliance with legal or regulatory obligations by the controller.
• For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data.
• When necessary for the execution of a contract, agreement or preliminary procedures related to a contract of which you are a party³.
• For the regular exercise of rights in judicial, administrative or arbitration procedures.
• For the protection of life or physical safety of you or a third party, if applicable.
• When necessary to fulfill our legitimate interests controller or of a third party, except when your fundamental rights and liberties which require personal data protection prevail.¹
• For the protection of credit, including as provided in specific legislation.

¹ If we process information based on your consent, you may withdraw such consent at any time, through a free and facilitated procedure. Please contact the Data Protection Officer outlined below to withdraw your consent.

Where communications are sent to you based on your previous consent, the option to revoke your consent (unsubscribe) should be clearly available and systems should be in place to ensure such unsubscription is reflected accurately in zerohash’s systems.

² Note that zerohash gathers and processes personal data to fulfill its anti-money laundering and know your customer obligations, open and manage your account, and track and monitor account activity. Besides being a regulatory obligation, zerohash has determined these activities to be in its legitimate business interest. 

³ zerohash also processes your personal data in furtherance of the User Agreement you have entered with zerohash, including when onboarding you as a customer, funding your account, processing your orders, facilitating transactions, and processing withdrawals. zerohash may share your personal data between its affiliated entities, in Brazil or abroad, or with Third Parties, also both in Brazil or abroad, to facilitate these actions, which are necessary in furtherance of your agreement(s) with zerohash.

zerohash will take reasonable steps to ensure personal data is accurate, so that, where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date, in accordance with the principle of quality of data.

The Data We Collect

zerohash collects the data as described in the item “3. Personal Information We Collect About You” of the zerohash Privacy Policy, such as, but not limited to:

• Identifying Information, including names, government issued identification, Taxpayer ID number, passport numbers, birth dates, addresses, telephone number, e-mail address, occupation and all other background information necessary for AML/KYC requirements, including a copy of your ID.
• Financial Information, including bank account number(s), transaction history, net worth, account balances, assets and liabilities, wallet address.
• Account Authenticating Information, including hashed representations of account passwords, PINs, and account recovery information.
• Biometric information generated based on photos or videos you provide to verify your identity
• Technical data such as IP address and device fingerprinting.
• Compliance and reputational data, such as news and media search, sanctions and PEP screenings.

Personal Data does not include generic email address or general business information that is not linked to an individual.

How We Collect Your Data

We collect this personal information directly from you – from in person contact, telephone, text, email, text or messaging service, or via our website. However, we may also collect information::

• Automatically via our IT systems or automatic electronic record capture and retention methods (e.g., logs, system files, electronic usage trackers, or cookies)
• From publicly accessible sources (e.g., property records);
• Directly from a third party (e.g., sanctions screening providers, credit reporting agencies, or customer due diligence providers);
• From a third party with your consent (e.g., your bank or platform provider);

zerohash may also receive your data indirectly from vendors and third parties when conducting “know your customer” background checks or confirming the personal information you have provided. We only collect information that is reasonably necessary to fulfill the identified purpose. Although you access our services through an application provided by a platform based in Brazil, the data is processed in the United States given that Zero Hash Brazil is an affiliate of a US based company that uses the systems based in the US.

How We Will Use Your Data

zerohash will use your data:

• To properly identify you.
• To manage your account(s) with zerohash.
• To determine your eligibility for products and services and the products and services of companies with whom we are affiliated.
• To respond to questions, requests, or concerns regarding the products and services provided by zerohash.
• To process your orders related to the digital asset trading/custody/settlement/account servicing and related services contracted for.
• To communicate with you and email you with offers on other products and services we think you might like and inform you about the products and services we provide.
• To recruit for positions at zerohash.
• To investigate legal claims.
• To detect suspicious activities and protect against fraud, money laundering and other illicit activities.
• To administer zerohash websites and any zerohash software applications.
• For such purposes for which zerohash may obtain your consent from time to time.
• For such other uses as may be permitted or required by law.

Your data may also be anonymized or aggregated to enable zerohash to manage its business, develop statistical information, test our performance, or develop products. Anonymized and/or aggregated data will not identify you. zerohash does not sell your Personal Data or information.

Sharing Data With Third Parties

zerohash may share your Personal Data with Third Parties, both within your jurisdiction and abroad:

• To provide and support zerohash's products and services. For example, zerohash may submit your information to credit bureaus or KYC vendors for identification purposes.
• To comply with legal obligations, such as responding to regulatory or criminal investigations or mandatory reporting to our regulators.
• To protect you from fraud, abuse, or illegal activity. In such cases, zerohash may disclose your information to an appropriate governmental authority or next of kin to prevent illegal or fraudulent activity in your account.
• If, in our best judgment, we believe someone is seeking your information as your agent, with your consent, or if otherwise permitted by law.
• Any other situation or purpose for which zerohash obtains your consent to share, as described in the zerohash Privacy Policy.

Please note that Zero Hash Brazil, in accordance with LGPD and other Data Protection laws applicable to the Zero Hash Group, has the right to share your personal data without your consent with any national/federal, state, local and international legal, governmental and regulatory entities, authorities and officials in order to cooperate with any investigation or governmental, legal or regulatory proceeding relating to any information collected and/or website content or to any purported unlawful activities of any visitor.

How We Protect Your Data

zerohash has many processes and controls in place to protect your personal data. Controls include limiting access to private data and confidential information to authorized employees, service providers, representatives, or agents who have all been made aware of the importance of keeping your information confidential. That is, zerohash only allows access to confidential information on a need-to-know basis and appropriate security will be in place to avoid unauthorized sharing of information.

Additionally, zerohash uses safeguards that are consistent with the industry standard, including firewalls, data encryption, physical access controls, appropriate back-up and disaster recovery solutions. As stated above, Zero Hash Brazil is an affiliate of a US based company and may store your personal data both in Brazil and in the United States. Data transfers are carried out in accordance with applicable laws and regulations, and transfers to another jurisdiction will also be subject to the laws of the jurisdiction where the data is held.

In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, zerohash shall promptly assess the risk to people’s rights and freedoms and report the breach, if applicable, to the impacted individual(s) and the ANPD, within the deadline and format defined by the ANPD.

Retention and Deletion

According to LGPD, personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but the storage is authorized for the following purposes:

• Compliance with a legal or regulatory obligation by the controller.
• Study by a research entity, ensuring, whenever possible, the anonymization of the personal data.
• Transfer to third parties, provided that the requirements for data processing as provided in the Law are obeyed
• Exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.

To ensure that personal data is kept for no longer than necessary, zerohash adopts a records retention policy for each area in which personal data is processed and reviews this process periodically.

The records retention policy considers what data should/must be retained, for how long, and why. Your data is only retained for as long as reasonably necessary to fulfill the purpose for which it was collected. Your data will be destroyed or de-identified once no longer necessary or required to be stored by law. When personal data is deleted this must be done safely such that the data is irrecoverable.

Zero Hash Brazil is required by regulators to keep and maintain much of your personal data for prescribed periods from 5 (five) to 10 (ten) years, this last one to comply with AML requirements provided by the Central Bank of Brazil.

Some of your personal data may be deleted prior to the expiration of the above period, if such deletion is permitted by the local laws and regulations.

Marketing

zerohash would like to send you information about products and services of ours that we think you might like. If you have agreed to receive marketing, you may opt out at a later date.

You have the right at any time to stop zerohash from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, you can unsubscribe through the link available in the communication or submit a request to our data privacy officer through the email: privacy@zerohash.com.

Your Data Protection Rights

• Confirmation of the existence of treatment: In response to this request, we will inform you if we process your Personal Data or not. Note that, if you are an User of our website or any of our services, we necessarily process your Personal Data, as explained in this Notice and in the zerohash Privacy Policy.
• The right to access - You have the right to request, free of charge, a copy of your personal data that is processed by us.
• The right to rectification: If you consider that your personal data is incomplete, inaccurate or outdated, you can request the rectification, indicating what needs to be changed and why. It is possible that we request a proof or supporting document to make this change.
• The right to anonymization, blocking or erasure: If you consider that we are processing your Personal Data in an unnecessary and excessive manner or in breach of the LGPD, you can request that the Personal Data be anonymized, blocked or erased, under certain conditions.
• The right to data portability: You can request  the transfer of your Personal Data to another service or product supplier, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets. The portability does not include data that has already been anonymized.
• The right to deletion: You can request deletion of your personal data processed on the basis of your consent, except in the events of retention of Personal Data prescribed by law.
• The right to obtain information about: 
  • Public and private entities with which we share your Personal Data.
  • The possibility of denying consent and the consequences of such denial, when the consent is used as legal basis for processing of personal data.
• The right to Withdraw your consent: If your personal data is processed based on your consent, you can withdraw this consent. With that, any processing of your data that is made based on consent will be interrupted. Please note that we may not be able to offer our services or features of the services without your consent.
• Request the revision of decisions taken based on  automated processes: It is possible that decisions are taken based on automated processing of your Personal Data. You have the right to request the review of such decisions that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile.
• Right to lodge a complaint before the ANPD.

You can exercise your rights by submitting a request to privacy@zerohash.com.

Note that the rights above can be exercised exclusively by you or your legal representative, upon express request. So, before answering any request for exercise of the abovementioned rights, we can request that you provide us with some information and supporting documentation to confirm and validate your identity.

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. You may refuse to accept browser cookies by activating the appropriate setting on your browser. Check the cookies settings information available in the zerohash Privacy Policy.

For further information about cookies visit the ANPD Orientation Guide here.

Minors

In the event that our products or services are made available to minors and the processing of personal data of children and teenagers under the age of 18 years old is necessary, it will be necessarily carried out with the specific and prominent parental (or legal guardian) consent. Measures to verify and validate the parent’s or legal guardian identity will also be applied.

Changes to Our Privacy Policy

zerohash keeps this Notice and the Zero Hash Holdings Privacy Policy under regular review and will place any updates on this web page. Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates

Contact Information

Our Data Protection Officer is available through the email: privacy@zerohash.com  

Contact us if you have any questions or comments regarding this Notice, the zerohash Privacy Policy or our privacy practices.

You can find more information about the LGPD here.

APPENDIX C

International Transfers

Updated: December 31, 2025

To facilitate our global operations, zerohash, its Affiliates, third-party partners and service providers may transfer, store, and process your personal information throughout the world. Below is a list of geographic locations where your information may be transferred:

• Australia

• Argentina

• Bermuda

• Brazil

• Canada

• European Union

• New Zealand

• Philippines

• Switzerland

• United Kingdom

• United States