Last updated 11.06.2026
Question? privacy@zama.org
Data protection and data security are important to us. Your Personal Data is collected and processed in accordance with applicable laws and in accordance with this Privacy Notice.
We invite you to read this document (the "Privacy Notice") carefully. If you have any questions about our Privacy Notice and, in general, about the collection and processing of your Personal Data in relation to the Super App available at app.zama.org (the "App"), please do not hesitate to contact us at: privacy@zama.org
Scope
This Privacy Notice governs and details the main principles that apply to the Personal Data collected and processed in relation to the App.
The purpose of this Privacy Notice is to provide you with all the important information and explanations about how and why some of your Personal Data may be collected and processed when you use the App.
This Privacy Notice also aims to remind you about your data protection rights and to provide you with all the elements you need to exercise them.
This Privacy Notice does not apply to any products, services, websites, or content that are offered by third parties or that have their own privacy notice, including in particular the Wert fiat onramp, Privy, Elliptic, and the Zama corporate website (zama.org), which is governed by a separate privacy policy.
Important Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that identifies the person directly (e.g. a name, an identification number) or indirectly (e.g. an IP address or a wallet address in context).
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, disclosure by transmission, etc.
"Controller" means an entity that determines the purposes and means of Processing.
"Processor" means an entity that processes Personal Data on behalf of and on the instructions of the Controller.
How Your Personal Data is Collected and Processed?
Data arising automatically from your use of the App:
Why Your Personal Data is Collected and Processed?
When you use the App, some of your Personal Data is collected and processed for the following purposes and on the following legal bases:
Your wallet address and IP address are processed to authenticate your session, enable App functionality, and operate the App's technical infrastructure. Legal basis: performance of contract (nFADP Art. 31(1)(b) / GDPR Art. 6(1)(b)) and legitimate interest (nFADP Art. 31(1)(e) / GDPR Art. 6(1)(f)).
We use GA4 to collect anonymised aggregate usage data to understand how the App is used and to improve its features. No wallet addresses or financial data are included. Legal basis: your consent (nFADP Art. 31(1)(a) / GDPR Art. 6(1)(a)) collected via the cookie consent banner.
Sentry is used for error tracking and diagnostic purposes. Wallet addresses and amounts are excluded. Legal basis: legitimate interest (nFADP Art. 31(1)(e) / GDPR Art. 6(1)(f)).
Privy logs wallet address and session timestamp data, which may be used to identify and assist with support requests. Legal basis: legitimate interest (nFADP Art. 31(1)(e) / GDPR Art. 6(1)(f)).
Elliptic performs Know Your Transaction (KYT) screening using wallet addresses and transaction data to detect and prevent financial crime, including sanctions evasion and money laundering. Legal basis: legal obligation (applicable anti-money laundering regulations) and legitimate interest (nFADP Art. 31(1)(c)(e) / GDPR Art. 6(1)(c) and 6(1)(f)).
Your information is processed to handle and respond to your data protection rights requests. Legal basis: compliance with a legal obligation (nFADP Art. 25 / GDPR Art. 6(1)(c)).
Who Are the Recipients of Your Personal Data?
For How Long Is Your Personal Data Stored?
Your Personal Data is retained only for as long as strictly necessary for the purposes declared above, and in any event within the limits imposed by applicable law:
At the end of the relevant retention periods, we undertake to delete or anonymise your Personal Data from our systems, subject to any overriding legal, accounting, or tax obligations.
Are Your Personal Data Transferred Across Borders?
Several of our sub processors are based in the United States or the United Kingdom, so cross-border transfers of personal data are required.
In such cases, that appropriate safeguards are in place. The standard mechanism is the adoption of Standard Contractual Clauses (SCCs) as adopted by the European Commission (2021 version), supplemented, where required, by a Transfer Impact Assessment.
Transfers to the United States (Privy, Vercel, Google LLC, Sentry, Goldsky): governed by Standard Contractual Clauses and the applicable Data Processing Agreements with each provider.
Transfers to the United Kingdom (Elliptic): the UK is recognised as providing an adequate level of protection. Transfers may also be governed by the UK International Data Transfer Addendum (IDTA) where applicable.
Intra-group transfers: appropriate intra-group data sharing arrangements are in place.
How Your Personal Data is Protected?
To prevent unauthorised access, disclosure, modification, damage, or destruction, the appropriate technical and organisational security measures are implemented, including:
Children's Privacy
The App is not directed at individuals under the age of 18. We do not knowingly collect Personal Data from minors. If you believe that we have inadvertently collected Personal Data relating to a child, please contact us at privacy@zama.org and we will promptly delete such data.
Cookies
When you use the App, cookies and similar tracking technologies may be placed on your device, subject to your choices. We use the following categories of cookies:
A full cookie consent banner is deployed on the App, allowing you to accept all cookies, refuse all non-essential cookies, or manage your preferences by category. You may change your preferences at any time via the Cookie Settings link available in the App.
For users located in the United States, a "Do Not Sell or Share My Personal Information" link is permanently displayed in the footer of the App. Clicking this link opens the cookie preferences panel where you may opt out of analytics cookies. If your browser or device sends a Global Privacy Control (GPC) signal, we will automatically treat this as an opt-out from the sharing of your personal data, without any further action required from you. Opt-out requests are processed within 15 business days. For more information on your rights as a United States user, see the Additional information for specific jurisdictions section below.
What Are Your Rights and How Can You Contact Us?
Regarding your use of the App, you have the following rights under the conditions provided for in the applicable regulations:
Additional information for specific jurisdictions:
If you are located in Switzerland: the Swiss Federal Act on Data Protection (nFADP/DSG) applies. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
If you are located in the European Economic Area (EEA): the GDPR also applies. You may lodge a complaint with the supervisory authority of the EU Member State of your habitual residence or place of work.
If you are located in the United Kingdom: the UK GDPR applies. You may lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.
If you are located in the United States (California): the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), applies. California residents have the right to know what personal data we collect and how it is used, to request deletion or correction of their personal data, and to opt out of the "sale" or "sharing" of personal data. We do not sell personal data for monetary consideration; however, our use of Google Analytics 4 may constitute "sharing" for cross-context behavioural advertising purposes under the CCPA/CPRA. To opt out, click the "Do Not Sell or Share My Personal Information" link in the persistent footer of the App, or enable a Global Privacy Control (GPC) signal in your browser or device (honoured automatically, with no further action required). You also have the right not to be discriminated against for exercising these rights. Opt-out requests are processed within 15 business days of receipt. The supervisory authority is the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
If you are located in Brazil: the Lei Geral de Proteção de Dados Pessoais (LGPD) applies. You have the right to confirm the existence of processing, and to access, correct, delete, port, or object to the processing of your personal data. You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.
If you are located in Canada (Québec): Québec’s Act respecting the protection of personal information in the private sector (Law 25) applies to residents of Québec. You have the right to access, correct, and request the deletion of your personal data, and to withdraw your consent at any time. You may lodge a complaint with the Commission d’accès à l’information (CAI) at www.cai.gouv.qc.ca.
You can exercise your rights by email at privacy@zama.org, specifying the right you wish to exercise and attaching proof of your identity if requested.
If you exercise these rights, we will endeavour to respond to your request as soon as possible.
Changes to This Privacy Notice
This Privacy Notice will be updated when processing activities change or when required by applicable law. Material changes will be communicated via an in-App notice. We recommend checking this Privacy Notice periodically. The version date at the top of this document indicates when the Privacy Notice was last updated.
Contact
For any questions or requests regarding this Privacy Notice or the processing of your Personal Data, please contact us at:
Email: privacy@zama.org
Protocol
Solutions
ECOSYSTEM
Resources
community
company
.svg)
.svg){kind=icon}