ChainATM Privacy Policy

1. WHO IS RESPONSIBLE (CONTROLLER)

The controller for the processing described here is:

• Noctra GmbH
• Schaanerstrasse 27, 9490 Vaduz, Liechtenstein
• Email: contact@noctra-labs.com

For any privacy question or to exercise your rights, contact us at contact@noctra-labs.com. We have not appointed a Data Protection Officer, as we are not legally required to do so.

2. WHAT CHAINATM DOES, IN SHORT

ChainATM is non-custodial software: an AI assistant that helps you operate your own self-custodial crypto wallet using plain language. A few points that shape how we handle data:

• We never have access to your private keys or recovery phrase. Keys are created and held inside your device's secure hardware (Secure Enclave / Android Keystore) or inside our wallet provider's secure infrastructure, and signing happens on your device.
• We never hold your money. Fiat purchases and the identity checks (KYC) that go with them are carried out by licensed payment partners, not by us. See our Legal & Licensing page.
• We do not use advertising identifiers, we do not run cross-app tracking, and we do not sell your personal data.

3. INFORMATION WE COLLECT

3.1 Account and identity data

• Email address and display name, where you provide them.
• Authentication data: how you sign in (for example email/passwordless, Apple or Google sign-in, an external wallet, or a passkey) and the identifiers our authentication provider returns. We never store passwords or private keys.
• Linked accounts: the type and identifier of any external login or wallet you connect.

3.2 Wallet and blockchain data

• Wallet addresses (for example Ethereum/EVM and Solana addresses) associated with your account.
• Transaction data: records and metadata of crypto actions you prepare or carry out through the Service, such as asset, amount, network, and timestamps. Completed transactions are also recorded publicly on the relevant blockchain, which is outside our control.
• Portfolio context: token balances read from your wallet. A summarised, sanitised version may be sent transiently to the AI assistant so it can answer your question (see section 5).

3.3 AI chat content

• The messages you send to the AI assistant, the assistant's replies, any feedback you give on a reply, and your display currency and language so answers are localised.

3.4 Purchases, credits, and referrals

• Credit and subscription data: your credit balance and credit history, and, for subscriptions, the platform (for example Apple), transaction identifiers, and renewal/expiry status. Purchases are processed by the app store; we do not receive your full payment card details.
• Referral data: your referral code and, if you take part, the link between referrer and referred accounts.

3.5 Device, usage, and location data

• Technical and usage data: device type, operating system, app version, IP address, access timestamps, log data, and in-app events (for example app opened, message sent, quote received). In-app events are stripped of sensitive fields such as addresses, amounts, emails, and keys before being recorded.
• Approximate location: a country and (in some countries) region, derived from your IP address and your device locale or a country you declare. We use this only to determine where the Service and its regulated features may lawfully be offered.
• Push notification token, if you turn on notifications, plus your notification preferences.

3.6 Support and diagnostics

• Support communications when you contact us.
• Crash and error diagnostics from our error-reporting tool. These are filtered before transmission so that private keys, authentication tokens, email addresses, and full wallet addresses are masked.

What we never collect: your private keys or recovery phrase, your full payment card number, and advertising identifiers (IDFA). The iOS app does not present an App Tracking Transparency prompt because it does not track you across other companies' apps and websites.

4. HOW WE USE YOUR DATA AND OUR LEGAL BASES

We process your personal data for the purposes below, each on the legal basis stated.

• To provide the Service: creating and securing your account, connecting or creating your wallet, running the AI assistant, preparing the transactions you ask for, and managing credits. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• To process purchases, subscriptions, and referrals and to keep the related accounting records. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c), for example accounting and tax retention).
• To meet regulatory and eligibility requirements, including checking where the Service and its on/off-ramp features may be offered. Legal basis: compliance with a legal obligation (Art. 6(1)(c)) and our legitimate interest in offering the Service lawfully (Art. 6(1)(f)).
• To keep the Service secure: preventing fraud and abuse, debugging, and diagnosing crashes. Legal basis: our legitimate interest in a secure, reliable Service (Art. 6(1)(f)).
• To understand and improve the Service using aggregated, de-identified product analytics. Legal basis: our legitimate interest in improving the Service (Art. 6(1)(f)), or your consent where required.
• To send notifications you have enabled, and any marketing updates. Legal basis: your consent (Art. 6(1)(a)), which you can withdraw at any time; security and transaction alerts may instead rely on Art. 6(1)(b) or (f).
• To handle your requests and legal claims. Legal basis: our legitimate interest, or compliance with a legal obligation, as applicable (Art. 6(1)(f) / (c)).

Where we rely on legitimate interests, you have the right to object (see section 9).

5. THE AI ASSISTANT

The AI assistant is powered by third-party large language models. By default we use Google's Gemini models; we may use Anthropic's Claude models as an alternative. When you send a message, we transmit to the model provider your message, the relevant chat history, a sanitised summary of your portfolio so the answer is useful, and your language and currency preferences. We instruct these providers to act as our processors and not to use your content to train their models.

The assistant can interpret your instruction and propose an action (for example a buy, swap, or transfer). It does not execute anything by itself and does not take decisions that produce legal or similarly significant effects on you without your involvement: you review every action and sign it yourself with your own wallet. The eligibility check described in section 4 is an automated rule applied to meet legal requirements; if you believe a result is wrong, contact us and we will look into it.

6. WHO WE SHARE INFORMATION WITH

We do not sell your personal data. We share it only with the categories of recipients below, and only as needed for the purposes above. Most are processors acting on our instructions; some (such as payment and on/off-ramp partners) act as independent controllers for their own regulated services and apply their own privacy policies.

• Authentication and wallet infrastructure (Privy): account authentication and embedded wallet creation. Private keys are held in secure hardware and are not accessible to us in usable form.
• AI model providers (Google; Anthropic where enabled): to generate assistant responses, as described in section 5.
• Fiat on/off-ramp and payment partners (such as Coinbase, Transak, and MoonPay): to process fiat-to-crypto purchases and crypto-to-fiat sales, including the identity verification (KYC) those services require. These partners are the controllers for that regulated processing.
• App stores (Apple): to process in-app purchases and subscriptions and to deliver push notifications.
• Blockchain data and connectivity providers (such as Infura, Moralis, Helius, and LI.FI): to read balances, fetch transaction data, and route on-chain actions. These process wallet addresses, which are public on-chain identifiers.
• Push delivery (Expo): to deliver the notifications you enable.
• Error and crash diagnostics (Sentry): to detect and fix faults, with personal data masked as described above.
• Hosting and email (Railway for our backend and database; Resend for transactional email): to operate the Service and contact you.
• Authorities and advisers: where we are required to disclose data by law, or to establish, exercise, or defend legal claims.
• In a business transfer: if we are involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

7. INTERNATIONAL DATA TRANSFERS

We are based in Liechtenstein (part of the EEA). Some of the providers above are located outside the EEA, in particular in the United States. Where we transfer personal data to such providers, we rely on an appropriate safeguard under the GDPR, namely the EU Standard Contractual Clauses and/or the providers' certification under the EU-US Data Privacy Framework, together with supplementary measures where needed. You can ask us for more detail using the contact above.

8. HOW LONG WE KEEP YOUR DATA

We keep personal data only for as long as needed for the purpose it was collected for, then delete or anonymise it. In particular:

• Account, wallet, and chat data: for as long as your account is active. You can delete individual chats, and when you close your account we delete or anonymise your account data within a reasonable period, unless we must keep it longer by law.
• Purchase, subscription, and accounting records: for the retention periods required by applicable accounting and tax law.
• Compliance and eligibility records: for as long as needed to evidence lawful provision of the Service.
• Crash and error diagnostics: for a limited period, typically up to 90 days.
• Push tokens: until you disable notifications, uninstall the app, or the token expires.
• Product analytics: kept in aggregated or de-identified form.

9. YOUR RIGHTS

Under the GDPR you have the right to:

• Access the personal data we hold about you and obtain a copy.
• Rectification of inaccurate or incomplete data.
• Erasure of your data in the circumstances the law provides.
• Restriction of processing in certain cases.
• Data portability: receive data you provided in a structured, commonly used, machine-readable format.
• Object to processing based on our legitimate interests, on grounds relating to your situation, and to object to direct marketing at any time.
• Withdraw consent at any time, where we rely on consent. Withdrawal does not affect processing carried out before the withdrawal.

To exercise any of these rights, contact contact@noctra-labs.com. We may need to verify your identity first. We will respond within the time limits set by the GDPR.

You also have the right to lodge a complaint with a supervisory authority. Our competent authority is the Datenschutzstelle Liechtenstein (Städtle 38, 9490 Vaduz, Liechtenstein; datenschutzstelle.li). If you are in the EU/EEA, you may also complain to the supervisory authority in your country of residence.

10. CHILDREN'S PRIVACY

The Service is intended for adults and is not directed to anyone under 18. We do not knowingly collect personal data from children under 18. If we learn that we have, we will delete it.

11. COOKIES AND TRACKING

Our website uses Vercel Analytics, which measures aggregate usage without cookies and without tracking you across other sites. We do not use advertising or cross-site tracking cookies. Our mobile app does not use advertising identifiers and does not track you across other companies' apps and websites. We use only the on-device storage necessary to run the app (for example to keep you signed in and cache data).

12. THIRD-PARTY LINKS AND SERVICES

The Service may link to or interact with third-party websites and services that we do not control. This Privacy Policy does not cover their practices, and we are not responsible for them. Please review their privacy policies.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will post the updated version here and change the "Last Updated" date. For significant changes we will provide a more prominent notice where appropriate.

14. CONTACT US

If you have any question about this Privacy Policy or how we handle your data:

• By email: contact@noctra-labs.com
• By mail: Noctra GmbH, Schaanerstrasse 27, 9490 Vaduz, Liechtenstein