Privacy Policy

Last Updated: September 25, 2025

This Privacy Policy (the “Policy”) explains how Ostium Foundation (“Foundation”) and Ostium Labs Co. (the “Company” and with Foundation, “we”, “us” or “our”), may collect, use, process, and disclose information in connection with the tools and services available via ostium.com (the “Site”), app.ostium.com (the “App”), the mobile application (the "Mobile App"), the bot available via Telegram @ostiumbot (the “Bot” and together with the Site, the App, any other website, application programming interface (“API”), code repository or other attendant tooling, information, services or technology, the “Services”) that we host.

Your use of the Services is subject to this Policy, and the Terms of Service available on Site.

This Policy does not apply to any products, services, websites, or content offered or provided by third parties and we are not responsible in any way for those third party offerings; please review any separate privacy policies or terms made available by those third parties.

We may update this Policy from time to time. If we make any changes, we will change the Last Updated date above. Any modifications to this Policy will be effective upon our posting of the updated Policy. In all cases, your continued use of the Services following the posting of any updated Policy indicates your acceptance of the updated Policy.

1. Data We Collect

We may collect certain personal information when you use, access or otherwise interact with the Services, including:

● Internet Protocol (“IP”) addresses and other location information

● Publicly available blockchain data, including time stamps and number of packets sent

● Blockchain account information or wallet addresses, including signer and auth pubkeys as well as transaction signatures

● Device user agent, client library version

● Analytics about your login session, including but not limited to device and/or browser type, geolocation, access activity, and referring domain

● Any information you voluntarily provide to us or third parties with whom we are partnered, including but not limited to email addresses or other social sign-in information

● Any information about you provided to us by third parties with whom we work (including contractors, service providers and analytics providers)

All or any of this information may be combined with other information we collect or that you provide. We may also obtain information about you through our analysis of blockchain information.

We may integrate technologies operated or controlled by other parties into parts of the Services. Please note that when you interact with these other parties, those parties may independently collect information about you and solicit information from you. You can learn more about how those parties collect and use your data by consulting their privacy policies and other terms.

Note that you are responsible for all of your use of or access to the Services, including the security of your blockchain network addresses, cryptocurrency wallets, and their cryptographic keys.

1. Use of Information

We use your information for various business and administrative purposes, such as:

● Provide, maintain, support and improve the Services, communicate with you about and respond to inquiries regarding the Services and respond to your feedback about the Services;

● Detect, investigate and prevent fraudulent, abusive or harmful activities, including detecting potential security incidents;

● Analyze usage trends to permit access to the Services;

● Ensure internal quality control and safety;

● Take certain actions that you have asked us to and provided consent for us to take;

● Enforce this Policy, the Terms and/or other policies or terms;

● Comply with any legal or regulation obligations, including in the event we have a legal obligation to collect, use or retain information about you or comply with legal requests from government authorities or in private suits

You agree and acknowledge that we may use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law.

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

We may use personal information to create de-identified and/or aggregated information, such as demographic information, information about the device from which you access the Services, or other analyses we create.

1. Sharing Information

We may share or disclose the data we collect, including your personal information:

● To third parties as needed for the provision of the Services, including those third-party service providers and vendors that support the Services for functions such as IT support, hosting, and related services

● Via APIs and/or software development kits (“SDKs”) as part of the functionality of the Services

● When we believe providing such information is necessary to comply with law, and other agreements with you, or protect the rights, property, or security of Ostium, our agents and employees or users, including sharing information with other organizations for fraud prevention and detection purposes

● With business partners if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider

We do not sell your information or other data about the Services for marketing purposes.

1. Location of Information

Please be aware that data and information collected via the Services may be processed, stored, and used in the United States as well as any other jurisdiction in the world. Data protection laws in the United States may be different from those of your country of residence. Your use of the Services or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of information about you in the United States and other jurisdictions as set out in this Policy.

Note that the data protection laws that apply to you in your jurisdiction may be different from the laws that govern your data as collected, stored, processed and transferred as part of your use of or access to the Services.

1. Retention of Information

We store the data and information we collect as described in this Policy for different periods of time — in some instances, only for a matter of days and in others for as long as you use the Services, or as necessary to fulfill the purpose(s) for which it was collected, provide the Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

To determine the appropriate retention period for personal information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, certain risk factors, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.

1. Access, Deletion, Choice

If you need to update or delete certain information about you or your interactions with the Services, you can contact us for assistance at privacy@ostium.io.

You may have choices about the collection and use of information about you. You can choose not to provide certain information, but then you might not be able to use the Services.

If you do not want to receive messages from us about the Services or other matters related to the Company and its technology, please adjust your communication preferences.

In accordance with applicable law, you may have the right to:

● Confirm whether we are processing your personal information;

● Access and port your personal information, including: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine readable format (also known as the “right of data portability”);

● Request:

○ Correction of your personal information where it is inaccurate or incomplete;

○ Deletion of your personal information;

○ To opt-out of certain processing activities, including, as applicable, if we process your personal information for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws), if we “sell” your personal information (as “sell” is defined by applicable privacy laws), or if we engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws);

○ Restriction of or object to our processing of your personal information;

● Withdraw your consent to our processing of your personal information. Please note that your withdrawal will only take effect for future processing, and will not affect the lawfulness of processing before the withdrawal; and

● Appeal any decision to decline to process your request.

For additional information related to choices on data privacy in certain jurisdictions, please see Section 9 below.

If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.

1. Children’s Information

The Services are intended for general users who are 18 years of age or older, and are in no way directed at children. We do not knowingly collect personal information from children. If you believe such information has been collected in error, please email privacy@ostium.io to notify us of this.

1. Notices

If you have any questions about this Policy, please contact us at privacy@ostium.io..

If you interact with the Services on behalf of or through your organization, then your information may also be subject to your organization’s privacy practices and you should direct privacy inquiries to your organization.

1. Additional Information for Certain Jurisdictions

California

If you are a California resident, you have certain additional rights with respect to personal information about you under the California Consumer Privacy Act of 2018 (“CCPA”).

We are required to inform you of:

● What categories of information we may collect about you, including during the preceding 12 months;

● The purposes for which we may use your personal information, including during the preceding 12 months;

● The purposes of which we may share your personal information, including during the preceding 12 months;

● In the preceding 12 months, we have not sold any personal information of consumers.

You have the right to request to know: (i) the categories of personal information we have collected about you in the last 12 months; (ii) the specific pieces of personal information we have about you; (iii) the categories of sources from which that personal information was collected; (iv) the categories of your personal information that we sold or disclosed in the last 12 months, if applicable; (v) the categories of third parties to whom your personal information was sold or disclosed in the last 12 months; and (vi) the purpose for collecting and selling your personal information, if applicable. These rights are subject to limitations as described in the relevant law. We may deny your request if we need to do so to comply with our legal rights or obligations.

We will not discriminate against any user for exercising their CCPA rights.

You may exercise these rights yourself or you may designate an authorized agent to make these requests on your behalf. To protect your information, we may need to verify your identity before processing your request, including by collecting additional information to verify your identity, such as government issued identification documents. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected personal information. We will only use the personal information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose. When we verify your agent’s request, we may verify your identity and request a signed document from your agent that authorizes your agent to make the request on your behalf. To protect your personal information, we reserve the right to deny a request from an agent who does not submit proof that they have been authorized by you to act on their behalf.

If you would like to exercise any of these rights, please contact us at team@ostium.io.

European Economic Area, the United Kingdom, and Switzerland

If you are a data subject in the European Economic Area, the United Kingdom, or Switzerland, you have certain rights with respect to your personal data pursuant to the General Data Protection Regulation of the European Union (“GDPR”) and similar laws. This section applies to you.

References to “personal information” in this Policy are equivalent to “personal data” as defined under GDPR.

We process your personal data as necessary and in reliance on the legal bases below, in order to:

● Provide access to and improve the Services;

● Comply with applicable laws and our legal obligations, and prevent fraud;

● Ensure safety and security of your data, the Services and the Company;

● Send communications, or for research or analytics; and

● Comply with your consent, which may be withdrawn at any time by communicating your withdrawal to us.

You may: (a) ask whether we have any personal data about you and request a copy of such personal data; (b) request that we update or correct inaccuracies in your personal data; (c) request that we delete your personal data; (d) request a portable copy of your personal data; (e) request that we restrict the processing of your personal data if such processing is inappropriate; and (f) object to our processing of your personal data. These rights are subject to applicable law.

If you would like to exercise any of these rights, please contact us. To protect your information, we may need to verify your identity before processing your request, including by collecting additional information about your identity, such as government issued identification documents.

If your personal information is subject to the applicable data protection laws of the European Economic Area, Switzerland, or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority or attorney general if you believe our processing of your personal information violates applicable law.

1. Contact Us

If you have any questions about this Policy or how we collect, use, or share your information, please contact us at team@ostium.io.