Privacy Policy

Last Updated: September 14, 2025

This Privacy Policy explains how Ord.io, Inc. ("Ord.io," "Zap," "we," "our," or "us") collects, uses, shares, and safeguards information in connection with the Zap mobile app, websites, dashboards, and related services that link to this Policy (collectively, the "Services"). By using the Services, you agree to the practices described here.

Quick note on blockchain data: Public blockchains (like Solana) are by design transparent. Wallet addresses, balances, and transactions are public and may be analyzed by anyone, including us and our service providers. This Policy governs our handling of information off-chain and any off-chain associations with that public data.

1) Information We Collect

1.1 Information you provide directly

Depending on how you use the Services, you may provide:

• Contact details (e.g., name, email, phone).
• Account profile data (e.g., username/handle, referral code, preferences).
• Support communications (e.g., messages you send us via email or in-app chat).
• KYC/verification data (if ever required by law for certain features; we'll ask only if necessary and will disclose any additional terms at that time).
• Marketing preferences (opt-in/opt-out selections).

1.2 Information we receive automatically

When you access the Services, we (and our service providers) automatically collect:

• Device & network data (IP address, device identifiers, OS and app version, language, time zone, mobile network, crash logs).
• Usage data (pages/screens viewed, taps/clicks, session duration, referral source, performance metrics).
• Telemetry & diagnostics (to improve reliability, prevent fraud/abuse, and measure app performance).

1.3 Wallet & blockchain-related information

• Wallet address(es) you connect or create, token holdings as visible on-chain, transaction hashes, and other public on-chain interactions (e.g., DEX interactions) associated with your wallet address.
• We may associate your wallet address with your account or contact details off-chain (for example, to show portfolio information, to calculate fees, to provide support, to investigate fraud/abuse, or to comply with law).

1.4 Information from third parties

• Service providers and partners (e.g., analytics, crash reporting, on-ramp/off-ramp partners, notifications, cloud hosting).
• Public sources (e.g., public block explorers, social profiles you choose to link).
• Single sign-on / social login (if offered and you choose to use it, we receive info permitted by that platform's settings).

2) Cookies, SDKs & Similar Technologies

We use:

• Cookies / local storage on our websites to remember settings and improve performance.
• Mobile SDKs in our apps for analytics, attribution, crash reporting, A/B testing, fraud prevention, and messaging.
• Pixels / beacons in emails to understand aggregate engagement (you can disable remote images in your email client to limit this).

You can control cookies in your browser settings and limit certain SDK tracking in your device settings; some features may not work without these technologies.

3) How We Use Information

We use personal information to:

• Provide and operate the Services (including account setup, wallet connections, fee calculations, transaction routing UI, notifications, and support).
• Personalize & improve features (e.g., show relevant tokens, save preferences, streamline flows).
• Measure performance & analytics (usage trends, product decisions, debugging, crash resolution).
• Communicate with you (service announcements, security alerts, support replies, product updates, and—if you opt in—marketing).
• Protect the Services and our users (fraud and abuse detection, sanctions screening, risk scoring, incident response).
• Comply with legal obligations (court orders, lawful requests, regulatory requirements).
• Create aggregated/de-identified data for analytics, research, and business purposes.

We do not sell your personal information for money. Like many apps, we may use analytics/measurement and (if used) advertising technologies that some state laws define as a "sale" or "share"—see State Privacy Rights for opt-out options.

4) How We Share Information

We may share information with:

• Service providers who help us run the Services (cloud hosting, analytics, crash reporting, customer support, communications, notifications, payment/settlement partners for USDC fee collection, etc.). These providers are bound by contract to use data only to provide services to us.
• Wallet/embedded-wallet & integration partners you choose to use (your use is governed by their terms/policies).
• On-ramp/off-ramp or payment partners (if you use those features). They may require information to process payments, comply with law, or mitigate fraud.
• Affiliates (controlled entities) consistent with this Policy.
• Professional advisors (lawyers, auditors, insurers) under confidentiality.
• Authorities, law enforcement, and third parties if we believe disclosure is necessary to comply with law, enforce our Terms, protect rights/safety, or respond to lawful process.
• Business transfers (merger, acquisition, financing, or sale of assets). Information may be transferred as part of the transaction, subject to this Policy.
• Other users/the public: public blockchain data is inherently visible; if you choose to post content or a public profile, that content may be visible to others.

We do not control (and are not responsible for) how Third-Party Services handle your data. Review their privacy policies before use.

5) Special Notes About Your Zap Experience

5.1 Self-custody & public blockchains

Zap is non-custodial. You control your wallet and keys. Your on-chain activity (including fees paid via our gasless experience) may be visible publicly and can be linked by others to your wallet address.

5.2 USDC fee collection & disclosures

Zap collects certain fees in USDC (see Terms of Service for details) and uses that USDC to pay SOL for network actions on your behalf. We record the fact of fee payments (amount, timestamp, transaction metadata) and may associate them with your account and wallet for support, compliance, and accounting.

5.3 Bridged/wrapped assets

If you view or trade wrapped/bridged assets on Solana through Zap, we may display third-party metadata to help you understand what you're interacting with. That metadata may be wrong, stale, or incomplete. Our use of such metadata is informational only.

6) Your Choices

• Account & profile: You can review/update certain account details in the app or by contacting support.
• Marketing emails: You can unsubscribe via the link in the email or contact us. You will still receive transactional/security messages.
• Cookies/SDKs: Use browser settings to block cookies; use device settings to limit ad identifiers or background data. Some features may degrade.
• Do Not Track (DNT): We currently do not respond to DNT signals because no standardized response exists.
• Delete account: Use the in-app account deletion (if available) or contact support. We may retain certain data as required by law or for legitimate business purposes (see Retention).

7) Data Security

We use administrative, technical, and physical safeguards designed to protect personal information. That said, no system is 100% secure. You are responsible for securing your devices, wallets, keys, and recovery materials.

8) Data Retention

We retain personal information for as long as needed to provide the Services and for legitimate business or legal purposes (e.g., security, fraud prevention, accounting, dispute resolution, required recordkeeping). Where feasible, we de-identify or aggregate data and will delete or de-identify data when no longer needed.

9) Children's Privacy

The Services are not directed to or intended for children under 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it as required by law.

10) International Data Transfers

We are headquartered in the United States and may use providers in other countries. Laws in those countries may differ from those in your jurisdiction. Where required, we implement appropriate safeguards for international transfers.

11) State Privacy Rights (U.S.)

Depending on where you live (e.g., California, Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws), you may have some or all of the following rights, subject to legal limits and verification:

• Right to know/access what personal information we collect, use, and disclose.
• Right to delete personal information we collected from you.
• Right to correct inaccuracies.
• Right to data portability (receive a copy in a usable format).
• Right to opt out of (i) targeted advertising; (ii) "selling" or "sharing" personal information as defined by law; and (iii) certain profiling.
• Right to appeal a denial of your request (where applicable).
• Non-discrimination for exercising your rights.

How to exercise: Email legal@zap.app or support@zap.app with your request and sufficient information to verify your identity (and residency). If applicable, you may authorize an agent to submit a request on your behalf; we may require proof of authorization and identity verification.

Targeted advertising / "sale" or "sharing" opt-outs: While we don't sell personal information for money, we may use analytics/measurement or ad tech that some state laws deem a "sale" or "share." You can opt out by:

• Adjusting your device ad settings (reset/limit ad ID).
• Using browser settings or privacy tools to limit third-party cookies.
• Contacting us at legal@zap.app and requesting an opt-out.

California "Shine the Light" (Civ. Code §1798.83): California residents may request information about our disclosures for direct marketing in the prior calendar year by emailing legal@zap.app with "Shine the Light Request," your name, and mailing address. We may ask for additional info to verify your residency.

12) Notice to European Users (EEA/UK/Switzerland)

Controller. Ord.io, Inc. is the controller of personal data processed under this Policy.

Legal bases. We process personal data on these bases:

• Contractual necessity (to provide the Services you request).
• Legitimate interests (e.g., to secure, analyze, improve, prevent fraud/abuse, support customers, and personalize experiences) balanced against your rights and freedoms.
• Consent (e.g., for certain cookies/SDKs or marketing where required). You can withdraw consent at any time.
• Compliance with legal obligations (e.g., responding to lawful requests, sanctions screening where applicable).

Your rights. Subject to legal limits, you may have the right to request access, rectification, erasure, restriction, portability, and to object (including to processing based on legitimate interests and to direct marketing). Where processing is based on consent, you may withdraw consent at any time. To exercise, email legal@zap.app or support@zap.app. You also have the right to lodge a complaint with your local supervisory authority.

Transfers. When transferring personal data outside the EEA/UK/CH, we use appropriate safeguards where required (e.g., Standard Contractual Clauses).

13) Third-Party Websites & Services

The Services may link to or integrate with third-party websites, apps, wallets, DEXs, bridges, or other services. We are not responsible for their privacy practices. Review their policies before use.

14) Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will update the "Last Updated" date and may provide additional notice as required. Your continued use of the Services after the effective date signifies your acceptance of the updated Policy.

15) Contact

• General & Support: support@zap.app
• Privacy & Legal Requests (including state/EU rights requests): legal@zap.app

If a physical mailing address is required by your local law for notices, email legal@zap.app to request our current notice address.

Appendix: Category Summary (for State Law Transparency)

• Identifiers & contact info (e.g., email, device ID) – collected; shared with service providers; may be used for analytics and, if used, targeted advertising (opt-out available).
• Commercial/transactional info (e.g., fee payments in USDC, in-app purchases) – collected; shared with payment/settlement and analytics providers.
• Internet/network activity (e.g., usage, telemetry) – collected automatically; used for security, analytics, product improvement; may involve cookies/SDKs.
• Geolocation (coarse) (e.g., general region from IP) – collected automatically; used for localization, security, compliance.
• Financial/crypto data (wallet addresses, on-chain metadata, balances visible on-chain) – collected/associated off-chain; public on-chain data is inherently visible to anyone.
• Inferences/analytics (aggregated or de-identified insights) – created for product improvement and business intelligence.
• Sensitive personal information – not intentionally collected; if necessary for specific features or to comply with law, we will present additional disclosures/consents.