VIRTUS Protocol — Privacy Policy
Effective Date: May 27, 2026
Definitions of key protocol terms are available in the VIRTUS Protocol Glossary.
Important Information
This Privacy Policy ("Policy") outlines how the VIRTUS Protocol Operator ("Operator") collects, uses, processes, stores, and safeguards data, including Personal Data, when users access the website and interface (the "Site") and interact with the decentralized finance protocol and smart contracts (the "DeFi Protocol" or "Protocol"). The same applies when Services are accessed through third-party websites or applications.
"Personal Data" means any information relating to an identified or identifiable natural person.
This Policy forms an integral part of the Terms of Service ("Terms"), available at https://docs.virtus-protocol.com/docs/Legal/Terms-of-Service, and should be read together with the Terms. Capitalized terms used in this Policy have the meanings described in the Terms unless defined otherwise herein.
BY ACCESSING OR USING THE SITE OR DEFI PROTOCOL, EITHER DIRECTLY OR THROUGH THIRD PARTIES, YOU CONFIRM THAT YOU HAVE READ, UNDERSTOOD, AND ACCEPT ALL TERMS AND CONDITIONS CONTAINED IN THIS POLICY. IF YOU ARE UNWILLING TO AGREE TO THIS PRIVACY POLICY, OR YOU DO NOT HAVE THE RIGHT, POWER, AND AUTHORITY TO ACT ON BEHALF OF AND BIND THE BUSINESS, ORGANIZATION, OR OTHER ENTITY YOU REPRESENT, DO NOT ACCESS OR USE THE SERVICES.
The Operator is committed to protecting user privacy. Protection of Personal Data and user privacy are among the Operator's top priorities.
Critical Blockchain Data Notice
PUBLIC BLOCKCHAINS ARE DISTRIBUTED LEDGERS DESIGNED TO RECORD TRANSACTIONS ACROSS COMPUTER NETWORKS PERMANENTLY AND IMMUTABLY.
Blockchains are decentralized and not controlled by any single party. Blockchains are managed by third parties such as validators, miners, and node operators. Data recorded on blockchains is permanent and cannot be deleted, modified, or altered. The Operator CANNOT delete, modify, or alter any data recorded on blockchain networks, even if the data was entered through the DeFi Protocol. All blockchain transactions are publicly visible and can be viewed by anyone using block explorers. Wallet addresses and transaction history are pseudonymous but NOT anonymous.
YOU ACKNOWLEDGE THAT BLOCKCHAIN DATA IS PUBLIC, PERMANENT, AND BEYOND THE OPERATOR'S CONTROL.
1. Data Controller and Contact Information
1.1 For purposes of this Policy, the Operator acts as data controller for Personal Data processed through the Site interface. The Operator has not appointed a dedicated Data Protection Officer.
1.2 For all matters relating to data protection and privacy, contact the Operator at VIRTUSplatform@proton.me with the subject line "Privacy Inquiry" or "GDPR Request".
2. Data Collected
2.1 Data Collected Through the Site
When using the Site, the Operator may collect and process the following information:
2.1.1 Personal Data (Voluntarily Provided)
Users may voluntarily provide first and last name and email address through the contact form, email, Discord, or Telegram (collectively, "Contact Channels"). Users may also choose to include additional data in messages or documents sent through Contact Channels, such as wallet addresses, VIRTUS Protocol account addresses, support inquiries, and feedback.
Users are responsible for the content and extent of information provided, and are asked to limit Personal Data to the absolute minimum necessary.
2.1.2 Automatically Collected Data
The Operator automatically collects technical and usage information including:
- IP address and geolocation data (country, region, city)
- Browser type, version, and language settings
- Operating system and device type
- Screen resolution and device identifiers
- Referring/exit pages and URLs
- Date, time, and duration of access
- Pages viewed, features used, navigation paths, and click data
- Interaction patterns and traffic data
- Domain server and site security data
The Operator also collects information through tracking technologies including session and persistent cookies, web beacons and similar technologies, local storage and session storage, and analytics identifiers.
2.2 Data Collected Through the DeFi Protocol
The Operator does NOT actively collect or process Personal Data through the DeFi Protocol. However, the Operator may process the following data:
2.2.1 IP Address
The Operator automatically collects IP addresses to restrict access from Restricted Territories (as defined in the Terms). This data is temporarily retained for compliance screening purposes.
2.2.2 Public Blockchain Data
The Operator processes only publicly available blockchain data including protocol interactions and transaction records; account positions; transaction hashes and timestamps; token balances and holdings (derived from public blockchain data); and smart contract interactions.
Blockchain addresses and transaction information are public data not created by the Operator or any other central party and are not considered personally identifying.
The Operator does NOT aggregate this data with other information to identify individuals, and does NOT collect any data from MetaMask, Ledger, Rabby, or other wallet applications. Wallet providers may collect their own data independently.
2.2.3 Tracking Technologies
The Operator may collect information through cookies that collect browser type, operating system, and device information, as well as web beacons and similar technologies used to personalize services accessible through the DeFi Protocol across sessions.
2.3 Third-Party Personal Data
If users provide Personal Data of third parties, they must obtain those third parties' express permission before providing the data to the Operator, comply with all applicable legal obligations (such as informing the third parties about the data provision), and represent that they have the legal right to share that Personal Data.
2.4 Information Not Collected
The Operator does NOT collect, access, store, or have the ability to access:
- Private keys or seed phrases
- Wallet passwords or credentials
- Personal identification documents (passports, ID cards, driver's licenses)
- Financial account information (bank accounts, credit card numbers)
- Social security numbers or tax identification numbers
- Biometric data
- Health or medical information
- Racial or ethnic origin, political opinions, religious beliefs, or trade union membership
THE OPERATOR HAS NO ABILITY TO ACCESS, CONTROL, OR RECOVER YOUR FUNDS, TOKENS, OR PRIVATE KEYS.
The Operator will NEVER ask for private keys, mnemonic phrases, wallet seeds, or any other wallet security information. Never provide private keys or wallet seeds to anyone or to any website or form, and do not store them anywhere accessible to anyone other than you.
The Operator will NEVER contact users on any social media, messenger, or other platform asking for personal information and/or wallet information. Do not send or submit private keys, mnemonic phrases, seed phrases, or any other private security information on any website, form, or email.
3. How the Operator Uses the Data
3.1 Data Collected Through the Site
The Operator uses Personal Data and other data collected through the Site for:
Customer Support and Communications: Answering questions and inquiries, resolving technical issues or problems, providing guidance on using the Site or DeFi Protocol, and responding to feedback or complaints.
Compliance with Applicable Laws: Verifying that IP addresses are not from Restricted Territories, responding to lawful requests from authorities, complying with regulatory requirements, and defending against legal claims or proceedings.
Site Operations and Improvement: Delivering core functionality, debugging and troubleshooting, optimizing performance and user experience, and conducting analytics to understand usage patterns.
Internal and Operational Purposes: Ensuring security, identifying irregular website behavior, preventing fraudulent activity, and improving security at all possible levels.
Assessment and Analysis: Assessing and improving the performance of the Services, including via Google Analytics, Hotjar, and other analytics tools.
3.2 Data Collected Through the DeFi Protocol
The Operator uses data collected through the DeFi Protocol for:
Providing, Customizing, and Improving Services: Delivering DeFi Protocol functionality, personalizing user experience, and optimizing protocol performance.
Verification and Security: Verifying that users meet criteria for using the DeFi Protocol, checking wallet balances for transaction safeguards, safeguarding smart contract interactions, and preventing fraud, abuse, and unauthorized access.
Displaying Pool Data: Reading and displaying publicly available pool information on the Site, including token balances, liquidity, and protocol mechanics. The Operator does not operate or manage any liquidity pools — all pools are independent and permissionless.
Compliance with Laws and Regulations: Verifying that IP addresses are not from Restricted Territories, conducting sanctions screening (checking blockchain addresses against sanctions lists), complying with anti-money laundering (AML) and counter-terrorism financing (CTF) requirements, and responding to lawful requests from authorities.
Fraud Prevention and Security: Investigating and restricting fraudulent, unauthorized, or illegal activities, tackling security vulnerabilities, resolving potential security concerns, and protecting the Protocol and users from malicious actors.
4. Legal Basis for Processing (GDPR)
For users in the European Union, European Economic Area, and the United Kingdom, the Operator processes Personal Data based on the following legal grounds under GDPR:
4.1 Contact Channels
When users contact the Operator for general inquiries, Personal Data is processed based on the Operator's legitimate interest (Article 6(1)(f) GDPR) for information necessary to resolve the inquiry, and based on consent (Article 6(1)(a) GDPR) for any excessive Personal Data voluntarily provided beyond what is necessary.
4.2 Cookies
Essential cookies are processed based on the Operator's legitimate interest (Article 6(1)(f) GDPR) and are required for the Site to function properly without requiring consent. Optional cookies (analytics, marketing, and functional) are processed based on user consent (Article 6(1)(a) GDPR), which requires explicit consent via cookie banner and can be withdrawn at any time.
Some analytical cookies may use automated profiling to evaluate selected factors about browsing behavior, create forecasts or predictions, and tailor content to preferences and interests. Users can object to profiling or withdraw consent at any time.
4.3 Compliance and Security Processing
The Operator processes data based on legal obligation (Article 6(1)(c) GDPR) for compliance with laws and regulations, and based on legitimate interest (Article 6(1)(f) GDPR) for fraud prevention, security, and risk management.
4.4 Other Data (Non-Personal Data)
No legal basis is required to process data that does not constitute Personal Data. However, such data is processed based on user consent, legitimate interests, or legal obligations.
5. Who Can Access the Data
5.1 Sharing Personal Data Collected Through the Site
The Operator may share Personal Data with:
Authorities and Legal Advisors: When necessary to comply with legal requirements, court orders, regulatory inquiries, or compliance proceedings, and only to the essential extent required for legal compliance and defense of claims.
Service Providers and Advisors: When questions or requests require their involvement, only to the extent necessary to carry out tasks necessary to respond. These service providers may include technical providers, legal advisors, and consultants.
The Operator does NOT share Personal Data with third parties for other purposes.
5.2 Sharing Other Data Collected Through the Site
The Operator may share non-Personal Data with:
Service Providers and Vendors: To help with maintenance and development of the DeFi Protocol and Site. Examples include cloud hosting providers (AWS, Google Cloud, Cloudflare), analytics services (Google Analytics, Hotjar), and development and technical support providers.
Authorities and Legal Advisors: To comply with legal requirements, court proceedings, regulatory inquiries, or compliance matters.
Other Service Providers: If questions or requests require their involvement.
5.3 Sharing Data Collected Through the DeFi Protocol
Data collected through the DeFi Protocol is shared with third-party protocols in the standard information exchange process within blockchain networks, which is inherent to how public blockchains operate. Once data is on the blockchain, it is publicly accessible and permanent.
The Operator may share data to safeguard, investigate, and restrict fraudulent, unauthorized, or illegal activities; protect the DeFi Protocol from security vulnerabilities or potential security concerns; and comply with sanctions screening and anti-money laundering (AML) requirements. This may include sharing with law enforcement and regulatory authorities, blockchain analytics and compliance providers (Chainalysis, Elliptic, TRM Labs, etc.), and security monitoring services.
5.4 Third-Party Form Service Provider
The Operator uses FormSubmit service provided by Devro LABS for the contact form. Data submitted through the contact form on the Site is shared with this provider. To avoid sharing data with this third-party provider, contact the Operator directly via email at VIRTUSplatform@proton.me.
5.5 Third-Party Analytics Providers
The Operator currently uses the following analytics services:
Google Analytics: Collects usage data, browsing behavior, and device information. Privacy policy: https://policies.google.com/privacy. Opt-out: https://tools.google.com/dlpage/gaoptout.
Hotjar: Collects heatmaps, session recordings, and user behavior analytics. Privacy policy: https://www.hotjar.com/legal/policies/privacy.
Users can opt out of these services through cookie settings or browser extensions.
5.6 No Sale of Personal Data
The Operator does NOT sell Personal Data to third parties.
5.7 Compliance Disclosure
The Operator reserves the right to disclose Personal Data, IP addresses, blockchain addresses, or usage patterns to government agencies, law enforcement authorities, compliance and blockchain analytics providers (Chainalysis, Elliptic, TRM Labs, etc.), and regulatory bodies conducting investigations or enforcement actions.
Such disclosures may occur WITHOUT prior notice if the Operator identifies or suspects access from Restricted Territories, interaction with sanctioned blockchain addresses, prohibited activities or violations of the Terms, or illegal activity, fraud, money laundering, or terrorist financing.
The Operator may not be able to guarantee that recipients of Personal Data will maintain the privacy or security of such data if disclosure is required to comply with official investigations or legal proceedings.
By using the Site or DeFi Protocol, users consent to such compliance-related disclosures.
5.8 Shared Data Limitations
Data shared with third parties for service provider purposes will never include Personal Data or sensitive information beyond what is strictly necessary for the service being provided.
6. How the Operator Protects the Data
6.1 Data Collected Through the Site
The Operator implements security measures including:
Access Controls: Personal Data is accessible only by authorized individuals who deal directly with matters requiring access, and access is granted only to the extent necessary for the tasks they perform. Periodic access reviews are conducted to determine whether access ranges need to be revised.
Ongoing Security: Risk assessments, monitoring of the adequacy of security measures, and implementation of additional security measures when necessary.
Third-Party Requirements: When the Operator engages third parties with access to Personal Data, those parties are required to guarantee appropriate security measures and comply with data protection requirements.
Technical and Organizational Measures: Encryption of data in transit using HTTPS/TLS, secure storage of data in access-controlled environments, firewalls and network security to protect against unauthorized access, and regular security updates to keep systems and software up to date.
6.2 Data Collected Through the DeFi Protocol
Data collected through the DeFi Protocol is safeguarded through standard cryptographic techniques (encryption and hashing), consensus mechanisms (blockchain validation and security), and decentralized architecture (distributed network design).
For more information, visit https://github.com/VirtUsProtocol and the Security Overview at https://docs.virtus-protocol.com/docs/Security/security-overview.
6.3 No Guarantee of Absolute Security
Despite the Operator's efforts, absolute security cannot be guaranteed as no method of transmission or storage is 100% secure. Unauthorized access, hacking, data breaches, or security incidents may occur, and users provide information at their own risk.
The Operator is NOT liable for security breaches or unauthorized access, data loss or corruption, actions of third parties (hackers, malicious actors), or vulnerabilities in third-party services.
6.4 User Responsibility for Security
Users are solely responsible for:
- Protecting private keys and seed phrases (never share with anyone, including the Operator)
- Securing wallet credentials (use strong passwords and hardware wallets where appropriate)
- Enabling security features (two-factor authentication, biometric authentication)
- Keeping software updated (browsers, operating systems, wallet applications)
- Protecting against malware (antivirus, anti-phishing tools)
- Monitoring account activity (regularly review transactions and wallet activity)
- Reporting suspicious activity (notify the Operator immediately of any security concerns)
LOSS OR COMPROMISE OF PRIVATE KEYS RESULTS IN PERMANENT LOSS OF FUNDS. THE OPERATOR CANNOT RECOVER LOST OR STOLEN ASSETS. The Operator is not responsible for transferring, safeguarding, or maintaining private keys or any virtual currency associated with them. If private keys are lost, mishandled, or stolen, recovery of associated virtual currency may not be possible, and the Operator bears no liability for such loss.
7. Data Retention
7.1 General Retention Principles
The Operator conducts ongoing reviews to determine whether data, particularly Personal Data, still needs to be processed. The Operator seeks to process data for the shortest possible period, considering the purpose for which data was collected, the need to defend against claims, and applicable legal requirements.
The Operator reserves the right to process Personal Data for as long as necessary to fulfill the purposes for which it was collected, satisfy legal, accounting, or tax requirements, comply with regulatory obligations, and defend against legal claims.
Personal Data is securely destroyed or deleted when it is no longer required. Aggregated data, which cannot identify a device/browser (or individual) and is used for reporting and analysis, is maintained for as long as is commercially necessary.
7.2 Specific Retention Periods
Server Logs and IP Addresses: Typically retained for 30–90 days, with exceptions for data flagged for compliance review, investigation, or legal hold.
Blockchain Address Data: May be retained indefinitely for compliance, sanctions screening, fraud prevention, and security purposes.
Analytics Data: Typically aggregated and anonymized after 12–24 months for trend analysis and protocol improvement.
Communications and Support Tickets: Retained for 2–5 years or as needed for legal purposes to maintain support history and legal defense.
Compliance and Sanctions Screening Records: Retained for 5–10 years or as required by applicable law for regulatory compliance and audit requirements.
7.3 Deletion and Anonymization
Upon expiration of retention periods, Personal Data will be securely deleted or destroyed using industry-standard methods, anonymized so it can no longer identify individuals, or archived in restricted-access systems to prevent ordinary access.
7.4 Continued Processing After Deletion Request
If a deletion request is received, the Operator may continue to process Personal Data to the extent permitted by law (legal, tax, regulatory obligations), required by law (compliance with legal hold, ongoing investigations), or for legitimate business purposes (defense of legal claims, fraud prevention).
7.5 Blockchain Data Permanence
CRITICAL LIMITATION: Data recorded on public blockchains is PERMANENT and CANNOT be deleted. The Operator cannot delete, modify, or alter blockchain data. Blockchain data will remain publicly accessible indefinitely, including transaction hashes, wallet addresses, token transfers, and smart contract interactions. Third parties can view, analyze, and link blockchain data.
YOU ACKNOWLEDGE AND ACCEPT THAT BLOCKCHAIN DATA IS BEYOND THE OPERATOR'S CONTROL AND CANNOT BE DELETED, EVEN UPON REQUEST.
8. Your Rights Under GDPR (EU/EEA/UK Users)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
8.1 Right to Information (Articles 13–14 GDPR)
You have the right to request information about whether the Operator processes any of your Personal Data, the purposes and legal grounds for processing, the scope of Personal Data processed, the entities to whom Personal Data is disclosed, the planned date of deletion or retention period, and your rights regarding the data.
8.2 Right to Access (Article 15 GDPR)
You have the right to request access to your Personal Data, receive a copy of Personal Data the Operator processes, and check whether it is processed lawfully. The copy will be provided in the format of your choice if possible; otherwise, in a commonly used format.
8.3 Right to Rectification (Article 16 GDPR)
You have the right to request correction of inaccurate or incomplete Personal Data, have the Operator rectify any inconsistencies or errors, and have incomplete Personal Data completed.
8.4 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
You have the right to request deletion of your Personal Data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, you withdraw consent (where processing is based on consent), you object to processing based on legitimate interests, the data was unlawfully processed, or erasure is required for legal compliance.
Important Limitations: The Operator may refuse erasure if retention is necessary for legal obligations, defense of legal claims, or compliance or regulatory purposes. Blockchain data CANNOT be deleted — it exists on decentralized, immutable public ledgers. IP addresses and blockchain addresses retained for sanctions screening may not be deletable.
8.5 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request that the Operator limit how it uses your Personal Data if you contest the accuracy of the data (while the Operator verifies accuracy), processing is unlawful but you prefer restriction over deletion, the Operator no longer needs the data but you need it for legal claims, or you object to processing and the Operator is verifying whether its legitimate grounds override yours.
When processing is restricted, the Operator will cease performing operations on your Personal Data, only perform operations authorized by you or necessary for retention, and continue restriction until the reasons cease to exist.
8.6 Right to Data Portability (Article 20 GDPR)
You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and transmit your Personal Data to another controller without hindrance. This right applies only when processing is based on consent or contract and processing is carried out by automated means.
8.7 Right to Object (Article 21 GDPR)
You have the right to object to processing of your Personal Data. For general objections based on legitimate interests, you must provide justification based on your particular situation, and the Operator must stop processing unless it demonstrates compelling legitimate grounds that override your interests. For marketing objections, no justification is needed and the Operator must stop processing for marketing immediately.
8.8 Right to Withdraw Consent (Article 7(3) GDPR)
You have the right to withdraw consent at any time where processing is based on consent, and to withdraw as easily as consent was given. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.9 Right to Lodge a Complaint (Article 77 GDPR)
You have the right to file a complaint with your local data protection authority (supervisory authority) and seek judicial remedy if you believe your rights have been violated.
EU/EEA Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en
UK Supervisory Authority (ICO): https://ico.org.uk/make-a-complaint/data-protection-complaints/
8.10 How to Exercise Your Rights
To exercise any of the above rights, contact the Operator by email at VIRTUSplatform@proton.me with the subject line "GDPR Rights Request". Please include your full name and contact information, the specific right(s) you wish to exercise, sufficient information to verify your identity, and any relevant details (wallet address, dates of activity, specific data).
8.11 Response Timeline
The Operator will respond to requests within one month of receipt. If an extension is needed (for complex requests), the Operator will inform you and explain the reasons. The maximum extension is an additional two months (total of three months).
8.12 Verification and Limitations
The Operator may request additional information to verify identity before fulfilling requests, which protects against fraudulent or unauthorized requests. Providing additional verification information is not mandatory; however, failure to provide verification may result in the request being refused. Requests can be made in person or through a third party (e.g., proxy, legal representative), and the Operator may require proof of authorization for third-party requests.
Rights under GDPR are not absolute. The Operator reserves all available rights under applicable law to refuse manifestly unfounded or excessive requests, charge a reasonable fee for repetitive or excessive requests, decline requests that would compromise security, legal obligations, or the rights of others, and retain data despite erasure requests if required for legal, regulatory, or compliance purposes.
9. Cookies, Analytics, and Marketing
9.1 What Are Cookies
Cookies are small text files stored on your device by your web browser when you visit a website. They enable the website to remember your preferences and settings, track your activity and usage patterns, and improve user experience and functionality. Cookies may contain Personal Data if the information they collect can be linked to an identified or identifiable person (e.g., IP addresses, unique identifiers).
9.2 How the Operator Uses Cookies
The Operator uses cookies for analytics (understanding how users interact with the Site), marketing (personalizing content and advertisements, if applicable), functionality (storing preferences and improving user experience), and essential operations (ensuring the Site functions properly).
9.3 Types of Cookies Used
Session Cookies: Track actions as users navigate the Site, are stored temporarily and deleted when the browser is closed, and are used to maintain session state and form inputs.
Persistent Cookies: Save preferences and settings for future visits, remain on the device for a predetermined timeframe or until manually deleted, and are used to remember login status, language preferences, and theme choices.
Essential Cookies (Strictly Necessary): Ensure the proper functioning of the Site and its essential features by enabling core functionality (navigation, security, accessibility), remembering cookie preferences, and maintaining session state. These cookies do not require consent as they are necessary for the Site to function. Without them, the Site and its services cannot be used properly.
Optional Cookies (Require Consent):
(a) Analytics Cookies: Track the number and sources of visits to the Site to measure and improve Site performance, understand which pages are most or least visited, and analyze how visitors navigate the Site. Examples: Google Analytics, Hotjar. If refused, visits will not be included in statistics, but Site functionality will not be restricted.
(b) Marketing Cookies: Personalize content and advertisements displayed on the Site and third-party websites to tailor advertisements to interests, track advertising campaign effectiveness, and deliver personalized marketing on third-party platforms. If refused, generic and non-personalized advertisements will be shown, but Site functionality will not be restricted.
(c) Functional Cookies: Store and customize the Site according to user choices to remember language preferences, theme or display settings, and enhance user experience. If blocked, some parts of the Site may not work correctly.
(d) Third-Party Cookies: Currently provided by Google Analytics and Hotjar, which fall within Analytics and Marketing cookies. Their privacy policies are available at https://policies.google.com/privacy (Google Analytics) and https://www.hotjar.com/legal/policies/privacy (Hotjar). Users can opt out of each or all of them without restricting Site functionality.
9.4 Managing Cookie Consent
Essential cookies are installed and used automatically without consent, as they are necessary for the Site to function. Optional cookies are only installed and used with user consent.
Upon the first visit to the Site, a cookie banner will inform users that cookies are used and present options:
Allow All: Gives consent for all Optional cookies (Analytics, Marketing, Functional, Third-Party) and affirms that the user has read and agreed to this Policy.
Reject All: Rejects all Optional cookies. Essential cookies will still be installed and used (required for Site functionality).
Personalize / Cookie Settings: Choose which categories of Optional cookies to enable or disable. This option does not apply to Essential cookies (they cannot be disabled).
9.5 Changing Cookie Consent
Cookie consent can be changed at any time by accessing the cookie settings on the Site (usually in the footer or privacy settings), adjusting preferences through the cookie banner (if it reappears), or using browser settings to manage or delete cookies.
9.6 Browser-Level Cookie Management
Cookies can also be managed through browser settings to block or disable cookies, receive notifications when cookies are being set, or delete existing cookies. Browser help documentation:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
- Edge: https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge
Note that blocking or deleting Essential cookies may prevent the Site from functioning properly.
10. International Data Transfers
10.1 The Operator may process and transfer Personal Data outside of the European Economic Area (EEA) and the United Kingdom. This may include transfers to countries where service providers, infrastructure, or third parties are located, and countries where regulatory authorities or law enforcement request information.
10.2 Any processing or transfer of Personal Data is conducted in accordance with appropriate transfer mechanisms under GDPR and UK GDPR.
10.3 If the Operator transfers Personal Data to a country that has not been deemed by the EU as having an adequate level of data protection, appropriate safeguards will be in place. The Operator will conclude contracts based on Standard Contractual Clauses published by the European Commission (available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en). Supplementary measures will be implemented to ensure the highest standards of data protection, which may include encryption, access controls, and contractual commitments from service providers.
10.4 The current list of countries with adequacy decisions is available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
10.5 Users have the right to request information about the safeguards in place for data transfers and obtain a copy of Standard Contractual Clauses or other transfer mechanisms. Contact the Operator at VIRTUSplatform@proton.me for more information about international data transfers.
11. Age Restriction
The Site and DeFi Protocol are strictly restricted to persons who are of legal age in their jurisdiction of residence and in no event under the age of 18 (or the age of majority in their jurisdiction, whichever is higher). By accessing or using the Services, users represent and warrant that they meet this age requirement.
The Operator does NOT knowingly collect Personal Data from persons under 18. If the Operator inadvertently processes Personal Data from a person under 18, the Operator will take legally permissible measures to cease processing the data immediately, delete or anonymize the data as soon as possible, and remove that data from records.
The Operator bears no liability for any loss, damage, or consequence arising from access to or use of the Services by persons under 18, and any such access is a material breach of the Terms. Parents and legal guardians are solely responsible for monitoring and preventing unauthorized access by minors.
If a parent or guardian becomes aware that a child has provided Personal Data to the Operator, contact the Operator immediately via email at VIRTUSplatform@proton.me with the subject line "Children's Privacy Concern". The Operator will take prompt action to remove the data.
12. Blockchain Data Transparency and Permanence
CRITICAL NOTICE: All blockchain transactions and wallet addresses are publicly visible and permanently recorded on public blockchains. This includes:
- All transactions you sign and broadcast
- Your wallet address(es) and token balances
- Smart contract interactions and function calls
- Transaction amounts, timestamps, gas fees, and metadata
- On-chain activity and transaction history
Blockchain data is NOT controlled by the Operator or any single entity, CANNOT be deleted, modified, or made private by the Operator or anyone else, is accessible to anyone via block explorers, node queries, or APIs, and may be analyzed by third parties including blockchain analytics firms (Chainalysis, Elliptic, TRM Labs), researchers and academics, law enforcement and regulatory authorities, and other users or malicious actors.
Privacy Implications
Blockchain transactions are pseudonymous, NOT anonymous. Your wallet address is a pseudonym, not directly linked to your real name; however, sophisticated analysis can link wallet addresses to real-world identities. De-anonymization can occur through centralized exchange (CEX) KYC/AML data (if you deposited/withdrew), IP address logging by nodes or services, transaction graph analysis and clustering, social media disclosures (posting your address publicly), and on-chain activity patterns (unique behaviors).
Once a blockchain address is associated with you, ALL past and future transactions may be traced, transaction history is permanent and public, and privacy cannot be retroactively added.
BY USING THE SITE OR DEFI PROTOCOL, YOU ACKNOWLEDGE AND ACCEPT THAT blockchain transactions are public and permanent, your financial activity on blockchains may be visible to anyone, the Operator cannot delete, modify, or hide blockchain data, you assume all privacy risks associated with public blockchain transactions, and you are responsible for understanding and managing your own privacy on blockchains.
If you require privacy, consider using privacy-focused blockchains (where legal), employing best practices for pseudonymity (separate wallets for different purposes), avoiding linking blockchain addresses to personal identities, and understanding the inherent limitations of blockchain privacy.
13. Compliance and Reporting Obligations
13.1 The Operator may be legally obligated to collect, retain, and report certain information to regulatory authorities; cooperate with law enforcement investigations and proceedings; disclose information in response to valid legal processes (subpoenas, court orders, warrants); comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations; and implement sanctions screening and comply with economic sanctions programs.
13.2 The Operator prioritizes legal compliance over user privacy expectations. This means the Operator will comply with lawful requests for information, even without user consent; disclose information if required or permitted by law; cooperate with regulatory investigations and enforcement actions; and not resist valid legal processes on behalf of users.
13.3 Disclosures to authorities, regulators, or compliance providers may occur WITHOUT prior notice if the Operator is legally prohibited from notifying users (e.g., gag orders, ongoing investigations), notification would compromise an investigation or legal proceeding, the Operator identifies or suspects prohibited uses, illegal activity, or sanctions violations, or immediate disclosure is necessary to comply with urgent legal obligations.
13.4 By using the Site or DeFi Protocol, users consent to collection and retention of information for compliance purposes, disclosure of information to authorities, regulators, and compliance providers, sharing of information with sanctions screening services and blockchain analytics firms, and reporting of suspicious activity, violations of law, or prohibited conduct.
IF YOU DO NOT CONSENT TO SUCH COMPLIANCE-RELATED DATA PROCESSING AND DISCLOSURE, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.
14. Do Not Track (DNT) Signals
The Site does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry-wide standard for DNT compliance.
15. Updates to This Privacy Policy
This Policy may be regularly reviewed and updated as required to reflect changes in data practices, comply with new legal or regulatory requirements, address new technologies or features, and improve clarity and transparency.
The current Policy is always available at https://docs.virtus-protocol.com/docs/Legal/Privacy-Policy.
Each revision will include the date of the last revision at the top of the Policy. For material changes that significantly affect user rights, the Operator may provide additional notice (email, in-app notification, prominent Site banner); however, such notice is not required for the changes to be effective.
Changes are binding on users and will take effect immediately upon posting. Users are advised to check the Policy periodically to familiarize themselves with any changes. Continued use of the Site or DeFi Protocol after changes are posted constitutes acceptance of the revised Policy. If you do not agree to the changes, you must cease using the Site and DeFi Protocol.
16. Contact
For questions, concerns, requests, or complaints regarding this Privacy Policy or data practices, contact the Operator:
Email: VIRTUSplatform@proton.me
Please use the following subject lines as appropriate:
- "General Privacy Inquiry"
- "GDPR Rights Request" (for EU/EEA/UK users)
- "Data Protection Inquiry"
- "Privacy Complaint"
- "Children's Privacy Concern"
The Operator will respond to inquiries within 30 days of receipt, as required by GDPR and applicable data protection law.
17. Acknowledgment and Acceptance
By accessing or using the Site or DeFi Protocol, you acknowledge that:
- You have read and understood this entire Privacy Policy
- You consent to the collection, use, processing, storage, and disclosure of your information as described herein
- You understand that blockchain data is public, permanent, and beyond the Operator's control
- You accept the privacy risks associated with public blockchain transactions
- You agree to international transfers of your information
- You consent to compliance-related disclosures to authorities and third parties
- You have had the opportunity to seek independent legal advice
- You voluntarily agree to be bound by this Policy
IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.
Last updated: May 2026 — Version 1.1
© 2026 VIRTUS Protocol. All rights reserved.