VIRTUS PROTOCOL PRIVACY POLICY
Effective Date: February 7, 2026
Last Revised: February 7, 2026
IMPORTANT INFORMATION
This Privacy Policy ("Policy") outlines how VIRTUS Protocol ("we", "our", "us", or "VIRTUS") collects, uses, processes, stores, and safeguards your data, including your Personal Data, when you use our website and user interface (the "Site") and our decentralized finance protocol and smart contracts (the "DeFi Protocol" or "Protocol"). "Personal Data" means any information relating to an identified or identifiable natural person.
This Policy forms an integral part of our Terms of Use ("Terms"), available at https://docs.virtus-protocol.com/docs/Legal/terms-of-use, and should be read together with the Terms. Capitalized terms used in this Policy have the meanings described in the Terms unless defined otherwise herein. By using the Site or DeFi Protocol, you confirm that you have read, understood, and accept all terms and conditions contained in this Policy.
JURISDICTIONAL SCOPE
This Policy applies to all territories where VIRTUS Protocol is available, EXCEPT the United States of America and its territories. For users in the European Union/European Economic Area and the United Kingdom, additional GDPR provisions apply as set forth throughout this Policy.
CRITICAL BLOCKCHAIN DATA NOTICE
PUBLIC BLOCKCHAINS ARE DISTRIBUTED LEDGERS DESIGNED TO RECORD TRANSACTIONS ACROSS COMPUTER NETWORKS PERMANENTLY AND IMMUTABLY. Blockchains are decentralized and not controlled by VIRTUS Protocol. Blockchains are managed by third parties such as validators, miners, and node operators. Data recorded on blockchains is permanent and cannot be deleted, modified, or altered. VIRTUS Protocol CANNOT delete, modify, or alter any data recorded on blockchain networks, even if the data was entered through the DeFi Protocol. All blockchain transactions are publicly visible and can be viewed by anyone using block explorers. Wallet addresses and transaction history are pseudonymous but NOT anonymous. YOU ACKNOWLEDGE THAT BLOCKCHAIN DATA IS PUBLIC, PERMANENT, AND BEYOND OUR CONTROL.
1. DATA CONTROLLER AND CONTACT INFORMATION
1.1. Data Controller. The data controller is VIRTUS Protocol. We have not appointed a dedicated Data Protection Officer. For all matters relating to data protection and privacy, you may contact us at VIRTUSplatform@proton.me with the subject line "Privacy Inquiry" or "GDPR Request".
2. DATA WE COLLECT
2.1. Data Collected Through the Site
When you use the Site, we may collect and process the following information:
2.1.1. Personal Data (Voluntarily Provided). You may voluntarily provide us with your first and last name and email address through our contact form, email, Discord, or Telegram (collectively, "Contact Channels"). You may also choose to include additional data in messages or documents sent through Contact Channels, such as wallet addresses, VIRTUS Protocol account addresses, support inquiries, and feedback. You are responsible for the content and extent of information you provide, and we ask that you limit Personal Data to the absolute minimum necessary.
2.1.2. Automatically Collected Data. We automatically collect technical and usage information including IP address and geolocation data (country, region, city), browser type, version, and language settings, operating system and device type, screen resolution and device identifiers, referring/exit pages and URLs, date, time, and duration of access, pages viewed, features used, navigation paths, and click data and interaction patterns. We also collect information through tracking technologies including session and persistent cookies, web beacons and similar technologies, local storage and session storage, and analytics identifiers.
2.2. Data Collected Through the DeFi Protocol
We do NOT actively collect or process Personal Data through the DeFi Protocol. However, we may process the following data:
2.2.1. IP Address. We automatically collect IP addresses to restrict access from Restricted Territories (as defined in Section 7 of the Terms). This data is temporarily retained for compliance screening purposes.
2.2.2. Public Blockchain Data. We process only publicly available blockchain data including protocol deposits, withdrawals, and borrows, account solvency and positions, transaction hashes and timestamps, token balances and holdings (derived from public blockchain data), and smart contract interactions. We do NOT aggregate this data with other information to identify individuals, and we do NOT collect any data from MetaMask, Ledger, Rabby, or other wallet applications. Wallet providers may collect their own data independently.
2.2.3. Tracking Technologies. We may collect information through cookies that collect browser type, operating system, and device information, as well as web beacons and similar technologies used to personalize services accessible through the DeFi Protocol across sessions.
2.3. Third-Party Personal Data
If you provide us with Personal Data of third parties, you must obtain their express permission before providing their data to us, comply with all applicable legal obligations (such as informing them about data provision), and represent that you have the legal right to share their Personal Data.
2.4. Information We Do NOT Collect
VIRTUS Protocol does NOT collect, access, store, or have the ability to access private keys or seed phrases, wallet passwords or credentials, personal identification documents (passports, ID cards, driver's licenses), financial account information (bank accounts, credit card numbers), social security numbers or tax identification numbers, biometric data, health or medical information, or racial or ethnic origin, political opinions, religious beliefs, or trade union membership. WE HAVE NO ABILITY TO ACCESS, CONTROL, OR RECOVER YOUR FUNDS, TOKENS, OR PRIVATE KEYS.
3. HOW WE USE THE DATA
3.1. Data Collected Through the Site
We use Personal Data and other data collected through the Site to provide customer support and communications by answering your questions and inquiries, resolving technical issues or problems, providing guidance on using the Site or DeFi Protocol, and responding to feedback or complaints. We use this data for compliance with applicable laws by verifying that your IP address is not from a Restricted Territory, responding to lawful requests from authorities, complying with regulatory requirements, and defending against legal claims or proceedings. We also use data for Site operations and improvement by delivering core functionality, debugging and troubleshooting, optimizing performance and user experience, and conducting analytics to understand usage patterns.
3.2. Data Collected Through the DeFi Protocol
We use data collected through the DeFi Protocol to provide, customize, maintain, and improve services by delivering DeFi Protocol functionality, personalizing user experience, and optimizing protocol performance. We use this data for verification and security by verifying that you meet criteria for using the DeFi Protocol, checking wallet balances for transaction safeguards, safeguarding smart contract interactions, and preventing fraud, abuse, and unauthorized access. We use data to operate Liquidity Pools by establishing the amount of tokens available in pools, broadcasting pool information on the Site, and managing protocol mechanics and parameters. We use data for compliance with laws and regulations by verifying that IP addresses are not from Restricted Territories, conducting sanctions screening (checking blockchain addresses against sanctions lists), complying with anti-money laundering (AML) and counter-terrorism financing (CTF) requirements, and responding to lawful requests from authorities. We also use data for fraud prevention and security by investigating and restricting fraudulent, unauthorized, or illegal activities, tackling security vulnerabilities, resolving potential security concerns, and protecting the Protocol and users from malicious actors.
4. LEGAL BASIS FOR PROCESSING (GDPR)
For users in the European Union, European Economic Area, and the United Kingdom, we process Personal Data based on the following legal grounds under GDPR:
4.1. Contact Channels. When you contact us for general inquiries (non-recruitment purposes), we process Personal Data based on our legitimate interest (Article 6(1)(f) GDPR) for necessary information to resolve your inquiry, and based on your consent (Article 6(1)(a) GDPR) for any excessive Personal Data you voluntarily provide beyond what's necessary.
4.2. Cookies. Essential cookies are processed based on our legitimate interest (Article 6(1)(f) GDPR) and are required for the Site to function properly without requiring consent. Optional cookies (analytics, marketing, and functional) are processed based on your consent (Article 6(1)(a) GDPR), which requires your explicit consent via cookie banner and can be withdrawn at any time. Some analytical cookies may use automated profiling to evaluate selected factors about your behavior, create forecasts or predictions, and tailor content to your preferences and interests. You can object to profiling or withdraw consent at any time.
4.3. Compliance and Security Processing. We process data based on legal obligation (Article 6(1)(c) GDPR) for compliance with laws and regulations, and based on legitimate interest (Article 6(1)(f) GDPR) for fraud prevention, security, and risk management.
4.4. Other Data (Non-Personal Data). We do not need a legal basis to process data that does not constitute Personal Data. However, we process such data based on your consent, our legitimate interests, or legal obligations.
5. WHO CAN ACCESS THE DATA
5.1. Sharing Personal Data Collected Through the Site
We may share Personal Data collected through the Site with authorities and legal advisors when necessary to comply with legal requirements, court orders, regulatory inquiries, or compliance proceedings, and only to the essential extent required for legal compliance and defense of claims. We may share Personal Data with service providers and advisors when your questions or requests require their involvement, only to the extent necessary to carry out tasks necessary to respond to you. These service providers may include technical providers, legal advisors, and consultants. We do NOT share Personal Data with third parties for other purposes.
5.2. Sharing Other Data Collected Through the Site
We may share non-Personal Data with service providers and vendors to help with maintenance and development of the DeFi Protocol and Site. Examples include cloud hosting providers (AWS, Google Cloud, Cloudflare), analytics services (Google Analytics, Hotjar), and development and technical support providers. We may share data with authorities and legal advisors to comply with legal requirements, court proceedings, regulatory inquiries, or compliance matters, and with other service providers if your questions or requests require their involvement.
5.3. Sharing Data Collected Through the DeFi Protocol
Data collected through the DeFi Protocol is shared with third-party protocols in the standard information exchange process within blockchain networks, which is inherent to how public blockchains operate. Once data is on the blockchain, it is publicly accessible and permanent. We may share data to safeguard, investigate, and restrict fraudulent, unauthorized, or illegal activities, protect the DeFi Protocol from security vulnerabilities or potential security concerns, and comply with sanctions screening and anti-money laundering (AML) requirements. This may include sharing with law enforcement and regulatory authorities, blockchain analytics and compliance providers (Chainalysis, Elliptic, TRM Labs, etc.), and security monitoring services.
5.4. Third-Party Form Service Provider
We use FormSubmit service provided by Devro LABS for our contact form. Data submitted through the contact form on the Site is shared with this provider. You can review their privacy policy at [FormSubmit Privacy Policy]. If you do not wish to share data with this third-party provider, please contact us directly via email at VIRTUSplatform@proton.me.
5.5. Third-Party Analytics Providers
We currently use Google Analytics and Hotjar for analytics services. Google Analytics collects usage data, browsing behavior, and device information. Their privacy policy is available at https://policies.google.com/privacy and you can opt-out at https://tools.google.com/dlpage/gaoptout. Hotjar collects heatmaps, session recordings, and user behavior analytics. Their privacy policy is available at https://www.hotjar.com/legal/policies/privacy with opt-out information available in their privacy policy. You can opt out of these services through cookie settings or browser extensions.
5.6. No Sale of Personal Data
We do NOT sell your Personal Data to third parties.
5.7. Important Compliance Disclosure
CRITICAL: We reserve the right to disclose Personal Data, IP addresses, blockchain addresses, or usage patterns to government agencies (OFAC, FinCEN, SEC, CFTC, FCA, EU regulators, etc.), law enforcement authorities (FBI, Europol, Interpol, national police forces), compliance and blockchain analytics providers (Chainalysis, Elliptic, TRM Labs, etc.), and regulatory bodies conducting investigations or enforcement actions. Such disclosures may occur WITHOUT prior notice to you if we identify or suspect access from Restricted Territories, interaction with sanctioned blockchain addresses (OFAC SDN List, EU Consolidated List, UN Sanctions, etc.), prohibited activities or violations of our Terms, or illegal activity, fraud, money laundering, or terrorist financing. By using the Site or DeFi Protocol, you consent to such compliance-related disclosures.
6. HOW WE PROTECT THE DATA
6.1. Data Collected Through the Site
We implement security measures including authorized access controls whereby Personal Data is accessible only by authorized individuals who deal directly with matters requiring access, and access is granted only to the extent necessary for the tasks they perform. We conduct periodic access reviews to determine whether access ranges need to be revised, ongoing risk assessments, adequacy monitoring of our security measures, and implement additional security measures when necessary. When we engage third parties with access to Personal Data, we ensure they guarantee appropriate security measures and comply with data protection requirements when processing Personal Data. We implement technical and organizational measures including encryption of data in transit using HTTPS/TLS, secure storage of data in access-controlled environments, firewalls and network security to protect against unauthorized access, and regular security updates to keep systems and software up to date.
6.2. Data Collected Through the DeFi Protocol
Data collected through the DeFi Protocol is safeguarded through standard cryptographic techniques (encryption and hashing), consensus mechanisms (blockchain validation and security), and decentralized architecture (distributed network design). For more information, visit our GitHub at https://github.com/VirtUsProtocol and our Security Page at https://docs.virtus-protocol.com/docs/Security/security-overview.
6.3. No Guarantee of Absolute Security
Despite our efforts, we cannot guarantee absolute security as no method is 100% secure. Unauthorized access, hacking, data breaches, or security incidents may occur, and you provide information at your own risk. We are NOT liable for security breaches or unauthorized access, data loss or corruption, actions of third parties (hackers, malicious actors), or vulnerabilities in third-party services.
6.4. User Responsibility for Security
You are solely responsible for protecting private keys and seed phrases (never share with anyone, including us), securing wallet credentials (use strong passwords and hardware wallets where appropriate), enabling security features (two-factor authentication, biometric authentication), keeping software updated (browsers, operating systems, wallet applications), protecting against malware (antivirus, anti-phishing tools), monitoring account activity (regularly review transactions and wallet activity), and reporting suspicious activity (notify us immediately of any security concerns). LOSS OR COMPROMISE OF PRIVATE KEYS RESULTS IN PERMANENT LOSS OF FUNDS. WE CANNOT RECOVER LOST OR STOLEN ASSETS.
7. DATA RETENTION
7.1. General Retention Principles
We conduct ongoing reviews to determine whether we still need to process data, particularly Personal Data. We seek to process data for the shortest possible period, considering the purpose for which data was collected, the need to defend against claims, and applicable legal requirements. We reserve the right to process Personal Data for as long as necessary to fulfill the purposes for which we collected it, satisfy legal, accounting, or tax requirements, comply with regulatory obligations, and defend against legal claims.
7.2. Specific Retention Periods
Server logs and IP addresses are typically retained for 30-90 days, with exceptions for data flagged for compliance review, investigation, or legal hold. Blockchain address data may be retained indefinitely for compliance, sanctions screening, fraud prevention, and security purposes. Analytics data is typically aggregated and anonymized after 12-24 months for trend analysis and protocol improvement. Communications and support tickets are retained for 2-5 years or as needed for legal purposes to maintain customer support history and legal defense. Compliance and sanctions screening records are retained for 5-10 years or as required by applicable law for regulatory compliance and audit requirements.
7.3. Deletion and Anonymization
Upon expiration of retention periods, Personal Data will be securely deleted or destroyed using industry-standard methods, anonymized so it can no longer identify individuals, or archived in restricted-access systems to prevent ordinary access.
7.4. Continued Processing After Deletion Request
If you request deletion of your Personal Data, we may continue to process it to the extent permitted by law (legal, tax, regulatory obligations), required by law (compliance with legal hold, ongoing investigations), or for legitimate business purposes (defense of legal claims, fraud prevention).
7.5. Blockchain Data Permanence
CRITICAL LIMITATION: Data recorded on public blockchains is PERMANENT and CANNOT be deleted. VIRTUS Protocol CANNOT delete, modify, or alter blockchain data. Blockchain data will remain publicly accessible indefinitely, including transaction hashes, wallet addresses, token transfers, and smart contract interactions. Third parties can view, analyze, and link blockchain data. YOU ACKNOWLEDGE AND ACCEPT THAT BLOCKCHAIN DATA IS BEYOND OUR CONTROL AND CANNOT BE DELETED, EVEN UPON REQUEST.
8. YOUR RIGHTS UNDER GDPR (EU/EEA/UK USERS)
If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
8.1. Right to Information (Article 13-14 GDPR). You have the right to request information about whether we process any of your Personal Data, the purposes and legal grounds for processing, the scope of Personal Data we process, the entities to whom we disclose your Personal Data, the planned date of deletion or retention period, and your rights regarding the data.
8.2. Right to Access (Article 15 GDPR). You have the right to request access to your Personal Data, receive a copy of Personal Data we process, and check whether it is processed lawfully. We will provide the copy in the format of your choice, if possible; otherwise, in a commonly used format.
8.3. Right to Rectification (Article 16 GDPR). You have the right to request correction of inaccurate or incomplete Personal Data, have us rectify any inconsistencies or errors, and have us complete incomplete Personal Data.
8.4. Right to Erasure / "Right to be Forgotten" (Article 17 GDPR). You have the right to request deletion of your Personal Data in certain circumstances including when the data is no longer necessary for the purposes for which it was collected, you withdraw consent (where processing is based on consent), you object to processing based on legitimate interests, the data was unlawfully processed, or erasure is required for legal compliance. Important Limitations: We may refuse erasure if retention is necessary for legal obligations, defense of legal claims, or compliance or regulatory purposes. Blockchain data CANNOT be deleted (it is on decentralized, immutable public ledgers), and IP addresses and blockchain addresses for sanctions screening may not be deletable.
8.5. Right to Restriction of Processing (Article 18 GDPR). You have the right to request that we limit how we use your Personal Data if you contest the accuracy of the data (while we verify accuracy), processing is unlawful but you prefer restriction over deletion, we no longer need the data but you need it for legal claims, or you object to processing and we are verifying whether our legitimate grounds override yours. When processing is restricted, we will cease performing operations on your Personal Data, only perform operations authorized by you or necessary for retention, and continue restriction until reasons cease to exist (e.g., supervisory authority decision).
8.6. Right to Data Portability (Article 20 GDPR). You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and transmit your Personal Data to another controller without hindrance. This right applies only when processing is based on consent or contract and processing is carried out by automated means. We will provide the data in a format that allows transfer to another entity, if technically feasible.
8.7. Right to Object (Article 21 GDPR). You have the right to object to processing of your Personal Data. For general objections based on legitimate interests (not marketing), you must provide justification based on your particular situation, and we must stop processing unless we demonstrate compelling legitimate grounds that override your interests. For marketing objections, no justification is needed and we must stop processing for marketing immediately.
8.8. Right to Withdraw Consent (Article 7(3) GDPR). You have the right to withdraw consent at any time (where processing is based on consent) and withdraw as easily as consent was given. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.9. Right to Lodge a Complaint (Article 77 GDPR). You have the right to file a complaint with your local data protection authority (supervisory authority) and seek judicial remedy if you believe your rights have been violated. EU/EEA Supervisory Authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. The UK Supervisory Authority (ICO) can be contacted at https://ico.org.uk/make-a-complaint/.
8.10. How to Exercise Your Rights. To exercise any of the above rights, contact us by email at VIRTUSplatform@proton.me with the subject line "GDPR Rights Request". Please include in your request your full name and contact information, the specific right(s) you wish to exercise, sufficient information to verify your identity, and any relevant details (wallet address, dates of activity, specific data).
8.11. Response Timeline. We will respond to your request within one month of receipt. If we need to extend this deadline (for complex requests), we will inform you and explain the reasons. The maximum extension is an additional two months (total of three months).
8.12. Verification and Limitations. We may request additional information to verify your identity before fulfilling requests, which protects against fraudulent or unauthorized requests. Providing additional verification information is not mandatory; however, failure to provide verification will result in the request being refused. You can make requests in person or through a third party (e.g., proxy, legal representative), and we may require proof of authorization for third-party requests. Your rights are not absolute. We reserve all available rights under applicable law to refuse manifestly unfounded or excessive requests, charge a reasonable fee for repetitive or excessive requests, decline requests that would compromise security, legal obligations, or the rights of others, and retain data despite erasure requests if required for legal, regulatory, or compliance purposes.
9. COOKIES, ANALYTICS & MARKETING
9.1. What Are Cookies?
Cookies are small text files stored on your device by your web browser when you visit a website. They enable the website to remember your preferences and settings, track your activity and usage patterns, and improve user experience and functionality.
9.2. Cookies and Personal Data
Cookies may contain Personal Data if the information they collect can be linked to an identified or identifiable person (e.g., IP addresses, unique identifiers).
9.3. How We Use Cookies
We use cookies for analytics (understanding how users interact with the Site), marketing (personalizing content and advertisements, if applicable), functionality (storing preferences and improving user experience), and essential operations (ensuring the Site functions properly).
9.4. Types of Cookies We Use
(1) Session Cookies track your actions as you navigate the Site, are stored temporarily and deleted when your browser is closed, and are used to maintain session state, shopping cart, and form inputs.
(2) Persistent Cookies save your preferences and settings for future visits, remain on your device for a predetermined timeframe or until manually deleted, and are used to remember login status, language preferences, and theme choices.
(3) Essential Cookies (Strictly Necessary) ensure the proper functioning of the Site and its essential features by enabling core functionality (navigation, security, accessibility), remembering your cookie preferences, and maintaining session state. These cookies do not require consent as they are necessary for the Site to function. Without them, you cannot use the Site and its services properly.
(4) Optional Cookies (Require Consent) include:
-
(a) Analytics Cookies that track the number and sources of visits to the Site to measure and improve Site performance, understand which pages are most or least visited, and analyze how visitors navigate the Site (examples: Google Analytics, Hotjar). If refused, your visit will not be included in our statistics, but it will not restrict any Site functionality.
-
(b) Marketing Cookies that personalize content and advertisements displayed on the Site and third-party websites to tailor advertisements to your interests, track advertising campaign effectiveness, and deliver personalized marketing on third-party platforms. If refused, you will be shown generic and non-personalized advertisements, but it will not restrict any Site functionality.
-
(c) Functional Cookies that store and customize the Site according to your choices to remember language preferences, theme or display settings, and enhance user experience. If blocked, some parts of the Site may not work correctly.
-
(d) Third-Party Cookies provided by Google Analytics and Hotjar (currently used), which fall within Analytics and Marketing cookies. Their privacy policies are available at https://policies.google.com/privacy (Google Analytics) and https://www.hotjar.com/legal/policies/privacy (Hotjar). You can opt out of each or all of them without restricting Site functionality.
9.5. Managing Cookie Consent
Essential cookies (Section 9.4(3)) are installed and used automatically without your consent, as they are necessary for the Site to function. Optional cookies (Section 9.4(4)) are only installed and used with your consent. Upon your first visit to the Site, a cookie banner will inform you that cookies are used and you will be presented with options to manage your cookie preferences.
To consent to all Optional cookies, select the "Allow All" option on the cookie banner, which gives consent for all Optional cookies (Analytics, Marketing, Functional, Third-Party) and affirms that you have read and agreed to this Policy.
To reject Optional cookies, select the "Reject All" option on the cookie banner, which rejects all Optional cookies while Essential cookies will still be installed and used (required for Site functionality).
To manage cookie preferences in detail, select the "Personalize" or "Cookie Settings" option on the cookie banner to choose which categories of Optional cookies to enable or disable. Note that this option does not apply to Essential cookies (they cannot be disabled).
9.6. Changing Your Cookie Consent
You can change your cookie consent at any time by accessing the cookie settings on the Site (usually in the footer or privacy settings), adjusting your preferences through the cookie banner (if it reappears), or using your browser settings to manage or delete cookies.
9.7. Browser-Level Cookie Management
You can also manage cookies through your browser settings to block or disable cookies (most browsers allow you to refuse all cookies or only third-party cookies), receive notifications (set your browser to notify you when cookies are being set), or delete existing cookies (clear cookies already stored on your device). Browser help documentation is available at:
Note: Blocking or deleting Essential cookies may prevent the Site from functioning properly.
10. INTERNATIONAL DATA TRANSFERS
10.1. Cross-Border Transfers
We may process and transfer Personal Data outside of the European Economic Area (EEA) and the United Kingdom. This may include transfers to the British Virgin Islands (where VIRTUS Protocol Ltd. is registered), countries where our service providers, infrastructure, or third parties are located, and countries where regulatory authorities or law enforcement request information.
10.2. Transfer Mechanisms and Safeguards
Any processing or transfer of Personal Data is conducted in accordance with appropriate transfer mechanisms under GDPR and UK GDPR.
10.3. Transfers to Countries Without Adequacy Decisions
If we transfer Personal Data to a country that has NOT been deemed by the EU as having an adequate level of data protection, we will ensure appropriate safeguards are in place. We will conclude contracts based on Standard Contractual Clauses published by the European Commission (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en). We will implement supplementary measures to ensure the highest standards of data protection, which may include encryption, access controls, and contractual commitments from service providers.
10.4. Adequacy Decisions
The current list of countries with adequacy decisions (deemed to have adequate data protection) is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
10.5. Your Rights Regarding Transfers
You have the right to request information about the safeguards in place for your data transfers and obtain a copy of Standard Contractual Clauses or other transfer mechanisms. Contact us at VIRTUSplatform@proton.me for more information about international data transfers.
11. CHILDREN'S PRIVACY
The Site and DeFi Protocol are NOT intended for individuals under the age of 18 (or the age of majority in your jurisdiction, whichever is higher). We do NOT knowingly collect Personal Data from children. If we inadvertently process Personal Data from a person under 18, we will take legally permissible measures to remove that data from our records, cease processing the data immediately, and delete or anonymize the data as soon as possible. If you, as a parent or guardian, become aware that your child has provided Personal Data to us, please contact us immediately via email at VIRTUSplatform@proton.me with the subject line "Children's Privacy Concern". We will take prompt action to remove the data.
12. UPDATES TO THIS PRIVACY POLICY
The Policy may be regularly reviewed and updated as required to reflect changes in our data practices, comply with new legal or regulatory requirements, address new technologies or features, and improve clarity and transparency. The current Policy is always available at https://app.virtus-protocol.com/privacy-policy. Each revision will include the date of the last revision at the top of the Policy and information about when it was last reviewed. For material changes that significantly affect your rights, we may provide additional notice (email, in-app notification, prominent Site banner); however, such notice is not required for the changes to be effective. Changes are binding on users and will take effect immediately upon posting. You are advised to check the Policy periodically to familiarize yourself with any changes. Continued use of the Site or DeFi Protocol after changes are posted constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must cease using the Site and DeFi Protocol. Please observe which version of the Policy applies to you before you use the Site or enter into any transaction using the DeFi Protocol.
13. BLOCKCHAIN DATA TRANSPARENCY AND PERMANENCE
CRITICAL NOTICE: All blockchain transactions and wallet addresses are publicly visible and permanently recorded on public blockchains. This includes all transactions you sign and broadcast, your wallet address(es) and token balances, smart contract interactions and function calls, transaction amounts, timestamps, gas fees, and metadata, and staking activity, delegation history, and rewards. Blockchain data is NOT controlled by VIRTUS Protocol or any single entity, CANNOT be deleted, modified, or made private by us or anyone else, is accessible to anyone via block explorers, node queries, or APIs, and may be analyzed by third parties including blockchain analytics firms (Chainalysis, Elliptic, TRM Labs), researchers and academics, law enforcement and regulatory authorities, and other users or malicious actors.
Blockchain transactions are pseudonymous, NOT anonymous. Your wallet address is a pseudonym, not directly linked to your real name; however, sophisticated analysis can link wallet addresses to real-world identities. De-anonymization can occur through centralized exchange (CEX) KYC/AML data (if you deposited/withdrew), IP address logging by nodes or services, transaction graph analysis and clustering, social media disclosures (posting your address publicly), and on-chain activity patterns (unique behaviors). Once a blockchain address is associated with you, ALL past and future transactions may be traced, transaction history is permanent and public, and privacy cannot be retroactively added.
BY USING THE SITE OR DEFI PROTOCOL, YOU ACKNOWLEDGE AND ACCEPT THAT blockchain transactions are public and permanent, your financial activity on blockchains may be visible to anyone, VIRTUS Protocol cannot delete, modify, or hide blockchain data, you assume all privacy risks associated with public blockchain transactions, and you are responsible for understanding and managing your own privacy on blockchains. If you require privacy, consider using privacy-focused blockchains (where legal), employ best practices for pseudonymity (separate wallets for different purposes), avoid linking blockchain addresses to personal identities, and understand the inherent limitations of blockchain privacy.
14. COMPLIANCE AND REPORTING OBLIGATIONS
VIRTUS Protocol may be legally obligated to collect, retain, and report certain information to regulatory authorities, cooperate with law enforcement investigations and proceedings, disclose information in response to valid legal processes (subpoenas, court orders, warrants), comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, and implement sanctions screening and comply with economic sanctions programs. WE PRIORITIZE LEGAL COMPLIANCE OVER USER PRIVACY EXPECTATIONS. This means we will comply with lawful requests for information, even without user consent, disclose information if required or permitted by law, cooperate with regulatory investigations and enforcement actions, and not resist valid legal processes on behalf of users.
Disclosures to authorities, regulators, or compliance providers may occur WITHOUT prior notice to you if we are legally prohibited from notifying you (e.g., gag orders, ongoing investigations), notification would compromise an investigation or legal proceeding, we identify or suspect Prohibited Uses, illegal activity, or sanctions violations, or immediate disclosure is necessary to comply with urgent legal obligations.
BY USING THE SITE OR DEFI PROTOCOL, YOU CONSENT TO collection and retention of information for compliance purposes, disclosure of information to authorities, regulators, and compliance providers, sharing of information with sanctions screening services and blockchain analytics firms, and reporting of suspicious activity, violations of law, or prohibited conduct. IF YOU DO NOT CONSENT TO SUCH COMPLIANCE-RELATED DATA PROCESSING AND DISCLOSURE, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.
15. CONTACT US
For questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us by email at VIRTUSplatform@proton.me. Please use the following subject lines: "General Privacy Inquiry", "GDPR Rights Request" (for EU/EEA/UK users), "Data Protection Inquiry", "Privacy Complaint", or "Children's Privacy Concern". We will respond to your inquiry as promptly as possible, typically within 30 days (or as required by applicable law, such as one month for GDPR requests).
16. ACKNOWLEDGMENT AND ACCEPTANCE
By accessing or using the Site or DeFi Protocol, you acknowledge that you have read and understood this entire Privacy Policy, you consent to the collection, use, processing, storage, and disclosure of your information as described herein, you understand that blockchain data is public, permanent, and beyond our control, you accept the privacy risks associated with public blockchain transactions, you agree to international transfers of your information, you consent to compliance-related disclosures to authorities and third parties, you have had the opportunity to seek independent legal advice, and you voluntarily agree to be bound by this Policy. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.
END OF PRIVACY POLICY
Effective Date: February 7, 2026
Last Updated: February 7, 2026
© 2026 VIRTUS Protocol. All rights reserved.