VIRTUS Protocol — Privacy Policy

Effective Date: March 6, 2026
Version: 1.0


Important Information

This Privacy Policy ("Policy") outlines how VIRTUS Protocol ("we", "our", "us", or "VIRTUS") collects, uses, processes, stores, and safeguards your data, including your Personal Data, when you use our website and user interface (the "Site") and our decentralized finance protocol and smart contracts (the "DeFi Protocol" or "Protocol"). The same applies if you use our Services on third-party websites or applications.

"Personal Data" means any information relating to an identified or identifiable natural person.

This Policy forms an integral part of our Terms of Service ("Terms"), available at https://docs.virtus-protocol.com/docs/Legal/Terms-of-Service, and should be read together with the Terms. Capitalized terms used in this Policy have the meanings described in the Terms unless defined otherwise herein.

BY ACCESSING OR USING THE SITE OR DEFI PROTOCOL, EITHER DIRECTLY OR THROUGH THIRD PARTIES, YOU CONFIRM THAT YOU HAVE READ, UNDERSTOOD, AND ACCEPT ALL TERMS AND CONDITIONS CONTAINED IN THIS POLICY. IF YOU ARE UNWILLING TO AGREE TO THIS PRIVACY POLICY, OR YOU DO NOT HAVE THE RIGHT, POWER, AND AUTHORITY TO ACT ON BEHALF OF AND BIND THE BUSINESS, ORGANIZATION, OR OTHER ENTITY YOU REPRESENT, DO NOT ACCESS OR USE THE SERVICES.

We are determined to protect the privacy of our users. Protection of your personal data and privacy are among our top priorities.


Critical Blockchain Data Notice

PUBLIC BLOCKCHAINS ARE DISTRIBUTED LEDGERS DESIGNED TO RECORD TRANSACTIONS ACROSS COMPUTER NETWORKS PERMANENTLY AND IMMUTABLY.

Blockchains are decentralized and not controlled by VIRTUS Protocol. Blockchains are managed by third parties such as validators, miners, and node operators. Data recorded on blockchains is permanent and cannot be deleted, modified, or altered. VIRTUS Protocol CANNOT delete, modify, or alter any data recorded on blockchain networks, even if the data was entered through the DeFi Protocol. All blockchain transactions are publicly visible and can be viewed by anyone using block explorers. Wallet addresses and transaction history are pseudonymous but NOT anonymous.

YOU ACKNOWLEDGE THAT BLOCKCHAIN DATA IS PUBLIC, PERMANENT, AND BEYOND OUR CONTROL.


1. Data Controller and Contact Information

1.1 The data controller is VIRTUS Protocol. We have not appointed a dedicated Data Protection Officer.

1.2 For all matters relating to data protection and privacy, you may contact us at VIRTUSplatform@proton.me with the subject line "Privacy Inquiry" or "GDPR Request".


2. Data We Collect

2.1 Data Collected Through the Site

When you use the Site, we may collect and process the following information:

2.1.1 Personal Data (Voluntarily Provided)

You may voluntarily provide us with your first and last name and email address through our contact form, email, Discord, or Telegram (collectively, "Contact Channels"). You may also choose to include additional data in messages or documents sent through Contact Channels, such as wallet addresses, VIRTUS Protocol account addresses, support inquiries, and feedback.

You are responsible for the content and extent of information you provide, and we ask that you limit Personal Data to the absolute minimum necessary.

2.1.2 Automatically Collected Data

We automatically collect technical and usage information including:

  • IP address and geolocation data (country, region, city)
  • Browser type, version, and language settings
  • Operating system and device type
  • Screen resolution and device identifiers
  • Referring/exit pages and URLs
  • Date, time, and duration of access
  • Pages viewed, features used, navigation paths, and click data
  • Interaction patterns and traffic data
  • Domain server and site security data

We also collect information through tracking technologies including session and persistent cookies, web beacons and similar technologies, local storage and session storage, and analytics identifiers.

2.2 Data Collected Through the DeFi Protocol

We do NOT actively collect or process Personal Data through the DeFi Protocol. However, we may process the following data:

2.2.1 IP Address

We automatically collect IP addresses to restrict access from Restricted Territories (as defined in the Terms). This data is temporarily retained for compliance screening purposes.

2.2.2 Public Blockchain Data

We process only publicly available blockchain data including protocol deposits, withdrawals, and borrows; account solvency and positions; transaction hashes and timestamps; token balances and holdings (derived from public blockchain data); and smart contract interactions.

Note that blockchain addresses and transaction information are public data that are not created by us or any other central party, and are not considered personally identifying.

We do NOT aggregate this data with other information to identify individuals, and we do NOT collect any data from MetaMask, Ledger, Rabby, or other wallet applications. Wallet providers may collect their own data independently.

2.2.3 Tracking Technologies

We may collect information through cookies that collect browser type, operating system, and device information, as well as web beacons and similar technologies used to personalize services accessible through the DeFi Protocol across sessions.

2.3 Third-Party Personal Data

If you provide us with Personal Data of third parties, you must obtain their express permission before providing their data to us, comply with all applicable legal obligations (such as informing them about data provision), and represent that you have the legal right to share their Personal Data.

2.4 Information We Do NOT Collect

VIRTUS Protocol does NOT collect, access, store, or have the ability to access:

  • Private keys or seed phrases
  • Wallet passwords or credentials
  • Personal identification documents (passports, ID cards, driver's licenses)
  • Financial account information (bank accounts, credit card numbers)
  • Social security numbers or tax identification numbers
  • Biometric data
  • Health or medical information
  • Racial or ethnic origin, political opinions, religious beliefs, or trade union membership

WE HAVE NO ABILITY TO ACCESS, CONTROL, OR RECOVER YOUR FUNDS, TOKENS, OR PRIVATE KEYS.

We will NEVER ask you for your private keys, mnemonic phrase, wallet seed, or any other wallet security information. Never provide your private keys or wallet seed to anyone or any website/form, and do not store them anywhere accessible by anyone other than you.

We will NEVER contact you on any social media, messenger, or other platform asking you for personal information and/or wallet information. You shall not send or submit private keys, mnemonic phrases, seed phrases, or any other private security information on any website, form, or email.


3. How We Use the Data

3.1 Data Collected Through the Site

We use Personal Data and other data collected through the Site for:

Customer Support and Communications: Answering your questions and inquiries, resolving technical issues or problems, providing guidance on using the Site or DeFi Protocol, and responding to feedback or complaints.

Compliance with Applicable Laws: Verifying that your IP address is not from a Restricted Territory, responding to lawful requests from authorities, complying with regulatory requirements, and defending against legal claims or proceedings.

Site Operations and Improvement: Delivering core functionality, debugging and troubleshooting, optimizing performance and user experience, and conducting analytics to understand usage patterns.

Internal and Operational Purposes: Ensuring security, identifying irregular website behavior, preventing fraudulent activity, and improving security at all possible levels.

Assessment and Analysis: Assessing and improving the performance of the Services, including via Google Analytics, Hotjar, and other analytics tools.

3.2 Data Collected Through the DeFi Protocol

We use data collected through the DeFi Protocol for:

Providing, Customizing, and Improving Services: Delivering DeFi Protocol functionality, personalizing user experience, and optimizing protocol performance.

Verification and Security: Verifying that you meet criteria for using the DeFi Protocol, checking wallet balances for transaction safeguards, safeguarding smart contract interactions, and preventing fraud, abuse, and unauthorized access.

Operating Liquidity Pools: Establishing the amount of tokens available in pools, broadcasting pool information on the Site, and managing protocol mechanics and parameters.

Compliance with Laws and Regulations: Verifying that IP addresses are not from Restricted Territories, conducting sanctions screening (checking blockchain addresses against sanctions lists), complying with anti-money laundering (AML) and counter-terrorism financing (CTF) requirements, and responding to lawful requests from authorities.

Fraud Prevention and Security: Investigating and restricting fraudulent, unauthorized, or illegal activities, tackling security vulnerabilities, resolving potential security concerns, and protecting the Protocol and users from malicious actors.


For users in the European Union, European Economic Area, and the United Kingdom, we process Personal Data based on the following legal grounds under GDPR:

4.1 Contact Channels

When you contact us for general inquiries, we process Personal Data based on our legitimate interest (Article 6(1)(f) GDPR) for information necessary to resolve your inquiry, and based on your consent (Article 6(1)(a) GDPR) for any excessive Personal Data you voluntarily provide beyond what is necessary.

4.2 Cookies

Essential cookies are processed based on our legitimate interest (Article 6(1)(f) GDPR) and are required for the Site to function properly without requiring consent. Optional cookies (analytics, marketing, and functional) are processed based on your consent (Article 6(1)(a) GDPR), which requires your explicit consent via cookie banner and can be withdrawn at any time.

Some analytical cookies may use automated profiling to evaluate selected factors about your behavior, create forecasts or predictions, and tailor content to your preferences and interests. You can object to profiling or withdraw consent at any time.

4.3 Compliance and Security Processing

We process data based on legal obligation (Article 6(1)(c) GDPR) for compliance with laws and regulations, and based on legitimate interest (Article 6(1)(f) GDPR) for fraud prevention, security, and risk management.

4.4 Other Data (Non-Personal Data)

We do not need a legal basis to process data that does not constitute Personal Data. However, we process such data based on your consent, our legitimate interests, or legal obligations.


5. Who Can Access the Data

5.1 Sharing Personal Data Collected Through the Site

We may share Personal Data with:

Authorities and Legal Advisors: When necessary to comply with legal requirements, court orders, regulatory inquiries, or compliance proceedings, and only to the essential extent required for legal compliance and defense of claims.

Service Providers and Advisors: When your questions or requests require their involvement, only to the extent necessary to carry out tasks necessary to respond to you. These service providers may include technical providers, legal advisors, and consultants.

We do NOT share Personal Data with third parties for other purposes.

5.2 Sharing Other Data Collected Through the Site

We may share non-Personal Data with:

Service Providers and Vendors: To help with maintenance and development of the DeFi Protocol and Site. Examples include cloud hosting providers (AWS, Google Cloud, Cloudflare), analytics services (Google Analytics, Hotjar), and development and technical support providers.

Authorities and Legal Advisors: To comply with legal requirements, court proceedings, regulatory inquiries, or compliance matters.

Other Service Providers: If your questions or requests require their involvement.

5.3 Sharing Data Collected Through the DeFi Protocol

Data collected through the DeFi Protocol is shared with third-party protocols in the standard information exchange process within blockchain networks, which is inherent to how public blockchains operate. Once data is on the blockchain, it is publicly accessible and permanent.

We may share data to safeguard, investigate, and restrict fraudulent, unauthorized, or illegal activities; protect the DeFi Protocol from security vulnerabilities or potential security concerns; and comply with sanctions screening and anti-money laundering (AML) requirements. This may include sharing with law enforcement and regulatory authorities, blockchain analytics and compliance providers (Chainalysis, Elliptic, TRM Labs, etc.), and security monitoring services.

5.4 Third-Party Form Service Provider

We use FormSubmit service provided by Devro LABS for our contact form. Data submitted through the contact form on the Site is shared with this provider. If you do not wish to share data with this third-party provider, please contact us directly via email at VIRTUSplatform@proton.me.

5.5 Third-Party Analytics Providers

We currently use the following analytics services:

Google Analytics: Collects usage data, browsing behavior, and device information. Privacy policy: https://policies.google.com/privacy. Opt-out: https://tools.google.com/dlpage/gaoptout.

Hotjar: Collects heatmaps, session recordings, and user behavior analytics. Privacy policy: https://www.hotjar.com/legal/policies/privacy.

You can opt out of these services through cookie settings or browser extensions.

5.6 No Sale of Personal Data

We do NOT sell your Personal Data to third parties.

5.7 Compliance Disclosure

We reserve the right to disclose Personal Data, IP addresses, blockchain addresses, or usage patterns to government agencies, law enforcement authorities, compliance and blockchain analytics providers (Chainalysis, Elliptic, TRM Labs, etc.), and regulatory bodies conducting investigations or enforcement actions.

Such disclosures may occur WITHOUT prior notice to you if we identify or suspect access from Restricted Territories, interaction with sanctioned blockchain addresses, prohibited activities or violations of our Terms, or illegal activity, fraud, money laundering, or terrorist financing.

We may not be able to guarantee that the recipients of your Personal Information will maintain the privacy or security of such Personal Information if we are required to disclose it in order to comply with official investigations or legal proceedings.

By using the Site or DeFi Protocol, you consent to such compliance-related disclosures.

5.8 Shared Data Limitations

Data shared with third parties for service provider purposes will never include your personal data or sensitive information beyond what is strictly necessary for the service being provided.


6. How We Protect the Data

6.1 Data Collected Through the Site

We implement security measures including:

Access Controls: Personal Data is accessible only by authorized individuals who deal directly with matters requiring access, and access is granted only to the extent necessary for the tasks they perform. We conduct periodic access reviews to determine whether access ranges need to be revised.

Ongoing Security: Risk assessments, adequacy monitoring of our security measures, and implementation of additional security measures when necessary.

Third-Party Requirements: When we engage third parties with access to Personal Data, we ensure they guarantee appropriate security measures and comply with data protection requirements.

Technical and Organizational Measures: Encryption of data in transit using HTTPS/TLS, secure storage of data in access-controlled environments, firewalls and network security to protect against unauthorized access, and regular security updates to keep systems and software up to date.

6.2 Data Collected Through the DeFi Protocol

Data collected through the DeFi Protocol is safeguarded through standard cryptographic techniques (encryption and hashing), consensus mechanisms (blockchain validation and security), and decentralized architecture (distributed network design).

For more information, visit our GitHub at https://github.com/VirtUsProtocol and our Security Page at https://docs.virtus-protocol.com/docs/Security/security-overview.

6.3 No Guarantee of Absolute Security

Despite our efforts, we cannot guarantee absolute security as no method of transmission or storage is 100% secure. Unauthorized access, hacking, data breaches, or security incidents may occur, and you provide information at your own risk.

VIRTUS is NOT liable for security breaches or unauthorized access, data loss or corruption, actions of third parties (hackers, malicious actors), or vulnerabilities in third-party services.

6.4 User Responsibility for Security

You are solely responsible for:

  • Protecting private keys and seed phrases (never share with anyone, including us)
  • Securing wallet credentials (use strong passwords and hardware wallets where appropriate)
  • Enabling security features (two-factor authentication, biometric authentication)
  • Keeping software updated (browsers, operating systems, wallet applications)
  • Protecting against malware (antivirus, anti-phishing tools)
  • Monitoring account activity (regularly review transactions and wallet activity)
  • Reporting suspicious activity (notify us immediately of any security concerns)

LOSS OR COMPROMISE OF PRIVATE KEYS RESULTS IN PERMANENT LOSS OF FUNDS. WE CANNOT RECOVER LOST OR STOLEN ASSETS. VIRTUS is not responsible for transferring, safeguarding, or maintaining your private keys or any virtual currency associated with them. If you lose, mishandle, or have your associated virtual currency private keys stolen, recovery of the associated virtual currency may not be possible, and VIRTUS bears no liability for such loss.


7. Data Retention

7.1 General Retention Principles

We conduct ongoing reviews to determine whether we still need to process data, particularly Personal Data. We seek to process data for the shortest possible period, considering the purpose for which data was collected, the need to defend against claims, and applicable legal requirements.

We reserve the right to process Personal Data for as long as necessary to fulfill the purposes for which we collected it, satisfy legal, accounting, or tax requirements, comply with regulatory obligations, and defend against legal claims.

Personal Information is securely destroyed or deleted when it is no longer required. Aggregated data, which cannot identify a device/browser (or individual) and is used for purposes of reporting and analysis, is maintained for as long as is commercially necessary.

7.2 Specific Retention Periods

Server Logs and IP Addresses: Typically retained for 30–90 days, with exceptions for data flagged for compliance review, investigation, or legal hold.

Blockchain Address Data: May be retained indefinitely for compliance, sanctions screening, fraud prevention, and security purposes.

Analytics Data: Typically aggregated and anonymized after 12–24 months for trend analysis and protocol improvement.

Communications and Support Tickets: Retained for 2–5 years or as needed for legal purposes to maintain customer support history and legal defense.

Compliance and Sanctions Screening Records: Retained for 5–10 years or as required by applicable law for regulatory compliance and audit requirements.

7.3 Deletion and Anonymization

Upon expiration of retention periods, Personal Data will be securely deleted or destroyed using industry-standard methods, anonymized so it can no longer identify individuals, or archived in restricted-access systems to prevent ordinary access.

7.4 Continued Processing After Deletion Request

If you request deletion of your Personal Data, we may continue to process it to the extent permitted by law (legal, tax, regulatory obligations), required by law (compliance with legal hold, ongoing investigations), or for legitimate business purposes (defense of legal claims, fraud prevention).

7.5 Blockchain Data Permanence

CRITICAL LIMITATION: Data recorded on public blockchains is PERMANENT and CANNOT be deleted. VIRTUS Protocol cannot delete, modify, or alter blockchain data. Blockchain data will remain publicly accessible indefinitely, including transaction hashes, wallet addresses, token transfers, and smart contract interactions. Third parties can view, analyze, and link blockchain data.

YOU ACKNOWLEDGE AND ACCEPT THAT BLOCKCHAIN DATA IS BEYOND OUR CONTROL AND CANNOT BE DELETED, EVEN UPON REQUEST.


8. Your Rights Under GDPR (EU/EEA/UK Users)

If you are located in the European Union, European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

8.1 Right to Information (Articles 13–14 GDPR)

You have the right to request information about whether we process any of your Personal Data, the purposes and legal grounds for processing, the scope of Personal Data we process, the entities to whom we disclose your Personal Data, the planned date of deletion or retention period, and your rights regarding the data.

8.2 Right to Access (Article 15 GDPR)

You have the right to request access to your Personal Data, receive a copy of Personal Data we process, and check whether it is processed lawfully. We will provide the copy in the format of your choice if possible; otherwise, in a commonly used format.

8.3 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate or incomplete Personal Data, have us rectify any inconsistencies or errors, and have us complete incomplete Personal Data.

8.4 Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your Personal Data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, you withdraw consent (where processing is based on consent), you object to processing based on legitimate interests, the data was unlawfully processed, or erasure is required for legal compliance.

Important Limitations: We may refuse erasure if retention is necessary for legal obligations, defense of legal claims, or compliance or regulatory purposes. Blockchain data CANNOT be deleted — it exists on decentralized, immutable public ledgers. IP addresses and blockchain addresses retained for sanctions screening may not be deletable.

8.5 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we limit how we use your Personal Data if you contest the accuracy of the data (while we verify accuracy), processing is unlawful but you prefer restriction over deletion, we no longer need the data but you need it for legal claims, or you object to processing and we are verifying whether our legitimate grounds override yours.

When processing is restricted, we will cease performing operations on your Personal Data, only perform operations authorized by you or necessary for retention, and continue restriction until the reasons cease to exist.

8.6 Right to Data Portability (Article 20 GDPR)

You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and transmit your Personal Data to another controller without hindrance. This right applies only when processing is based on consent or contract and processing is carried out by automated means.

8.7 Right to Object (Article 21 GDPR)

You have the right to object to processing of your Personal Data. For general objections based on legitimate interests, you must provide justification based on your particular situation, and we must stop processing unless we demonstrate compelling legitimate grounds that override your interests. For marketing objections, no justification is needed and we must stop processing for marketing immediately.

8.8 Right to Withdraw Consent (Article 7(3) GDPR)

You have the right to withdraw consent at any time where processing is based on consent, and to withdraw as easily as consent was given. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.9 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to file a complaint with your local data protection authority (supervisory authority) and seek judicial remedy if you believe your rights have been violated.

EU/EEA Supervisory Authorities: https://edpb.europa.eu/about-edpb/board/members_en

UK Supervisory Authority (ICO): https://ico.org.uk/make-a-complaint/

8.10 How to Exercise Your Rights

To exercise any of the above rights, contact us by email at VIRTUSplatform@proton.me with the subject line "GDPR Rights Request". Please include in your request your full name and contact information, the specific right(s) you wish to exercise, sufficient information to verify your identity, and any relevant details (wallet address, dates of activity, specific data).

8.11 Response Timeline

We will respond to your request within one month of receipt. If we need to extend this deadline (for complex requests), we will inform you and explain the reasons. The maximum extension is an additional two months (total of three months).

8.12 Verification and Limitations

We may request additional information to verify your identity before fulfilling requests, which protects against fraudulent or unauthorized requests. Providing additional verification information is not mandatory; however, failure to provide verification may result in the request being refused. You can make requests in person or through a third party (e.g., proxy, legal representative), and we may require proof of authorization for third-party requests.

Your rights are not absolute. We reserve all available rights under applicable law to refuse manifestly unfounded or excessive requests, charge a reasonable fee for repetitive or excessive requests, decline requests that would compromise security, legal obligations, or the rights of others, and retain data despite erasure requests if required for legal, regulatory, or compliance purposes.


9. Cookies, Analytics, and Marketing

9.1 What Are Cookies

Cookies are small text files stored on your device by your web browser when you visit a website. They enable the website to remember your preferences and settings, track your activity and usage patterns, and improve user experience and functionality. Cookies may contain Personal Data if the information they collect can be linked to an identified or identifiable person (e.g., IP addresses, unique identifiers).

9.2 How We Use Cookies

We use cookies for analytics (understanding how users interact with the Site), marketing (personalizing content and advertisements, if applicable), functionality (storing preferences and improving user experience), and essential operations (ensuring the Site functions properly).

9.3 Types of Cookies We Use

Session Cookies: Track your actions as you navigate the Site, are stored temporarily and deleted when your browser is closed, and are used to maintain session state and form inputs.

Persistent Cookies: Save your preferences and settings for future visits, remain on your device for a predetermined timeframe or until manually deleted, and are used to remember login status, language preferences, and theme choices.

Essential Cookies (Strictly Necessary): Ensure the proper functioning of the Site and its essential features by enabling core functionality (navigation, security, accessibility), remembering your cookie preferences, and maintaining session state. These cookies do not require consent as they are necessary for the Site to function. Without them, you cannot use the Site and its services properly.

Optional Cookies (Require Consent):

(a) Analytics Cookies: Track the number and sources of visits to the Site to measure and improve Site performance, understand which pages are most or least visited, and analyze how visitors navigate the Site. Examples: Google Analytics, Hotjar. If refused, your visit will not be included in our statistics, but it will not restrict any Site functionality.

(b) Marketing Cookies: Personalize content and advertisements displayed on the Site and third-party websites to tailor advertisements to your interests, track advertising campaign effectiveness, and deliver personalized marketing on third-party platforms. If refused, you will be shown generic and non-personalized advertisements, but it will not restrict any Site functionality.

(c) Functional Cookies: Store and customize the Site according to your choices to remember language preferences, theme or display settings, and enhance user experience. If blocked, some parts of the Site may not work correctly.

(d) Third-Party Cookies: Currently provided by Google Analytics and Hotjar, which fall within Analytics and Marketing cookies. Their privacy policies are available at https://policies.google.com/privacy (Google Analytics) and https://www.hotjar.com/legal/policies/privacy (Hotjar). You can opt out of each or all of them without restricting Site functionality.

Essential cookies are installed and used automatically without your consent, as they are necessary for the Site to function. Optional cookies are only installed and used with your consent.

Upon your first visit to the Site, a cookie banner will inform you that cookies are used and present you with options:

Allow All: Gives consent for all Optional cookies (Analytics, Marketing, Functional, Third-Party) and affirms that you have read and agreed to this Policy.

Reject All: Rejects all Optional cookies. Essential cookies will still be installed and used (required for Site functionality).

Personalize / Cookie Settings: Choose which categories of Optional cookies to enable or disable. This option does not apply to Essential cookies (they cannot be disabled).

You can change your cookie consent at any time by accessing the cookie settings on the Site (usually in the footer or privacy settings), adjusting your preferences through the cookie banner (if it reappears), or using your browser settings to manage or delete cookies.

You can also manage cookies through your browser settings to block or disable cookies, receive notifications when cookies are being set, or delete existing cookies. Browser help documentation:

Note that blocking or deleting Essential cookies may prevent the Site from functioning properly.


10. International Data Transfers

10.1 We may process and transfer Personal Data outside of the European Economic Area (EEA) and the United Kingdom. This may include transfers to countries where our service providers, infrastructure, or third parties are located, and countries where regulatory authorities or law enforcement request information.

10.2 Any processing or transfer of Personal Data is conducted in accordance with appropriate transfer mechanisms under GDPR and UK GDPR.

10.3 If we transfer Personal Data to a country that has not been deemed by the EU as having an adequate level of data protection, we will ensure appropriate safeguards are in place. We will conclude contracts based on Standard Contractual Clauses published by the European Commission (available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en). We will implement supplementary measures to ensure the highest standards of data protection, which may include encryption, access controls, and contractual commitments from service providers.

10.4 The current list of countries with adequacy decisions is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

10.5 You have the right to request information about the safeguards in place for your data transfers and obtain a copy of Standard Contractual Clauses or other transfer mechanisms. Contact us at VIRTUSplatform@proton.me for more information about international data transfers.


11. Age Restriction

The Site and DeFi Protocol are strictly restricted to persons who are of legal age in their jurisdiction of residence and in no event under the age of 18 (or the age of majority in your jurisdiction, whichever is higher). By accessing or using the Services, you represent and warrant that you meet this age requirement.

We do NOT knowingly collect Personal Data from persons under 18. If we inadvertently process Personal Data from a person under 18, we will take legally permissible measures to cease processing the data immediately, delete or anonymize the data as soon as possible, and remove that data from our records.

VIRTUS bears no liability for any loss, damage, or consequence arising from access to or use of the Services by persons under 18, and any such access is a material breach of these Terms. Parents and legal guardians are solely responsible for monitoring and preventing unauthorized access by minors.

If you, as a parent or guardian, become aware that your child has provided Personal Data to us, please contact us immediately via email at VIRTUSplatform@proton.me with the subject line "Children's Privacy Concern". We will take prompt action to remove the data.


12. Blockchain Data Transparency and Permanence

CRITICAL NOTICE: All blockchain transactions and wallet addresses are publicly visible and permanently recorded on public blockchains. This includes:

  • All transactions you sign and broadcast
  • Your wallet address(es) and token balances
  • Smart contract interactions and function calls
  • Transaction amounts, timestamps, gas fees, and metadata
  • Staking activity, delegation history, and rewards

Blockchain data is NOT controlled by VIRTUS Protocol or any single entity, CANNOT be deleted, modified, or made private by us or anyone else, is accessible to anyone via block explorers, node queries, or APIs, and may be analyzed by third parties including blockchain analytics firms (Chainalysis, Elliptic, TRM Labs), researchers and academics, law enforcement and regulatory authorities, and other users or malicious actors.

Privacy Implications

Blockchain transactions are pseudonymous, NOT anonymous. Your wallet address is a pseudonym, not directly linked to your real name; however, sophisticated analysis can link wallet addresses to real-world identities. De-anonymization can occur through centralized exchange (CEX) KYC/AML data (if you deposited/withdrew), IP address logging by nodes or services, transaction graph analysis and clustering, social media disclosures (posting your address publicly), and on-chain activity patterns (unique behaviors).

Once a blockchain address is associated with you, ALL past and future transactions may be traced, transaction history is permanent and public, and privacy cannot be retroactively added.

BY USING THE SITE OR DEFI PROTOCOL, YOU ACKNOWLEDGE AND ACCEPT THAT blockchain transactions are public and permanent, your financial activity on blockchains may be visible to anyone, VIRTUS Protocol cannot delete, modify, or hide blockchain data, you assume all privacy risks associated with public blockchain transactions, and you are responsible for understanding and managing your own privacy on blockchains.

If you require privacy, consider using privacy-focused blockchains (where legal), employing best practices for pseudonymity (separate wallets for different purposes), avoiding linking blockchain addresses to personal identities, and understanding the inherent limitations of blockchain privacy.


13. Compliance and Reporting Obligations

13.1 VIRTUS Protocol may be legally obligated to collect, retain, and report certain information to regulatory authorities; cooperate with law enforcement investigations and proceedings; disclose information in response to valid legal processes (subpoenas, court orders, warrants); comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations; and implement sanctions screening and comply with economic sanctions programs.

13.2 We prioritize legal compliance over user privacy expectations. This means we will comply with lawful requests for information, even without user consent; disclose information if required or permitted by law; cooperate with regulatory investigations and enforcement actions; and not resist valid legal processes on behalf of users.

13.3 Disclosures to authorities, regulators, or compliance providers may occur WITHOUT prior notice to you if we are legally prohibited from notifying you (e.g., gag orders, ongoing investigations), notification would compromise an investigation or legal proceeding, we identify or suspect prohibited uses, illegal activity, or sanctions violations, or immediate disclosure is necessary to comply with urgent legal obligations.

13.4 By using the Site or DeFi Protocol, you consent to collection and retention of information for compliance purposes, disclosure of information to authorities, regulators, and compliance providers, sharing of information with sanctions screening services and blockchain analytics firms, and reporting of suspicious activity, violations of law, or prohibited conduct.

IF YOU DO NOT CONSENT TO SUCH COMPLIANCE-RELATED DATA PROCESSING AND DISCLOSURE, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.


14. Do Not Track (DNT) Signals

The Site does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry-wide standard for DNT compliance.


15. Updates to This Privacy Policy

This Policy may be regularly reviewed and updated as required to reflect changes in our data practices, comply with new legal or regulatory requirements, address new technologies or features, and improve clarity and transparency.

The current Policy is always available at https://docs.virtus-protocol.com/docs/Legal/Privacy-Policy.

Each revision will include the date of the last revision at the top of the Policy. For material changes that significantly affect your rights, we may provide additional notice (email, in-app notification, prominent Site banner); however, such notice is not required for the changes to be effective.

Changes are binding on users and will take effect immediately upon posting. You are advised to check the Policy periodically to familiarize yourself with any changes. Continued use of the Site or DeFi Protocol after changes are posted constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must cease using the Site and DeFi Protocol.

Please observe which version of the Policy applies to you before you use the Site or enter into any transaction using the DeFi Protocol.


16. Contact Us

For questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

Email: VIRTUSplatform@proton.me

Please use the following subject lines as appropriate:

  • "General Privacy Inquiry"
  • "GDPR Rights Request" (for EU/EEA/UK users)
  • "Data Protection Inquiry"
  • "Privacy Complaint"
  • "Children's Privacy Concern"

We will respond to your inquiry as promptly as possible, typically within 30 days (or as required by applicable law, such as one month for GDPR requests).


17. Acknowledgment and Acceptance

By accessing or using the Site or DeFi Protocol, you acknowledge that:

  • You have read and understood this entire Privacy Policy
  • You consent to the collection, use, processing, storage, and disclosure of your information as described herein
  • You understand that blockchain data is public, permanent, and beyond our control
  • You accept the privacy risks associated with public blockchain transactions
  • You agree to international transfers of your information
  • You consent to compliance-related disclosures to authorities and third parties
  • You have had the opportunity to seek independent legal advice
  • You voluntarily agree to be bound by this Policy

IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT USE THE SITE OR DEFI PROTOCOL.


© 2026 VIRTUS Protocol. All rights reserved.