Privacy Policy
Decaf, Inc. and its subsidiaries and affiliates (“Decaf,” “we,” “our,” or “us”) are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use:
• The Decaf Wallet mobile application (“Wallet Services”)
• The Decaf Visa Card program (“Card Services”)
• Messaging-based financial interfaces, including WhatsApp (“Messaging Services”, https://decaf.so/chat)
• AI-powered conversational financial automation (“AI Services”)
• Disbursement programs facilitated through the Stellar Disbursement Platform (“SDP”)
• Our website (https://decaf.so) and related services (collectively, the “Services”).
By using our Services, you agree to this Privacy Policy.
1. Blockchain Services & Public Ledger Notice
The Wallet Services enable you to generate and broadcast transactions on public blockchain networks, including:
• Stellar Development Foundation (Stellar Network)
• Solana Labs (Solana Network)
Transactions broadcast to public blockchains are:
• Publicly visible
• Immutable
• Not controlled by Decaf
• Not capable of deletion
Blockchain data may include wallet addresses, public keys, timestamps, and transaction amounts. This Privacy Policy does not apply to information permanently recorded on public blockchains.
Non-Custodial Wallet Model. The Decaf Wallet is designed to be non-custodial. Messaging and AI features may use third-party infrastructure to facilitate non-custodial wallet functionality.
2. Information We Collect
2.1 Information You Provide
We may collect:
• Full name
• Date of birth
• Email address
• Phone number
• Government-issued identification
• Residential address
• Tax ID / SSN (where required)
• Wallet addresses
• Bank account details (if linked)
• Transaction instructions
• Messages sent via Messaging Services
• Uploaded identification documents, selfies, or verification materials
• Voice notes or images voluntarily submitted
• Customer support communications
2.2 Phone-Number–Based Wallets
When using Messaging Services, your wallet may be associated with your phone number. We may use your phone number to:
• Identify and provision your wallet
• Facilitate peer-to-peer transfers
• Link messaging-based wallets to app-based accounts
• Conduct fraud detection and compliance screening
2.3 Messaging & Conversational Data
When you interact with Decaf via messaging platforms (including WhatsApp), we may collect:
• Message content
• Financial instructions
• Metadata (timestamps, delivery status)
• Device type (where available)
• Uploaded media
Messaging platforms are operated by third parties, including Meta Platforms (which operates WhatsApp). Your use of those platforms is governed by their respective privacy policies. Where messaging platforms provide end-to-end encryption, such encryption is governed by the platform provider.
2.4 Information Collected Automatically
We may collect:
• IP address
• Device identifiers
• Usage logs
• Transaction history
• Fraud detection signals
• Approximate location derived from IP
For Card Services:
• Tokenized card number
• Merchant information
• Transaction amounts
• Spending limits
• Authorization history
Card transactions may involve payment networks such as Visa Inc.
2.5 Information From Third Parties
We may receive data from:
• Identity verification providers
• AML and sanctions screening providers
• Fraud detection services
• Banking partners
• Card issuers
• Payment processors
• Institutional program sponsors
• Blockchain analytics providers
• Third-Party Infrastructure Providers (Messaging & AI Services).
Decaf may use third-party infrastructure providers to support Messaging Services and AI Services, including wallet provisioning, transaction orchestration, and security and compliance tooling. For example, Decaf integrates services provided by Crossmint to support certain Messaging and AI features. In our current implementation, we use Crossmint’s non-custodial services. These providers process personal data only on Decaf’s instructions and under contractual obligations consistent with applicable law.
3. Stellar Disbursement Platform (SDP)
Decaf may facilitate disbursement programs implemented through the Stellar Development Foundation Stellar Disbursement Platform (“SDP”) or related ecosystem infrastructure. SDP is an ecosystem solution designed to support institutional and humanitarian disbursement programs.
Decaf may act as:
• A wallet provider for beneficiaries
• A technical integration partner
• A service provider facilitating onchain settlement
• A data processor acting on behalf of a sponsoring organization
Certain elements of SDP infrastructure may be operated or supported by ecosystem partners within the Stellar network.
3.1 For Sponsoring Organizations
When organizations implement programs using SDP:
• The sponsoring organization typically acts as the data controller for beneficiary data it collects and provides.
• Decaf acts as a data processor or service provider, processing personal data solely to facilitate wallet provisioning, identity verification, regulatory compliance, and fund delivery.
• Sponsoring organizations are responsible for obtaining required legal consents and providing appropriate privacy notices to beneficiaries.
3.2 For Beneficiaries
If you receive funds through a program facilitated via SDP:
• Certain personal data (e.g., name, phone number, country) may be provided to Decaf by the sponsoring organization.
• We use that data only to deliver funds, verify identity where required, and comply with applicable law.
• Questions regarding data collected directly by the sponsoring organization should be directed to that organization.
4. Artificial Intelligence & Automated Processing
Decaf uses artificial intelligence systems to:
• Interpret conversational payment instructions
• Facilitate messaging-based financial interactions
• Detect fraud and suspicious activity
• Conduct compliance screening
• Improve reliability and service performance
We do not use personal data to train publicly available AI models. Where AI tools are provided by third-party vendors, we implement contractual protections designed to limit secondary use of personal data.
We may use automated systems for:
• Fraud detection
• Risk scoring
• Transaction monitoring
• KYC/AML screening
Where required by law, you may request human review of automated decisions that significantly affect you.
5. How We Use Information
We use personal data to:
• Provide Wallet, Card, Messaging, AI, and SDP Services
• Verify identity and conduct KYC
• Perform AML and sanctions screening
• Process financial transactions
• Prevent fraud
• Provide customer support
• Improve service performance
• Comply with regulatory obligations
• Protect platform security
We do not sell personal information.
6. Legal Bases for Processing (EEA/UK/Switzerland)
Where applicable, legal bases include:
• Contract performance
• Legal obligation
• Legitimate interests (fraud prevention, security)
• Consent (where required)
7. Data Retention
We retain personal data:
• While your account remains active
• As necessary to provide Services
• As required by financial and AML regulations (typically 5–7 years)
• For legitimate business and legal purposes
Blockchain data cannot be deleted once recorded.
8. Data Security
We implement industry-standard safeguards including:
• TLS/SSL encryption in transit
• AES-256 encryption at rest
• Role-based access controls
• Continuous monitoring
• Periodic security audits
• Secure SOC 2-compliant cloud infrastructure
No system is completely secure, but we take reasonable steps to protect your information.
9. International Transfers
We operate globally and may transfer personal data across borders. Where required by law, we rely on:
• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions
• Other lawful transfer mechanisms
10. Your Privacy Rights
Depending on jurisdiction, you may have rights to:
• Access personal data
• Correct inaccuracies
• Request deletion (subject to legal retention requirements)
• Restrict or object to processing
• Withdraw consent
• Request portability
• Lodge a complaint with a data protection authority
To exercise rights: legal@decaf.so
11. California Privacy Rights (CCPA)
California residents may:
• Request disclosure of collected personal information
• Request deletion (subject to exemptions)
• Confirm that we do not sell personal information
• Exercise rights without discrimination
Contact: legal@decaf.so
12. Brazil (LGPD)
Users in Brazil may exercise rights under the Lei Geral de Proteção de Dados (LGPD), including access, correction, anonymization, and deletion.
13. Children
Our Services are not directed to individuals under 18. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes may be communicated via:
• Website updates
• Email notice
• In-app notice
Continued use of Services constitutes acceptance.
15. Contact Information
Decaf, Inc.
2055 Limestone Rd STE 200-C
Wilmington, DE 19808
United States
Email: legal@decaf.so
Website: https://decaf.so