Privacy Policy

As of May 28, 2024

This Privacy Policy aims to inform you, the user (“you”, “your”, or “user”), about how Composable Finance Ltd. and its affiliates and related entities (“Composable”, “we”, “our”, “us”, or the “Company”) collect, use, manage, and share Personal Data in our product, Picasso, and its associated website https://www.picasso.network or online locations that link to this Privacy Policy. This policy also covers your rights and choices regarding your Personal Data, in compliance with Saint Lucia’s Data Protection Act, the United Kingdom’s Data Protection Act, the European Union’s General Data Privacy Regulation (GDPR), and other applicable privacy laws, rules, and regulations. Picasso, as part of our evolving suite of services, enables cryptocurrency transactions and management through and interactions with blockchain wallets. It allows users to stake cryptocurrency (via a novel restaking method) and to bridge assets across different supported blockchains.

The Privacy Policy applies to Personal Data collected, used, stored, disclosed, and/or processed by Picasso in connection with these functionalities as outlined in our Terms of Use (https://www.picasso.network/terms-of-use).

By connecting your blockchain wallet, submitting information, and/or signing up for Picasso, you consent to the collection, use, retention, and disclosure of your Personal Data and other information as described in this Privacy Policy. If you do not agree with these terms, you should immediately cease using Picasso and refrain from accessing related websites. We reserve the right to revise and update this Privacy Policy at any time. Changes will be effective immediately upon posting the updated Privacy Policy on Picasso-related websites. Your continued use of Picasso signifies your consent to the current version of the Privacy Policy.

1. Collected Information
When you interact with Picasso, we may collect the following information, which may include your Personal Data.
Blockchain Wallet Address: Refers to the unique identifier of your digital wallet in a blockchain network, used for sending and receiving digital assets. Transactions on the blockchain are permanent and public, allowing for the verification and tracking of asset movement between wallet addresses.
Log Files: Records events occurring during your use of Picasso, such as viewing content or interacting with the services.
Financial Information: Relates to your blockchain wallet, including balances, transaction history, trading data, and associated fees.
Transaction Information: Details of your transactions through Picasso, including type, amount, and timestamp.
Correspondence: Feedback, responses to surveys, and communications with our support teams, including through help chat or social media channels.
Online Identifiers: Geographical location or tracking details, browser fingerprint, operating system, browser name and version, and IP addresses.
Usage and Diagnostics Data: Conversion events, user preferences, crash logs, device information, and data collected via cookies and similar technologies.
Information from Third Parties: Information about you from other sources as required by law, including public databases. This is combined with information collected from Picasso for legal compliance and to prevent illicit activities.
Cookies and Tracking Technologies: We and authorized third parties use cookies, web beacons, and similar technologies for recording preferences, tracking use of Picasso, and collecting usage information. This may include IP addresses, browser type, ISP, referring/exit pages, operating system, device information, date or time stamp, clickstream data, and interactions with communications sent to you. Necessary cookies are used for essential site functionalities, and you may disable cookies, with the understanding that this could impact your ability to use certain services.
In addition, for user experience optimization and internal analysis, we may:
Store your cookie consent state for the current domain.
Register information regarding on-site behavior or actions taken.
Collect data from your navigation and interaction with Picasso.

2. Collection of Personal Data
Personal Data, which may include your blockchain wallet address and other identifying numbers, symbols, or information as defined under applicable law, is collected during your interaction with Picasso. This includes when you:
Stake Digital Assets: When you stake digital assets.
Interact with the Vault Contract: When you deposit or restake your Solana into our Vault contract.
Approve Transactions with Phantom Wallet: When you approve transactions through your Phantom wallet, which is the primary wallet supported by Picasso at this stage.
Please note that this list is not exhaustive. For example, other wallets supported by Picasso also include Polkadot.js, Talisman, Leap, Metamask, and Keplr. We may also collect Personal Data through other activities related to the use of Picasso, or from other companies or third parties as permitted or required by law. This additional collection may be necessary for us to provide you with full functionality of our services, ensure compliance with regulatory requirements, or to enhance your user experience with Picasso.

3. Services and Features
The Personal Data we collect through Picasso is utilized to provide, maintain, and improve our services, as detailed in the Terms of Use. This includes using Personal Data to:
Operate and Maintain Picasso: Ensuring the smooth functioning of all features, including staking and bridging.
Customize and Improve User Experience: Tailoring services to user preferences and enhancing overall user interaction with Picasso.
Process Cryptocurrency Transactions: Facilitating actions such as staking, withdrawing, and managing digital assets through Picasso.
Create and Update User Accounts: Managing user account details relevant to Picasso’s features.
Send Communications: Distributing information, marketing messages, updates, security alerts, and other administrative messages related to Picasso.
Create De-identified or Aggregated Data: For analytical and statistical purposes, ensuring user privacy in such processes.
Ensure Safety and Security: Protecting the integrity and security of Picasso, its users, and their data.
Provide Customer Support: Offering assistance and resolving issues related to Picasso and its functionalities.
Test, Research, and Develop Products: Enhancing Picasso through user feedback, research, and development for improved features and services.
Compare Information with Third-Party Databases: For verification, compliance, and ensuring the authenticity of user information.
This list is not exhaustive and may evolve as Picasso develops and introduces new features.
We are committed to using your Personal Data to enhance your experience with Picasso while ensuring the security and privacy of your information.

4. Sharing and Disclosure of Information
We uphold a strict principle of not selling, renting, exchanging, sharing, or otherwise disclosing your Personal Data to third parties for marketing purposes. Any sharing or disclosure of information we collect through Picasso adheres to the practices described in this Privacy Policy. The categories of parties and instances in which we may share your information include, but are not limited to:
Affiliates: Information may be shared with our affiliates and related entities, particularly when they act as our service providers in relation to Picasso.
Service Providers: We collaborate with third-party service providers for various business purposes. These include fraud detection and prevention, security threat detection, payment processing, customer support, data analytics, information technology, storage, and transaction monitoring for Picasso. All service providers are bound to adhere to this Privacy Policy, and they are restricted to using the information solely on our behalf and in accordance with our instructions.
Professional Advisors: Information may be shared with our professional advisors for audit purposes and to ensure compliance with legal and regulatory obligations.
Merger or Acquisition: In the event of a merger, sale, acquisition, or any business combination involving our assets, or transfer of our business to another entity, information may be shared as part of such transactions.
Security and Compelled Disclosure: We may disclose information to comply with legal processes or in response to lawful requests by public authorities, law enforcement agencies, data protection authorities, regulatory agencies, or government officials, including for national security or law enforcement requirements.
Facilitating User Requests: We may share information about you if requested or instructed by you.
Consent: Information may be shared based on your consent.
Other Legitimate Purposes: We may share your information for the Company’s legitimate purposes, for the conclusion or performance of a contract, or for the provision of Picasso’s services.
Notwithstanding the above, we may share information that does not personally identify you (including aggregated or de-identified data), except where prohibited by applicable law.

5. Additional Disclosure
This Additional Disclosure outlines our practices regarding the collection, use, and sharing of Personal Data that users provide to us in the context of initiating, completing, or facilitating transactions related to the services offered by Picasso. In instances of conflict between this Additional Disclosure and other sections or provisions of this Privacy Policy, the terms of this Additional Disclosure will take precedence. Even after you cease using Picasso’s services, we may continue to share your information, which includes, but is not limited to, the following categories:
Contact Details: Personal contact information provided during the use of Picasso.
IP Addresses: IP addresses recorded during interactions with Picasso.
Trading History: Details of transactions and staking activities conducted through Picasso.
Blockchain Wallet Addresses and Information: Your unique blockchain wallet identifiers and related transactional data.
Conversion Events: Specific events related to the conversion or exchange of digital assets within Picasso.
Please note that, notwithstanding the above, we may share information as described in the broader context of this Privacy Policy, except where such sharing is prohibited by applicable law.

6. Other Parties
In the course of providing Picasso’s services, we may incorporate technologies operated or controlled by third parties. This could include, but is not limited to, linking to websites, platforms, and other services not operated or controlled by us, especially those pertinent to cryptocurrency transactions and wallet services. When you engage with these third-party entities, including when you navigate away from Picasso, these parties may independently collect information about you and may solicit information from you. It's important to note that the information collected and stored by these third parties is governed by their own privacy policies and practices. This includes how they share information with us, your rights and choices on their services and devices, and their practices regarding the storage of information in different locations globally. We do not exercise control over these third-party entities or their content. Therefore, we cannot be held liable or responsible for the content, privacy policies, or services provided by these third parties. We strongly advise you to familiarize yourself with their privacy policies and terms of use to understand how they manage your information.

7. Data Security
At Picasso, we are committed to safeguarding your Personal Data. We implement and maintain robust administrative, physical, and technical security measures designed to protect your Personal Data from external threats, loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. These measures are particularly crucial in the context of cryptocurrency transactions and digital wallet interactions. Our security protocols include, but are not limited to:
Encryption Technologies: To secure data transmissions and protect your information from unauthorized access.
Secure Wallet Interactions: Enhanced security measures for interactions with the Phantom wallet and other digital wallet services.
Regular Security Audits: Conducting periodic reviews and updates of our security infrastructure to address emerging threats and vulnerabilities.
Access Control Measures: Limiting access to your Personal Data to only those employees or agents of Picasso who need it to provide services to you.
Despite our rigorous security practices, it is important to acknowledge that no system can be completely secure. Therefore, we cannot guarantee the absolute security of your Personal Data against all possible breaches. As such, we urge you to take personal precautions, especially in managing your blockchain wallet and credentials. You are responsible for all activities conducted through Picasso that involve any of your blockchain addresses or cryptocurrency wallets. This includes ensuring the security of your wallet credentials and any devices used to access Picasso.

8. International Transfer
Given the global scope of cryptocurrency transactions and the decentralized nature of blockchain technology, information collected through Picasso may be subject to international transfer, processing, storage, and use. This includes transfers to and within the European Economic Area (EEA), the United Kingdom (UK), and other jurisdictions around the world. It's important to recognize that data protection laws in the EEA, the UK, and other jurisdictions may differ from those in your country of residence. By using Picasso and providing your information in the context of our services, you are consenting to:
The transfer of your Personal Data to various jurisdictions, which may include the EEA and the UK.
The processing and usage of your Personal Data in these jurisdictions.
The sharing and storage of your Personal Data in accordance with the practices outlined in this Privacy Policy.
Our commitment is to ensure that your Personal Data is protected and handled with the utmost care, irrespective of where it is processed or stored. We take steps to ensure that any such international transfers comply with applicable data protection laws and that your data remains secure and protected as per the standards set out in this Privacy Policy.

9. Your Rights
As a user of Picasso, you have specific rights regarding your Personal Data, in accordance with data protection laws. These rights include:
Access to Personal Data: You have the right to request access to and obtain a copy of your Personal Data that we hold.
Rectification of Personal Data: If you find that the Personal Data we hold about you is inaccurate or incomplete, you have the right to have it corrected or supplemented.
Objection to Processing: You have the right to object to the processing of your Personal Data under certain conditions.
Deletion of Personal Data: You can request the deletion or removal of your Personal Data from our systems, subject to certain exceptions.
Additionally, if we have collected and processed your Personal Data based on your consent, you have the right to withdraw this consent at any time. Please note that withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal. It's important to note that while we can edit or delete information stored in our systems, we cannot modify or erase data that is recorded on a blockchain. This includes transaction data associated with your blockchain wallet address and digital assets held in your wallet. To exercise any of these rights, please contact us at the email or postal address provided in this Privacy Policy. Specify the right(s) you wish to exercise, and we will respond to your request within thirty (30) days. We may need to verify your identity to process your request. We may retain information as necessary for the purposes for which it was collected and may continue to use this information even after your request, in accordance with our legitimate interests, legal obligations, dispute resolutions, fraud prevention, and enforcement of agreements. However, you retain the right to lodge a complaint with the data protection regulator in your jurisdiction.
Please understand that your ability to use Picasso or certain aspects of it may be contingent on providing certain Personal Data. Your data protection rights are not absolute, and we may deny your request in accordance with applicable data protection laws, providing reasons for such denial.

10. Retention Period
In line with the unique nature of cryptocurrency transactions and the management of digital assets on Picasso, we store and retain the Personal Data you provide for as long as necessary. This duration is determined by several factors:
Continued Use of Services: We retain your Personal Data for the period necessary to support your continued use of Picasso and its features, such as staking, team functionalities, and wallet interactions.
Contractual Obligations: The retention period also aligns with the duration of your contract with us, ensuring that we can fulfill our contractual commitments to you.
Compliance with Laws and Regulations: We adhere to applicable laws and regulations regarding data retention, particularly those pertaining to financial transactions and cryptocurrency operations. This includes maintaining records for a certain period as required by law for audit, regulatory compliance, and tax purposes. We regularly review our data retention policies to ensure they align with legal and regulatory requirements and the operational needs of Picasso. Once your data is no longer required for these purposes, or upon your request where applicable, we will either delete or anonymize your Personal Data, unless further retention is required by law.
Please note that due to the immutable nature of blockchain technology, certain transactional data recorded on the blockchain, associated with your wallet address, cannot be altered or deleted by us.

11. Withdrawal and Deactivation
If you choose to discontinue using Picasso, disconnect your blockchain wallet, or deactivate your account (where applicable), the handling of all Personal Data or information associated with you will be governed by this Privacy Policy, Saint Lucia law, and the Company’s other policies. It’s important to note that such deactivation is not automatically considered as a withdrawal of consent for our use and disclosure of your Personal Data, unless you explicitly request or inform us in writing. Should you decide to withdraw your consent for us to use and/or disclose your Personal Data, we will cease collecting your information, unless there is a legal basis for its continued collection. However, this decision may impact our ability to provide services to you or maintain any existing contractual relationship. The nature of your request might lead to the termination of our agreements and could be considered a breach of your contractual obligations. In such cases, we reserve the right to pursue any legal remedies available. Furthermore, the withdrawal of your consent does not affect the lawfulness of data collection based on consent given before its withdrawal. Additionally, due to the immutable nature of blockchain technology, we may not be able to alter or remove data recorded on the blockchain, such as transaction history associated with your wallet address.

12. Legal Age
Picasso is designed for a general audience but is specifically directed towards users who have reached the legal age of majority, which typically corresponds to the age at which a person can legally engage in cryptocurrency transactions and digital asset management. We do not knowingly provide services to minors who lack the legal capacity under applicable laws to engage in these activities. If it comes to our attention, or if any individual suspects that a minor is using Picasso, we request immediate notification. Upon confirmation, we will take appropriate steps to remove any information collected from the minor and ensure that their access to our services is restricted, in compliance with relevant laws. This action is crucial for aligning with legal requirements surrounding the use of financial and cryptocurrency services by minors. We strongly advise users to respect these age restrictions, as the use of Picasso involves complex financial activities and decisions that require a certain level of maturity and understanding of the risks involved in cryptocurrency transactions.

13. Applicable Law and Jurisdiction
This Privacy Policy, governing the use of Picasso, shall be interpreted and enforced in accordance with the laws of Saint Lucia. This choice of law is in line with our operational base and legal framework, notwithstanding the global reach and nature of our cryptocurrency services. It is important to note that while Picasso operates within a global context, involving users from various jurisdictions, any legal disputes or issues arising in relation to this Privacy Policy will be exclusively subject to the jurisdiction of the courts of Saint Lucia. This applies regardless of your location, the jurisdiction from which you access Picasso, or the jurisdiction in which the transaction takes place. By using Picasso, you agree to submit to the exclusive jurisdiction of Saint Lucia’s courts for any disputes arising under this Privacy Policy, irrespective of any conflict of law principles. This ensures a consistent legal framework for the interpretation and enforcement of the terms and conditions set forth in this Privacy Policy.

14. Specific Disclosures and Notices
Specific Notice to California Residents (“CCPA Notice”): Under the California Consumer Privacy Act of 2018 (“CCPA”), California residents are entitled to certain disclosures about the collection, use, and sharing of their Personal Data.
Privacy Practices: We do not sell your Personal Data or “personal information” as defined under the CCPA.
Privacy Rights: The CCPA grants the right to request information about our collection, use, and sharing of your personal information. You also have the right to request a copy of the information we hold about you and to ask for the deletion of your personal information, subject to certain limitations under the CCPA.
Submitting Requests: Requests for information, access, or deletion can be submitted to legal@composable.finance.
Identity Verification: We are required to verify the identity of individuals submitting CCPA requests to ensure the security of your personal information.
Authorized Agents: California residents may use an authorized agent for these requests, provided there is written authorization for their representation.
Additional Disclosures for European Union Data Subjects or Users (GDPR Notice): In compliance with the General Data Protection Regulation (GDPR), we process Personal Data as follows:
Basis for Processing: Our processing of your Personal Data is justified on several bases, including your consent, the necessity of processing for contractual performance, legal compliance, and legitimate interests pursued by us or a third party.
GDPR Rights: You have the right to access, rectify, or delete your personal data, object to or restrict processing, and request data portability. You may withdraw your consent at any time. However, we cannot modify or erase data recorded on the blockchain, such as transaction data or wallet address information.
Exercising GDPR Rights: To exercise your GDPR rights, please contact us at legal@composable.finance. We may need additional information from you to process your request. We may continue to retain information as necessary for purposes for which it was collected and may do so even after a data subject request, in line with our legitimate interests, legal obligations, dispute resolution, fraud prevention, and agreement enforcement.

15. Contact Us
For any inquiries, requests, or concerns related to this Privacy Policy, your Personal Data, or our data practices, you are encouraged to contact us. Whether you need assistance with exercising your rights as outlined above, have questions about how we handle your data, or wish to discuss our compliance with applicable laws, our team is ready to assist.
Please reach out to us through the following channels:
Email: For direct communication, send your queries or requests to legal@composable.finance.
Postal Mail: If you prefer to contact us via mail, please address your correspondence to:
1st Floor, The Sotheby Building, Rodney Village, Rodney Bay, LC 04 101, Gros Islet, Saint Lucia.
We are committed to addressing your concerns and queries in a timely and effective manner. Your privacy and trust are paramount to us, and we strive to ensure that your experience with Picasso is secure and compliant with relevant data protection standards.

16. Access and Acceptance
By connecting your blockchain wallet, accessing, or interacting with Picasso, or by acknowledging or accepting this Privacy Policy through any other means, you are affirming your understanding and agreement to the terms and conditions outlined in this Privacy Policy. Your interaction with Picasso, including staking activities and any other related services, signifies your consent to the collection, use, and sharing of your Personal Data as described herein. If at any point you do not agree to these terms, it is your responsibility to cease accessing and using Picasso and its associated services immediately. Continued use of Picasso following any changes to this Privacy Policy will constitute your acceptance of those changes. It is important to regularly review this Privacy Policy to stay informed about our information practices and the ways you can help protect your privacy. Your use of Picasso signifies your agreement to be bound by the terms of this Privacy Policy as amended from time to time.