# Privacy Policy

**Last Updated:** February 2026

**Effective Date:** February 2026

## **1. INTRODUCTION AND SCOPE**

This Privacy Policy ("**Policy**") describes how Aurora Labs Limited ("Aurora," "we," "us," or "our") collects, uses, discloses, and protects personal information when you access or use the Aurora Intents Widget, related APIs, and associated services (collectively, the "**Services**").

This Policy applies to:

* Integrators who register for and use the Intents Widget
* Visitors to our websites and applications
* Any person whose personal information we process in connection with the Intents Widget

**This Policy does not apply to:**

* End Users who interact with the NEAR Intents Protocol through Integrator platforms (Integrators are responsible for their own privacy policies)
* Third-party services, including the NEAR Intents Protocol, blockchain networks, or wallet providers

By accessing or using our Services, you acknowledge that you have read and understood this Policy.

## **2. DATA CONTROLLER**

For the purposes of applicable data protection laws, the data controller is:

**Aurora Labs Limited**

**Contact:** <legal@aurora.dev>

## **3. INFORMATION WE COLLECT**

### **3.1 Information You Provide Directly**

|       Data Type       |                         Purpose                        |         Collected Via        |
| :-------------------: | :----------------------------------------------------: | :--------------------------: |
|   **Email address**   | Account registration, API Key issuance, communications | Privy authentication service |
|   **Wallet address**  |                 Fee payout destination                 |      Widget Configurator     |
| **Fee configuration** |                  Service customization                 |      Widget Configurator     |
| **Support inquiries** |                    Customer support                    |    Email, support channels   |

### **3.2 Information Collected Automatically**

| Data Type                            | Purpose                                             |
| ------------------------------------ | --------------------------------------------------- |
| **IP address**                       | Security, fraud prevention, geographic restrictions |
| **Browser type and version**         | Service optimization, compatibility                 |
| **Device information**               | Service optimization, security                      |
| **Usage data**                       | Service improvement, analytics                      |
| **Log data**                         | Security monitoring, debugging                      |
| **Cookies and similar technologies** | See Section 8                                       |

### **3.3 Information from Third Parties**

| Source                  | Data Type                                      | Purpose                           |
| ----------------------- | ---------------------------------------------- | --------------------------------- |
| **Privy**               | Authentication data, email verification status | Account verification              |
| **Blockchain networks** | Public transaction data, wallet activity       | Fee attribution, service delivery |

### **3.4 Information We Do NOT Collect**

Aurora does not collect:

* Private keys or seed phrases
* End User personal information (this is the Integrator's responsibility)
* Financial account information (bank accounts, credit cards)
* Government-issued identification
* Biometric data
* Health information

## **4. HOW WE USE YOUR INFORMATION**

### **4.1 Purposes and Legal Bases**

| Purpose                                     | Legal Basis (GDPR/UK GDPR)                     | CCPA Category    |
| ------------------------------------------- | ---------------------------------------------- | ---------------- |
| **API Key issuance and account management** | Performance of contract                        | Business purpose |
| **Fee calculation and payout**              | Performance of contract                        | Business purpose |
| **Service delivery and maintenance**        | Performance of contract                        | Business purpose |
| **Security and fraud prevention**           | Legitimate interests                           | Business purpose |
| **Compliance with legal obligations**       | Legal obligation                               | Business purpose |
| **Service improvement and analytics**       | Legitimate interests                           | Business purpose |
| **Communications about the Services**       | Performance of contract / Legitimate interests | Business purpose |
| **Responding to inquiries and support**     | Performance of contract                        | Business purpose |

### **4.2 Legitimate Interests**

Where we rely on legitimate interests as a legal basis, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights. Our legitimate interests include:

* Maintaining the security and integrity of our Services
* Preventing fraud and abuse
* Improving and developing our Services
* Understanding how our Services are used

You have the right to object to processing based on legitimate interests. See Section 10.

## **5. HOW WE SHARE YOUR INFORMATION**

### **5.1 Categories of Recipients**

|              Recipient              |          Purpose         |            Data Shared           |
| :---------------------------------: | :----------------------: | :------------------------------: |
| **Privy (Authentication Provider)** |  Account authentication  |           Email address          |
|  **Cloud infrastructure providers** |      Service hosting     |       All data (encrypted)       |
|       **Analytics providers**       |    Service improvement   | Anonymized/aggregated usage data |
|      **Professional advisors**      | Legal, accounting, audit |           As necessary           |
|   **Law enforcement / regulators**  |     Legal compliance     |        As required by law        |

### **5.2 We Do NOT Sell Your Personal Information**

Aurora does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

For California residents: We do not "sell" or "share" (as defined under CCPA/CPRA) your personal information.

### **5.3 Blockchain Transparency**

If you provide a wallet address for fee payouts, please note that:

* Blockchain transactions are publicly visible
* Your wallet address and transaction amounts will be recorded on public blockchains
* This information cannot be deleted or modified once recorded
* Aurora has no control over the transparency of public blockchains

## **6. INTERNATIONAL DATA TRANSFERS**

Aurora is based in Gibraltar. If you are located in the European Economic Area ("EEA"), United Kingdom ("UK"), or other jurisdiction with data transfer restrictions, your information may be transferred to Gibraltar and other countries.

### **6.1 Transfer Safeguards**

We ensure appropriate safeguards for international transfers through:

| Mechanism                               | Application                                                               |
| --------------------------------------- | ------------------------------------------------------------------------- |
| **Adequacy decisions**                  | Gibraltar is recognized as providing adequate protection by the EU and UK |
| **Standard Contractual Clauses (SCCs)** | For transfers to countries without adequacy decisions                     |
| **Supplementary measures**              | Technical and organizational measures as appropriate                      |

### **6.2 Gibraltar Data Protection**

Gibraltar's Data Protection Act 2004 (as amended) provides data protection standards substantially similar to GDPR. Gibraltar has been recognized by the European Commission as providing an adequate level of data protection.

## **7. DATA RETENTION**

We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.

| Data Type                       | Retention Period              | Rationale                          |
| ------------------------------- | ----------------------------- | ---------------------------------- |
| **Account information (email)** | Duration of account + 3 years | Contract performance, legal claims |
| **Transaction/fee records**     | 7 years from transaction      | Tax, legal, audit requirements     |
| **Usage logs**                  | 12 months                     | Security, service improvement      |
| **Support communications**      | 3 years from resolution       | Service quality, legal claims      |

Upon termination of your account, we will delete or anonymize your personal information within 90 days, except where retention is required for legal, tax, or audit purposes.

## **8. COOKIES AND TRACKING TECHNOLOGIES**

### **8.1 Types of Cookies We Use**

|       Cookie Type      |                    Purpose                    |     Duration    |
| :--------------------: | :-------------------------------------------: | :-------------: |
| **Strictly necessary** | Authentication, security, basic functionality |     Session     |
|     **Functional**     |         Remember preferences, settings        | Up to 12 months |
|      **Analytics**     |  Understand usage patterns, improve Services  | Up to 12 months |

### **8.2 Third-Party Cookies**

We may use third-party analytics services (e.g., privacy-focused analytics) that set their own cookies. These third parties have their own privacy policies.

### **8.3 Your Cookie Choices**

You can control cookies through:

* Browser settings (blocking or deleting cookies)
* Our cookie consent mechanism (where applicable)

Note: Disabling strictly necessary cookies may prevent you from using certain features of the Services.

## **9. DATA SECURITY**

We implement appropriate technical and organizational measures to protect personal information, including:

* Encryption in transit (TLS/SSL) and at rest
* Access controls and authentication requirements
* Regular security assessments
* Employee training on data protection
* Incident response procedures

**No system is completely secure.** While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API Key and account credentials.

## **10. YOUR RIGHTS**

### **10.1 Rights Under GDPR and UK GDPR (EEA and UK Residents)**

If you are in the EEA or UK, you have the following rights:

| Right                                 | Description                                                            |
| ------------------------------------- | ---------------------------------------------------------------------- |
| **Access**                            | Request a copy of personal information we hold about you               |
| **Rectification**                     | Request correction of inaccurate or incomplete information             |
| **Erasure ("Right to be Forgotten")** | Request deletion of your personal information                          |
| **Restriction**                       | Request limitation of processing in certain circumstances              |
| **Data Portability**                  | Receive your data in a structured, machine-readable format             |
| **Object**                            | Object to processing based on legitimate interests or direct marketing |
| **Withdraw Consent**                  | Where processing is based on consent, withdraw at any time             |
| **Lodge a Complaint**                 | File a complaint with a supervisory authority                          |

**To exercise your rights:** Email <privacy@aurora.dev> with your request. We will respond within 30 days (extendable by 60 days for complex requests).

**Verification:** We may need to verify your identity before processing your request.

**Supervisory Authorities:**

* Gibraltar: Gibraltar Regulatory Authority ([www.gra.gi](http://www.gra.gi/))
* UK: Information Commissioner's Office ([www.ico.org.uk](http://www.ico.org.uk/))
* EU: Your local data protection authority

### **10.2 Rights Under CCPA/CPRA (California Residents)**

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

| Right                                                    | Description                                                               |
| -------------------------------------------------------- | ------------------------------------------------------------------------- |
| **Right to Know**                                        | Request disclosure of personal information collected, used, and disclosed |
| **Right to Delete**                                      | Request deletion of personal information                                  |
| **Right to Correct**                                     | Request correction of inaccurate personal information                     |
| **Right to Opt-Out of Sale/Sharing**                     | We do not sell or share your personal information                         |
| **Right to Limit Use of Sensitive Personal Information** | We do not collect sensitive personal information as defined by CCPA       |
| **Right to Non-Discrimination**                          | We will not discriminate against you for exercising your rights           |

**To exercise your rights:** Email <privacy@aurora.dev> or submit a request through \[contact method].

**Verification:** We will verify your identity using the email address associated with your account.

**Authorized Agents:** You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization.

**Response Time:** We will respond within 45 days (extendable by an additional 45 days with notice).

### **10.3 Categories of Personal Information (CCPA Disclosure)**

In the preceding 12 months, we have collected the following categories of personal information:

| Category                        | Collected | Source                   | Purpose                    | Disclosed To      |
| ------------------------------- | --------- | ------------------------ | -------------------------- | ----------------- |
| Identifiers (email, IP address) | Yes       | Directly, automatically  | Service delivery, security | Service providers |
| Internet/network activity       | Yes       | Automatically            | Analytics, security        | Service providers |
| Geolocation (general)           | Yes       | Automatically (IP-based) | Compliance, security       | Service providers |
| Professional information        | No        | N/A                      | N/A                        | N/A               |
| Financial information           | No        | N/A                      | N/A                        | N/A               |
| Sensitive personal information  | No        | N/A                      | N/A                        | N/A               |

## **11. CHILDREN'S PRIVACY**

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us at <privacy@aurora.dev> and we will promptly delete such information.

## **12. THIRD-PARTY LINKS AND SERVICES**

The Services may contain links to third-party websites, services, or applications, including:

* Blockchain explorers
* Wallet providers
* The NEAR Intents Protocol

These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review their privacy policies before providing any personal information.

## **13. DO NOT TRACK SIGNALS**

Some browsers offer a "Do Not Track" ("DNT") feature. There is no uniform standard for responding to DNT signals. Currently, our Services do not respond to DNT signals. However, you can control tracking through cookie settings as described in Section 8.

## **14. CHANGES TO THIS POLICY**

We may update this Policy from time to time to reflect changes in our practices or applicable law.

**How we notify you:**

* Material changes: Email notification to the address associated with your account
* Minor changes: Updated "Last Updated" date at the top of this Policy

**Your continued use** of the Services after changes become effective constitutes acceptance of the revised Policy.

We encourage you to review this Policy periodically.

## **15. CONTACT US**

If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact us:

**Aurora Labs Limited**

**Email:** <privacy@aurora.dev>

**Postal Address:** \[Full registered address] Gibraltar

**For data protection inquiries:** Data Protection Contact: <privacy@aurora.dev>

**Response time:** We aim to respond to all inquiries within 30 days.

## **16. ADDITIONAL DISCLOSURES**

### **16.1 Gibraltar Data Protection**

This Policy complies with the Gibraltar Data Protection Act 2004 (as amended), which implements standards equivalent to GDPR.

### **16.2 Privy as Data Processor**

Aurora uses Privy (privy.io), a Stripe company, to provide authentication services for the Widget Configurator.

In this context:

* **Aurora is the data controller** - we determine the purposes and means of processing your email address for account registration and API Key issuance.
* **Privy is a data processor** - they process your authentication data on our behalf and according to our instructions.

Privy maintains SOC 2 Type II certification, uses hardware-backed security environments, and undergoes regular third-party audits. For more information about Privy's security practices, visit <https://www.privy.io/security>.

Privy's processing of your data is governed by a Data Processing Agreement between Aurora and Privy, which includes Standard Contractual Clauses for international data transfers where required.

### **16.3 No Automated Decision-Making**

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

**END OF PRIVACY POLICY**
