Privacy Policy

Last Updated: February 2026

Effective Date: February 2026

1. INTRODUCTION AND SCOPE

This Privacy Policy ("Policy") describes how Aurora Labs Limited ("Aurora," "we," "us," or "our") collects, uses, discloses, and protects personal information when you access or use the Aurora Intents Widget, related APIs, and associated services (collectively, the "Services").

This Policy applies to:

• Integrators who register for and use the Intents Widget

• Visitors to our websites and applications

• Any person whose personal information we process in connection with the Intents Widget

This Policy does not apply to:

• End Users who interact with the NEAR Intents Protocol through Integrator platforms (Integrators are responsible for their own privacy policies)

• Third-party services, including the NEAR Intents Protocol, blockchain networks, or wallet providers

By accessing or using our Services, you acknowledge that you have read and understood this Policy.

2. DATA CONTROLLER

For the purposes of applicable data protection laws, the data controller is:

Aurora Labs Limited

Contact: [email protected]

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

3.2 Information Collected Automatically

3.3 Information from Third Parties

3.4 Information We Do NOT Collect

Aurora does not collect:

• Private keys or seed phrases

• End User personal information (this is the Integrator's responsibility)

• Financial account information (bank accounts, credit cards)

• Government-issued identification

• Biometric data

• Health information

4. HOW WE USE YOUR INFORMATION

4.1 Purposes and Legal Bases

4.2 Legitimate Interests

Where we rely on legitimate interests as a legal basis, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights. Our legitimate interests include:

• Maintaining the security and integrity of our Services

• Preventing fraud and abuse

• Improving and developing our Services

• Understanding how our Services are used

You have the right to object to processing based on legitimate interests. See Section 10.

5. HOW WE SHARE YOUR INFORMATION

5.1 Categories of Recipients

5.2 We Do NOT Sell Your Personal Information

Aurora does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

For California residents: We do not "sell" or "share" (as defined under CCPA/CPRA) your personal information.

5.3 Blockchain Transparency

If you provide a wallet address for fee payouts, please note that:

• Blockchain transactions are publicly visible

• Your wallet address and transaction amounts will be recorded on public blockchains

• This information cannot be deleted or modified once recorded

• Aurora has no control over the transparency of public blockchains

6. INTERNATIONAL DATA TRANSFERS

Aurora is based in Gibraltar. If you are located in the European Economic Area ("EEA"), United Kingdom ("UK"), or other jurisdiction with data transfer restrictions, your information may be transferred to Gibraltar and other countries.

6.1 Transfer Safeguards

We ensure appropriate safeguards for international transfers through:

6.2 Gibraltar Data Protection

Gibraltar's Data Protection Act 2004 (as amended) provides data protection standards substantially similar to GDPR. Gibraltar has been recognized by the European Commission as providing an adequate level of data protection.

7. DATA RETENTION

We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.

Upon termination of your account, we will delete or anonymize your personal information within 90 days, except where retention is required for legal, tax, or audit purposes.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Types of Cookies We Use

8.2 Third-Party Cookies

We may use third-party analytics services (e.g., privacy-focused analytics) that set their own cookies. These third parties have their own privacy policies.

8.3 Your Cookie Choices

You can control cookies through:

• Browser settings (blocking or deleting cookies)

• Our cookie consent mechanism (where applicable)

Note: Disabling strictly necessary cookies may prevent you from using certain features of the Services.

9. DATA SECURITY

We implement appropriate technical and organizational measures to protect personal information, including:

• Encryption in transit (TLS/SSL) and at rest

• Access controls and authentication requirements

• Regular security assessments

• Employee training on data protection

• Incident response procedures

No system is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your API Key and account credentials.

10. YOUR RIGHTS

10.1 Rights Under GDPR and UK GDPR (EEA and UK Residents)

If you are in the EEA or UK, you have the following rights:

To exercise your rights: Email [email protected] with your request. We will respond within 30 days (extendable by 60 days for complex requests).

Verification: We may need to verify your identity before processing your request.

Supervisory Authorities:

• Gibraltar: Gibraltar Regulatory Authority (www.gra.gi)

• UK: Information Commissioner's Office (www.ico.org.uk)

• EU: Your local data protection authority

10.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

To exercise your rights: Email [email protected] or submit a request through [contact method].

Verification: We will verify your identity using the email address associated with your account.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization.

Response Time: We will respond within 45 days (extendable by an additional 45 days with notice).

10.3 Categories of Personal Information (CCPA Disclosure)

In the preceding 12 months, we have collected the following categories of personal information:

11. CHILDREN'S PRIVACY

The Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us at [email protected] and we will promptly delete such information.

12. THIRD-PARTY LINKS AND SERVICES

The Services may contain links to third-party websites, services, or applications, including:

• Blockchain explorers

• Wallet providers

• The NEAR Intents Protocol

These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review their privacy policies before providing any personal information.

13. DO NOT TRACK SIGNALS

Some browsers offer a "Do Not Track" ("DNT") feature. There is no uniform standard for responding to DNT signals. Currently, our Services do not respond to DNT signals. However, you can control tracking through cookie settings as described in Section 8.

14. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices or applicable law.

How we notify you:

• Material changes: Email notification to the address associated with your account

• Minor changes: Updated "Last Updated" date at the top of this Policy

Your continued use of the Services after changes become effective constitutes acceptance of the revised Policy.

We encourage you to review this Policy periodically.

15. CONTACT US

If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact us:

Aurora Labs Limited

Email: [email protected]

Postal Address: [Full registered address] Gibraltar

For data protection inquiries: Data Protection Contact: [email protected]

Response time: We aim to respond to all inquiries within 30 days.

16. ADDITIONAL DISCLOSURES

16.1 Gibraltar Data Protection

This Policy complies with the Gibraltar Data Protection Act 2004 (as amended), which implements standards equivalent to GDPR.

16.2 Privy as Data Processor

Aurora uses Privy (privy.io), a Stripe company, to provide authentication services for the Widget Configurator.

In this context:

• Aurora is the data controller - we determine the purposes and means of processing your email address for account registration and API Key issuance.

• Privy is a data processor - they process your authentication data on our behalf and according to our instructions.

Privy maintains SOC 2 Type II certification, uses hardware-backed security environments, and undergoes regular third-party audits. For more information about Privy's security practices, visit https://www.privy.io/security.

Privy's processing of your data is governed by a Data Processing Agreement between Aurora and Privy, which includes Standard Contractual Clauses for international data transfers where required.

16.3 No Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

END OF PRIVACY POLICY