Privacy Policy

Last Updated on 29th July 2025

1. Introduction

AFI is a decentralized, non-custodial protocol that powers cross-chain, risk-aware decentralized finance (DeFi) strategies through autonomous, algorithmic agents. As a decentralized system operating on smart contracts, AFI does not itself collect, process, or retain personal data from its users. Users interact directly with on-chain infrastructure and maintain full control over their wallets and data.

However, certain AFI-affiliated platforms, frontend interfaces, technology partners, or third-party service providers (collectively, “Affiliated Entities”) may require the collection and processing of personal data to deliver services, comply with applicable laws (such as KYC/AML obligations), or enhance user functionality. These affiliated platforms operate in jurisdictions that may impose obligations under data protection regulations, including but not limited to:

  • The General Data Protection Regulation (GDPR) — for users in the European Economic Area (EEA);

  • Other applicable national or regional data protection laws — depending on the user’s location.

This Privacy Policy describes how personal data is collected, used, shared, and protected by or on behalf of AFI-affiliated entities and platforms. It applies to all individuals accessing or interacting with AFI through regulated or user-facing services where personal data is involved.

Please read this Policy carefully to understand your rights and how your data is handled.


2. Scope and Applicability

This Privacy Policy governs the collection, use, disclosure, and protection of personal data processed through AFI-affiliated platforms and services, to the extent that such processing occurs in connection with user interaction, regulatory compliance, or operational functionality.

Specifically, this Policy applies to:

  • Users Accessing AFI via Affiliated Frontends: Individuals who engage with AFI through third-party interfaces (including web and mobile applications) that provide access to AFI’s decentralized financial products and tools.

  • Users Undergoing KYC/AML Procedures: Individuals required to complete Know Your Customer (KYC), Anti-Money Laundering (AML), or other identity verification processes through integrated third-party compliance service providers. These procedures may be mandated by law or by AFI-affiliated platforms offering fiat on/off ramps, token offerings, or regulated financial services.

  • Institutional Counterparties and Partners: Legal entities, such as liquidity providers, decentralized autonomous organizations (DAOs), node operators, or infrastructure partners, that interact with AFI infrastructure or enter into legal agreements with AFI-affiliated service providers.

  • Visitors and Users of Informational Tools: Individuals who browse or interact with analytics dashboards, documentation sites, smart wallet interfaces, or other publicly accessible tools offered by AFI-affiliated platforms, even if they do not directly engage in DeFi transactions.

This Policy does not apply to on-chain interactions that do not involve personal data, nor to services or platforms that are not officially affiliated with AFI or its authorized partners. In decentralized environments, the ultimate responsibility for wallet security, transaction confidentiality, and pseudonymous activity remains with the user.


3. Data Controller and Data Processor Roles

Due to the decentralized and non-custodial nature of the AFI protocol, the collection and processing of personal data is not conducted by the protocol itself, but rather by affiliated frontend platforms and third-party service providers. The distinction between Data Controllers and Data Processors, as defined under the General Data Protection Regulation (GDPR), is outlined below:

  • AFI Protocol: AFI is a decentralized software infrastructure deployed on public blockchains. It does not collect, store, or manage any personal data and, therefore, does not act as a “Data Controller” or “Data Processor” under GDPR. AFI operates solely as a permissionless coordination layer for risk-aware, cross-chain DeFi strategies.

  • Frontend Operators and Affiliated Platforms: Independent or partnered platforms that provide user-facing access to the AFI protocol (via web or mobile applications) may collect personal information in connection with user onboarding, compliance requirements, or service customization. Depending on their implementation and contractual roles, such operators may act as:

    • Data Controllers, where they determine the purpose and means of personal data processing; or

    • Data Processors, where they process data solely on behalf of another controller, such as a regulated financial institution.

  • Third-Party KYC/AML Providers: Vendors such as Sumsub, Veriff, or Jumio may be integrated into affiliated frontends to carry out identity verification and compliance screening. These providers process personal data under contractual instructions from the frontend operator and do not interface directly with the AFI protocol. In such cases, the frontend operator remains the Data Controller, and the KYC/AML provider acts as a Data Processor.

  • Data Controller Contact Information: The specific identity and contact details of the applicable Data Controller for your personal data will be made available in the Terms of Use and Privacy Policy of the frontend platform or service you are interacting with.

Users are encouraged to review the privacy documentation of the frontend they use to understand how their data is handled and by whom.


4. Types of Data Collected

AFI itself, as a decentralized protocol, does not collect any personal information. However, certain personal data may be collected by AFI-affiliated frontends, partners, or integrated third-party service providers in accordance with applicable legal, technical, or operational requirements. The type and extent of data collected depend on your interaction with the platform and the services accessed. These data categories include:

A. Identity Verification Data

Collected when a user undergoes Know Your Customer (KYC), Anti-Money Laundering (AML), or identity verification procedures, typically conducted by a third-party provider:

  • Full legal name

  • Date of birth

  • Country of nationality and tax residency

  • Government-issued identification documents (e.g., passport, driver's license, national ID)

  • Real-time selfie or biometric data (used for liveness or facial recognition checks)

  • Social Security Number (SSN), Tax Identification Number (TIN), or other local equivalents, as required by law

This information is required to comply with regulatory obligations and prevent fraud, money laundering, or sanctions evasion.

B. Contact Information

Collected when a user registers an account, interacts with customer support, or subscribes to communications:

  • Email address

  • Mobile phone number (where required for two-factor authentication or alerts)

  • Residential or mailing address (as required for regulatory disclosures or identity validation)

C. Technical and Wallet Data

Collected automatically through your interaction with frontend interfaces or smart wallet tools:

  • Public blockchain wallet addresses

  • Device identifiers, including browser type and operating system

  • IP address and geolocation data (inferred from IP or device settings)

  • Session metadata, including login timestamps, interface navigation, and page interaction logs

  • Cookies and similar tracking technologies (as disclosed in the Cookie Policy of the respective frontend)

This data helps improve security, detect suspicious behavior, and optimize the user interface.

D. Financial and Transactional Data

Collected when users interact with fiat on/off ramps, participate in token offerings, or utilize AFI Vaults or DeFi strategies:

  • Fiat or crypto transaction history (e.g., deposits, withdrawals, swaps)

  • On-chain activity including yield participation, wallet-to-wallet transfers, and governance interactions

  • Declarations or records of source of funds or wealth (as part of Enhanced Due Diligence where required)

This data may be used for compliance screening, auditing, and risk assessment in line with global financial regulations.


5. Legal Bases for Processing Personal Data (Under GDPR Article 6)

AFI-affiliated frontends and service providers process personal data only when there is a valid legal basis to do so, as outlined under Article 6 of the General Data Protection Regulation (GDPR). Depending on the context and purpose of interaction, one or more of the following legal bases may apply:

A. Consent – Article 6(1)(a)

Users may be asked to provide explicit and informed consent for certain types of data collection and processing. This includes:

  • Submitting personal data for Know Your Customer (KYC) verification

  • Receiving marketing communications or product updates

  • Participating in optional platform features, such as rewards programs or community governance

Users retain the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

B. Contractual Necessity – Article 6(1)(b)

Processing may be necessary for the performance of a contractual relationship, or to take steps at a user's request prior to entering into such a contract. Examples include:

  • Enabling user access to regulated offerings or gated features of the protocol

  • Facilitating token purchases, fiat on-ramp/off-ramp services, or smart account activations

  • Providing essential customer support or technical assistance

Failure to provide the required data in such cases may prevent users from accessing certain services or fulfilling their intended transactions.

C. Legal Obligation – Article 6(1)(c)

Certain personal data must be collected and retained in order to fulfill statutory or regulatory obligations, particularly in relation to:

  • Anti-money laundering (AML) and counter-terrorism financing (CTF) compliance

  • Sanctions screening and monitoring as per OFAC, UN, or EU lists

  • Tax reporting requirements, including FATCA, CRS, or similar frameworks

Data collected under this basis may be disclosed to competent legal or regulatory authorities as required by applicable law.

D. Legitimate Interests – Article 6(1)(f)

In some cases, processing is necessary to serve the legitimate interests of AFI-affiliated entities or the broader user base, provided such interests are not overridden by the fundamental rights or freedoms of users. This includes:

  • Security monitoring, threat detection, and fraud prevention

  • Risk scoring for on-chain behavior, transaction volume, or access from high-risk jurisdictions

  • Platform optimization based on aggregated usage patterns and technical diagnostics

  • Ensuring protocol integrity and minimizing exposure to malicious actors

Where legitimate interests form the basis for processing, users may object to such processing, subject to applicable legal limits.


6. Use of Personal Data

AFI-affiliated frontends, partners, and third-party service providers may use personal data collected from users strictly for lawful and predefined purposes. These purposes are consistent with applicable data protection regulations, including the General Data Protection Regulation (GDPR), and aim to ensure platform integrity, user protection, and regulatory compliance. Personal data may be used for the following specific purposes:

A. Conducting KYC/AML and Identity Verification Checks

To verify user identity, prevent impersonation, and meet anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. This includes:

  • Authenticating documents and biometric data

  • Cross-checking against global sanctions, politically exposed persons (PEP), and watchlists

  • Assessing user risk profile for access to regulated services

B. Facilitating Fiat On/Off-Ramp Transactions

To process and validate fiat-to-crypto or crypto-to-fiat conversions via integrated financial partners. Personal data may be used to:

  • Confirm account ownership

  • Enable transaction authorization

  • Satisfy banking partner compliance checks

C. Preventing Fraud, Abuse, and Financial Crime

To detect suspicious activity, prevent fraud, and maintain ecosystem trust. Data may be processed for:

  • Device fingerprinting and IP address tracking

  • Monitoring of high-risk behavior or unusual transaction patterns

  • Implementing security alerts or enforcement actions

D. Complying with Legal and Regulatory Obligations

To fulfill obligations under financial, tax, or data protection laws. This includes:

  • Retaining user data for statutory periods

  • Responding to valid requests from regulators, tax authorities, or courts

  • Generating compliance reports and audit trails

E. Managing Participation in Token Offerings, Rewards, and Governance

To enable qualified users to:

  • Participate in token sales, airdrops, or loyalty programs

  • Receive rewards, yield distributions, or governance tokens

  • Cast votes or submit proposals in on-chain or off-chain governance processes

F. Communicating with Users and Resolving Disputes

To ensure seamless user support and platform transparency. This includes:

  • Responding to inquiries or support tickets

  • Sending service-related notices, such as terms updates or security alerts

  • Addressing user complaints, appeals, or correction requests


7. Data Sharing and Disclosure

AFI-affiliated platforms and service providers recognize the importance of protecting personal data and only share such information when necessary, and always in accordance with applicable laws including the GDPR, CCPA, and other relevant frameworks. Data sharing is limited to well-defined circumstances, and all parties involved are bound by confidentiality, security, and lawful processing obligations.

Personal data may be shared with the following categories of recipients:

A. Third-Party KYC/AML and Identity Verification Providers

To carry out regulatory compliance procedures, your data may be shared with specialized service providers such as Sumsub, Veriff, or equivalent vendors. These providers:

  • Operate under strict data processing agreements

  • Are only authorized to use your data for identity verification and compliance checks

  • Must adhere to applicable privacy regulations, including GDPR Article 28 (Data Processor obligations)

B. Cloud, Hosting, and Analytics Providers

To maintain platform performance, monitor system health, and improve user experience, certain technical and behavioral data may be shared with:

  • Hosting providers (e.g., AWS, Cloudflare)

  • Analytics platforms (e.g., Plausible, Matomo – privacy-respecting alternatives to Google Analytics)

All such providers are contractually obligated to implement industry-standard data protection and security controls.

C. Legal and Regulatory Disclosures

AFI-affiliated entities may disclose personal data if required to:

  • Comply with binding legal obligations

  • Respond to lawful subpoenas, court orders, or regulatory enforcement requests

  • Satisfy tax, anti-money laundering, or financial reporting requirements

Such disclosures will be limited to the minimum data necessary to fulfill the legal request.

D. Protocol Partners and Affiliate Frontend Operators

If you interact with the AFI protocol through a partner frontend or wallet interface, certain data may be shared between AFI-affiliated entities and the frontend operator to:

  • Enable or manage access to gated features

  • Facilitate communications or customer support

  • Enforce compliance or usage terms

All partner entities are required to provide transparent data handling policies and obtain user consent where applicable.

No Sale of Personal Data

AFI and its ecosystem participants do not sell, rent, or trade user personal data to any third parties. Data is only processed and shared as necessary for protocol operation, user support, and regulatory compliance.


8. International Data Transfers

AFI-affiliated platforms and service providers may engage vendors, partners, or data processors located outside the European Economic Area (EEA), including but not limited to jurisdictions such as the United States, Singapore, and other regions where data protection laws may differ from those in the EU. All such international transfers of personal data are carried out in accordance with the General Data Protection Regulation (GDPR), particularly Chapter V on transfers of personal data to third countries.

To ensure that your data remains protected regardless of where it is processed, AFI or its affiliated frontend operators implement one or more of the following safeguards:

A. EU Standard Contractual Clauses (SCCs)

Where data is transferred to countries that have not been recognized by the European Commission as providing an adequate level of data protection, the transferring entity relies on Standard Contractual Clauses as adopted by the European Commission. These legally binding agreements obligate non-EEA recipients to provide protections equivalent to those guaranteed under EU law.

B. Adequacy Decisions

When transferring personal data to countries that the European Commission has deemed to offer an adequate level of protection (e.g., countries like Japan or the United Kingdom), data transfers are permitted without the need for additional safeguards.

C. Binding Corporate Rules (BCRs) or Equivalent Mechanisms

In some cases, personal data may be transferred within corporate groups or infrastructure providers operating under Binding Corporate Rules. These are internal policies approved by EU data protection authorities that ensure consistent, GDPR-level data protection across all global operations.

User Rights in the Context of International Transfers

Regardless of where your data is processed, you maintain all rights provided under GDPR, including the right to access, correct, delete, or object to the processing of your personal data. You may also request a copy of the applicable data transfer safeguards by contacting the relevant data controller as specified in the frontend's legal documentation.


9. Data Retention

AFI-affiliated platforms and their third-party service providers retain personal data only for as long as is necessary to fulfill the specific purposes for which it was collected, as described in this Privacy Policy. This includes compliance with applicable legal, regulatory, accounting, and reporting obligations, as well as dispute resolution, fraud prevention, and security monitoring.

Retention periods may vary depending on the type of data and the legal or operational context. Generally, the following retention standards apply:

A. KYC and AML Records

To comply with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations—such as the U.S. Bank Secrecy Act (BSA), the EU AMLD framework, and FATF guidelines—personal data collected during Know Your Customer (KYC) procedures is retained for a minimum of five (5) years from the date of:

  • Completion of the verification process, or

  • The end of the user relationship or last user interaction, whichever is later.

B. General User Account Data

Personal data related to general usage, platform preferences, and non-KYC-related information is retained:

  • Until the user deletes their account or requests data erasure, subject to applicable legal constraints, or

  • After a defined period of inactivity, typically not exceeding 24 months, after which data may be anonymized or deleted.

C. Regulatory Compliance and Dispute Resolution

Certain data may be retained:

  • As required by law, including tax reporting (e.g., FATCA/CRS), sanctions compliance, or transaction audits.

  • For fraud detection or abuse mitigation, where records may be maintained even after account closure if a legitimate risk is identified.

D. Anonymization and Aggregation

Where data is no longer needed for a legal or business purpose, it may be anonymized and retained in an aggregated format for analytics, protocol performance, and risk modeling—without retaining any personally identifiable information.

Storage Limitation Principle

In line with the storage limitation principle of GDPR Article 5(1)(e), AFI-affiliated entities and their partners ensure that personal data is not kept in identifiable form for longer than necessary for the purposes for which it is processed. All retention timelines are periodically reviewed to ensure compliance with evolving legal requirements and industry best practices.


10. Your Rights (Under GDPR)

If you are located in the European Economic Area (EEA) or are otherwise subject to the General Data Protection Regulation (GDPR), you are entitled to a range of rights in relation to your personal data. These rights aim to give you greater transparency and control over how your data is used by AFI-affiliated platforms and third-party service providers.

Subject to applicable laws and certain limitations, your rights include:

A. Right of Access

You have the right to request confirmation of whether personal data concerning you is being processed, and to access a copy of such data, including the purposes of processing, categories of data, recipients, and data retention periods.

B. Right to Rectification

If any of your personal data is inaccurate or incomplete, you may request that it be corrected or supplemented.

C. Right to Erasure ("Right to be Forgotten")

You may request the deletion of your personal data where:

  • The data is no longer necessary for the purpose for which it was collected,

  • You have withdrawn consent (where consent was the legal basis),

  • You have objected to processing and there are no overriding legitimate grounds,

  • Processing was unlawful, or

  • Deletion is required to comply with a legal obligation.

Note: This right may be limited where data must be retained to comply with legal or regulatory obligations (e.g., KYC retention under AML laws).

D. Right to Restriction of Processing

You can request the temporary suspension of processing where:

  • You contest the accuracy of your data,

  • Processing is unlawful but you oppose deletion,

  • Data is no longer needed but required for legal claims, or

  • You have objected and verification of legitimate grounds is pending.

E. Right to Data Portability

You may request a copy of your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller where processing is based on consent or contract and carried out by automated means.

F. Right to Object

You can object at any time to:

  • Processing based on legitimate interests (including profiling),

  • Direct marketing (if applicable), which will result in immediate cessation.

Where processing is based on your consent (e.g., optional KYC, marketing communications), you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

You may exercise these rights by submitting a request:

  • Via the frontend interface (where user tools are available), or

  • Through the KYC provider’s or data controller’s designated support channels.

For your protection, you may be asked to verify your identity before a request can be processed. Responses to valid requests will typically be provided within one month of receipt, as required under GDPR Article 12(3); this period may be extended by up to two further months where requests are complex or numerous, in which case you will be informed of the extension and the reasons for it.


11. Cookies and Analytics

Certain AFI-affiliated frontends and web interfaces may use cookies and similar tracking technologies to enhance user experience, ensure platform functionality, and analyze usage patterns. These tools help the frontend operators understand how users interact with their services and improve performance accordingly.

A. Types of Cookies and Tools Used

The following categories of cookies and analytics tools may be implemented:

  • Essential Cookies: Required for the basic operation of the site (e.g., wallet connection, session management, security verification). These cannot be disabled through cookie settings.

  • Performance and Analytics Cookies: Used to gather data on site usage, traffic sources, and performance metrics (e.g., Google Analytics). This helps frontend operators improve the usability and efficiency of the interface.

  • Preference Cookies: Used to remember user settings or preferences, such as selected language or wallet connection state.

  • Marketing or Tracking Cookies (if applicable): Only used where marketing tools are integrated. These track behavior across sites and are disabled by default unless the user opts in.

B. Cookie Consent and Management

In compliance with GDPR and other privacy regulations:

  • Users will be presented with a cookie consent banner or modal when accessing AFI-affiliated websites for the first time.

  • Non-essential cookies (e.g., analytics or marketing) will only be activated if the user provides explicit consent.

  • Users may manage or revoke their cookie preferences at any time via the frontend’s privacy or cookie settings page.

C. Third-Party Services

Some analytics and cookie tools may be operated by third-party providers (e.g., Google, Plausible, Cloudflare). These providers may collect data according to their own privacy policies and are subject to contractual obligations for data protection.


12. Data Security

AFI and its affiliated platforms prioritize the protection of personal data by implementing robust technical and organizational safeguards, in line with industry best practices and regulatory expectations.

A. Security Measures

All personal data processed by or on behalf of AFI-affiliated services is:

  • Encrypted in Transit and at Rest: Utilizing modern encryption protocols (e.g., TLS, AES-256) to protect data from interception or unauthorized access.

  • Stored in Access-Controlled Environments: Hosted on infrastructure with strict access controls, authentication mechanisms, and role-based permissions to prevent unauthorized access or misuse.

  • Processed by Certified Vendors: Service providers involved in data processing are required to adhere to recognized security standards, such as:

    • SOC 2 (System and Organization Controls)

    • ISO/IEC 27001 (Information Security Management Systems)

    • Other equivalent international certifications

B. Decentralized Protocol Assurance

As a decentralized protocol, AFI itself does not store, access, or process personal data, including user credentials or wallet keys. All sensitive data handling is delegated to third-party service providers or frontend operators under strict contractual obligations and data privacy requirements.

C. Incident Response

In the event of a personal data breach involving affiliated services, the responsible Data Controller will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required under GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of affected users, those users will be notified directly in accordance with GDPR Article 34, and remediation measures will be promptly initiated.


13. Changes to This Policy

AFI-affiliated platforms reserve the right to update or modify this Privacy Policy at any time, in order to reflect:

  • Changes in regulatory or legal requirements

  • Updates to AFI’s protocol architecture, features, or services

  • Shifts in data processing practices by third-party providers

A. Notification of Changes

When material changes are made, users will be informed through one or more of the following methods:

  • A prominent notice on the relevant frontend or dashboard

  • Email notification (if the user has provided a valid email address)

  • In-app or website banners indicating the update

B. Review and Acceptance

Continued use of AFI-affiliated services after such changes are published will constitute acknowledgment and acceptance of the updated policy. Users are encouraged to periodically review this Privacy Policy to stay informed about how their personal data is handled.

C. Version History

The effective date and last updated date will always be listed at the top of this document for transparency and auditability.


14. Contact

For data protection-related inquiries, rights requests, or complaints, please contact the Data Protection Officer (DPO) of the affiliated frontend operator at:

📧 [email protected]
