LEGAL

Privacy Policy

Effective date: July 8, 2026  |  Version: 3.0

This Policy applies globally, to users in the United States, the European Economic Area, and the rest of the world.

1. Who We Are and Scope

This Privacy Policy explains how AlemX collects, uses, shares, and protects personal data when you access or use the AlemX mobile application, websites, bots, and related services (together, the "Services"). It applies worldwide. The controller responsible for your personal data depends on where you live:

  • United States and rest of world (outside the EEA, UK, and EFTA): AlemX Inc., a Delaware corporation, 16192 Coastal Highway, Lewes, DE 19958, United States.
  • European Economic Area, the United Kingdom, and EFTA States: Alemx OÜ (Estonian registry code 17385062), Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond, 10117, Estonia.

In this Policy, "AlemX", "we", "us" means the applicable controller above, and "you" means the individual using the Services.

2. Our Model: Non-Custodial Software

AlemX provides non-custodial technology. AlemX does not hold your private keys, does not take custody of your crypto-assets or funds at any time, does not transmit money, and does not itself operate a crypto-asset exchange or provide regulated crypto-asset services. Where a feature involves regulated activity, that activity is provided directly to you by an independent, licensed third-party provider under its own terms and privacy policy. This affects privacy, because several categories of data described below are collected and controlled by those providers, not by AlemX.

These include Crossmint, a MiCA-authorized crypto-asset service provider and PSD2-authorized payment institution in the EU, that supplies self-custodial wallet infrastructure and, for fiat top-up and cash-out, an on/off-ramp; and licensed card issuers and payment providers who issue and process the AlemX payment card. The current providers are named in Schedule A, and their own privacy policies govern the data they control.

3. Information We Collect

3.1 Information you provide

  • Account data: name or display name, username, email, phone number, authentication credentials, and profile details.
  • Content you create: posts, reels, stories, comments, reactions, and media you publish.
  • Communications: messages to our support team, reports you submit, and survey or feedback responses.

3.2 Identity verification (KYC) handled by providers

AlemX does not perform identity verification (KYC) itself. Where a feature requires it (for example fiat on/off-ramp or card issuance), the relevant licensed provider collects and controls your identity documents (such as government ID, proof of address, and a selfie). AlemX may receive only a status result (for example, verified or not verified) and does not store your identity documents.

3.3 Wallet and blockchain data

  • Public wallet addresses linked to your account. Because the wallet is self-custodial, AlemX does not hold or store your private keys or recovery phrase.
  • On-chain transaction data recorded on public blockchains (such as Solana), which is by design permanent, public, and pseudonymous, and cannot be altered or deleted by AlemX.

3.4 Activity within the Services

We process records of your in-app activity, including Paid Attention payments, peer-to-peer transfers, Paid Messenger and Paid Calls, tips, donations, Stars, referral activity, and card spend metadata (such as amount, merchant category, and timestamp). Full payment card numbers are handled by the card providers under PCI standards and are not stored by AlemX. AlemX never holds the underlying funds for any of these interactions; value moves wallet-to-wallet or through non-custodial smart contracts.

3.5 Paid Attention and attention verification

When you use Paid Attention, on-device computer vision (the Attention Ring) verifies genuine attention through face presence, gaze, and liveness checks. This processing happens on your device; biometric data is not transmitted to us or stored on our servers. We receive attention signals such as view events, an attention score, completion status, and fraud signals used to confirm a valid view and calculate the payment due to you.

3.6 Messaging data

Messages sent through the AlemX messenger are encrypted in transit. We process limited metadata needed to deliver messages (such as sender and recipient identifiers and timestamps) and information you report to us. Content processed through our systems may be scanned for safety as described in Section 8.

3.7 AI assistant and moderation data

The in-app assistant ("Sara") and our moderation systems process the content you submit to them to respond to you and to keep the platform safe. These features use third-party AI models, including models provided by Anthropic, which acts as a sub-processor under a data processing agreement. See Sections 7 and 8.

3.8 Device, technical, and usage data

  • Device and connection data: IP address, device identifiers, operating system, app version, and language.
  • Usage and diagnostics: features used, interactions, and crash or performance data.
  • Cookies and similar technologies on our websites (see Section 14).

4. How We Use Personal Data

We use personal data to operate and maintain the Services and your account; to route your requests to licensed providers for regulated features and reflect their results; to calculate and deliver Paid Attention, referral, Stars, tips, and other payments, and applicable fees; to verify genuine attention and prevent fraud and abuse; to keep the platform and its users safe, including child-safety and counter-terrorism measures; to communicate with you, including service and security notices; to comply with legal obligations; and to improve the Services, using aggregated or de-identified data where practicable.

5. Legal Bases (EEA / UK Users)

  • Performance of a contract: to provide the Services you request.
  • Legal obligation: to meet AML, tax, sanctions, child-safety, and other legal duties.
  • Legitimate interests: to secure the platform, prevent fraud and harm, and improve the Services, balanced against your rights.
  • Consent: for certain cookies, marketing, or optional features, which you may withdraw at any time.

6. How We Share Personal Data

We do not sell your personal data. We share it only as described here:

  • Licensed providers and sub-processors: including Crossmint (a MiCA-authorized crypto-asset service provider) and licensed card and payment providers, to deliver wallet, ramp, and card features. The current list is in Schedule A. Where they act as controllers (for example for KYC and regulated services), their privacy policies govern.
  • Infrastructure vendors: cloud hosting, analytics, communications, and security vendors acting as processors under contract.
  • AI providers: providers of the AI models used for the assistant and moderation.
  • Advertisers (Paid Attention): aggregated or campaign-level performance data only. Advertisers do not receive your identity documents or account credentials.
  • Safety organizations and authorities: as described in Section 8, and where required by law or to protect the rights and safety of AlemX, our users, or the public.
  • Corporate transactions: in connection with a merger, financing, or sale of assets, subject to this Policy.
  • Public blockchain: on-chain activity is inherently public (see Sections 3.3 and 10).

7. Automated Processing and AI

We use automated systems for fraud prevention, Paid Attention verification, and content moderation. Some content is screened automatically and may be reviewed by a person. The in-app assistant produces automated responses that may be inaccurate and are not financial, legal, or tax advice. If you are in the EEA or UK and a solely automated decision produces legal or similarly significant effects, you may request human review as described in Section 12.

8. Content Integrity, Child Safety, and Counter-Terrorism

AlemX takes safety seriously and participates in, or is in the process of implementing prior to launch, leading industry programs. To detect and act on illegal or harmful content, content that we are able to access through our systems may be scanned and matched against known-harm databases:

  • Microsoft PhotoDNA: we use PhotoDNA image-hash matching to detect known child sexual abuse material (CSAM).
  • NCMEC CyberTipline: we report apparent CSAM to the U.S. National Center for Missing & Exploited Children through its CyberTipline, as required by law, which may involve sharing relevant account and content data.
  • StopNCII.org: we participate in StopNCII to help prevent the sharing of non-consensual intimate images using privacy-preserving hashes.
  • GIFCT: as a subscriber to the Global Internet Forum to Counter Terrorism, we use its shared hash database to detect and remove terrorist and violent extremist content.

This processing is carried out to comply with legal obligations and for the substantial public interest of protecting children and public safety.

9. Data Retention

We keep personal data only as long as necessary for the purposes in this Policy, including to provide the Services, comply with legal, tax, AML, and child-safety obligations (which may require multi-year retention by us or our providers), resolve disputes, and enforce our agreements. On-chain data cannot be deleted because of the nature of public blockchains. After you delete content or close your account, residual copies may remain in backups or logs for a limited period before they are overwritten or securely deleted.

10. Public Blockchain Disclosure

Transactions recorded on a public blockchain are permanent and cannot be changed, deleted, or hidden by AlemX or by you. Wallet addresses and transaction details are publicly visible and may be linked to your identity by third parties analyzing the blockchain. This is an inherent feature of the technology and is outside AlemX's control.

11. Security

We maintain technical and organizational measures designed to protect personal data, including encryption in transit, access controls, and monitoring. AlemX is SOC 2 certified, reflecting independently assessed controls over security. No system is perfectly secure, and because the wallet is self-custodial, safeguarding your keys and recovery method is your responsibility.

12. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to processing, to data portability, and to withdraw consent. EEA and UK users have these rights under the GDPR and UK GDPR. California and other U.S. state residents have rights to know, delete, correct, and opt out of certain sharing, and not to be discriminated against for exercising them.

To exercise your rights, contact privacy@alemx.com. We may need to verify your identity. Some data cannot be erased (for example on-chain records, or KYC data held by providers for legal reasons). You may also complain to your local data protection authority.

13. International Data Transfers

Your personal data may be processed in countries other than your own, including the United States and the European Union. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision, supported where required by a transfer impact assessment. This includes transfers to our AI provider (Anthropic), which processes data under a data processing agreement incorporating SCCs.

14. Cookies and Similar Technologies

Our websites use cookies and similar technologies for essential functionality, security, preferences, and analytics. Where required, we ask for your consent to non-essential cookies, which you can manage through your browser or our cookie settings.

15. Children

The Services are for adults. You must be at least 18 years old, or the age of majority in your jurisdiction if higher, to use them. We do not knowingly collect personal data from anyone under 18, and we will delete such data if discovered. We are committed to child safety and act on apparent CSAM as described in Section 8.

16. Contact and Changes

For privacy questions or to exercise your rights, contact privacy@alemx.com. EEA and UK users may also contact our Data Protection Officer at dpo@alemx.com. Postal contact: AlemX Inc., 16192 Coastal Highway, Lewes, DE 19958, United States; or, for EEA/UK/EFTA users, Alemx OÜ, Narva mnt 5, Kesklinna linnaosa, Tallinn, Harju maakond, 10117, Estonia.

We may update this Policy. If we make material changes, we will notify you through the Services or by other appropriate means and update the effective date. Continued use after changes take effect means you accept the updated Policy.

Schedule A. Service Providers and Sub-processors

The providers below process personal data to deliver regulated and infrastructure features. Each operates under its own terms and privacy policy. AlemX may update this list as providers change; where required, we will give notice of material changes.

  • Crossmint: self-custodial wallet infrastructure and fiat on/off-ramp; a MiCA-authorized crypto-asset service provider (CASP) and PSD2-authorized payment institution in the EU, supervised by Spain's CNMV and Bank of Spain. In the United States, on/off-ramp is provided through Paxos.
  • Paxos: regulated fiat on/off-ramp for users in the United States, including related identity verification.
  • Card issuer(s): issuance and processing of the AlemX payment card, currently Wasabi (global) and Bridge (United States and Canada).

Additional infrastructure sub-processors (such as cloud hosting, analytics, communications, security, and AI-model providers) process data on our behalf under contract.

Schedule B. Version History

VersionDateSummary
1.0June 2026Initial draft.
2.0July 1, 2026Non-custodial model; worldwide controllers with Estonian entity; provider and sub-processor schedule; child-safety and counter-terrorism programs; SOC 2; data rights (GDPR and US state).
3.0July 8, 2026Legal review: Crossmint confirmed as fully MiCA-authorized CASP and PSD2 Payment Institution; child-safety programs conditionally worded; SCC and transfer impact assessment for international transfers (including Anthropic); residual copies disclosure; content-scanning limited to accessible content.