Last updated October 20, 2025

This Privacy Notice for Bron Foundation (“Bron,” “we,” “us,” or “our”) explains how we collect, use, disclose, and protect personal information when you use our website and software (together, the “Services”). Bron.org is owned and operated by Bron Foundation.

In this Notice, “Website” means bron.org and any site that links to this Notice.
“Software” means Bron Wallet and any related applications or code we make available. “Services” means the Website and Software together.

• Visit our Website at bron.org or any site of ours that links to this Privacy Notice.
• Use Bron Wallet. Bron Wallet is a self-custody tool that lets you independently interact with public blockchains and digital assets. It does not recommend or encourage trading. You control your own keys and assets. We cannot access or recover your private keys, seed phrases, or digital assets without your explicit authorisation and participation.
• Engage with us in other ways, including support, marketing, or events.

Questions? If you do not agree with our practices, do not use the Services. Contact legal@bron.org.

SUMMARY OF KEY POINTS

What personal information do we process? We process minimal account and contact details you provide, and limited technical data via cookies when you use the Services. See What information we collect.

Do we process sensitive personal information? No.

Do we collect from third parties? No.

How do we use information? To operate the Website and Software, provide support, secure our Services, and comply with law. See How we process your information.

Do we sell or rent personal data? No. We do not sell or rent your personal data. We share only as described in When and with whom we share.

Public blockchains. On-chain activity is public and immutable. We are the data
controller only for off-chain Website and account information. See Public blockchain data.

Cross-border transfers. We use recognised safeguards for international transfers. See International data transfers.

Your rights. Depending on where you live, you may access, correct, delete, or object to certain processing. See Your privacy rights.

TABLE OF CONTENTS

1. What information do we collect?
2. How do we process your information?
3. What legal bases do we rely on?
4. When and with whom do we share your personal information?
5. Do we use cookies and other tracking technologies?
6. How long do we keep your information?
7. How do we keep your information safe?
8. Do we collect information from minors?
9. A. International data transfers
10. What are your privacy rights?
11. Controls for do-not-track features
12. Do United States residents have specific privacy rights?
13. A. Government and law-enforcement requests
14. Do we make updates to this notice?
15. How can you contact us?
16. How can you review, update, or delete your data?

[01] WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information you provide.

We collect personal information that you voluntarily provide when you create an account, sign up for updates, request support, or otherwise contact us.

Personal information provided by you. We may collect:
• Email address
• Username or display name
• Support communications you send to us

Public blockchain data

In Short: On-chain activity is public and immutable.

Transactions and smart-contract interactions you initiate are recorded on public blockchain networks. Anyone can read, copy, analyse, and link that on-chain data, including wallet addresses, token balances, transactions, and contract interactions. Do not include personal information in transaction data fields.

Controller role. We act as data controller only for off-chain information we collect through our Website, accounts, support, and communications. We do not control public blockchain networks and are not the controller for personal information written to a blockchain. Our Software enables you to interact with networks you choose.

Keys and payment data. We do not store full private keys, seed phrases, or payment-card details.

Payment data

If you make a purchase, payment information is processed by our payment provider, Stripe. Stripe independently processes your payment data. See Stripe’s privacy notice: https://stripe.com/gb/privacy. We do not store payment-card details.

[02] HOW DO WE PROCESS YOUR INFORMATION?

In Short: We use information to operate the Website and Software, provide support, secure the Services, and comply with law. We process for the purposes below and, where required, with your consent.

Purposes. Depending on your interactions, we process personal information to:
• Operate and maintain accounts. Facilitate sign-up, login, and account administration.
• Provide and improve the Services. Deliver and enhance the Website and Software you request.
• Support and communicate. Respond to inquiries, troubleshoot, and send service notices.
• Security and fraud prevention. Protect accounts and our Services, detect, investigate, and prevent harmful or illegal activity.
• Usage analytics. Identify usage trends to improve performance and user experience.
• Marketing with consent. Send updates consistent with your preferences. You can opt out at any time.
• Vital interests and legal obligations. Act to prevent harm and comply with applicable laws.

[03] WHAT LEGAL BASES DO WE RELY ON?

In Short: We process your personal information when necessary and permitted by applicable law, including with consent, to perform a contract, for legitimate interests, to comply with legal obligations, or to protect vital interests.

• Consent. Where required, we process with your consent. You may withdraw consent at any time.
• Performance of a contract. To provide the Services you request.
• Legitimate interests. For security, analytics, and improvement, balanced against your rights.
• Legal obligations. To comply with applicable laws and lawful requests.
• Vital interests. To prevent harm.

[04] WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We do not sell or rent your personal data. We share limited data with service providers and others as needed to operate the Services or comply with law.

We share limited data with:
• Service providers (cloud hosting, analytics, cybersecurity, customer support, and similar vendors) under contracts that restrict use.
• Legal and regulatory authorities when required by applicable law.
• Professional advisers (auditors, lawyers) under confidentiality duties.
• Business transfers. In connection with a merger, acquisition, or similar transaction.
• Affiliates. Only as necessary and subject to this Notice.

We also maintain internal records of disclosures. We are not responsible for the privacy practices of third-party sites, dApps, or services you choose to use; review their policies.

[05] DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use cookies and similar technologies for essential functions, security, and analytics. Third parties may provide analytics or measurement.

Some cookies are necessary to operate the Services. Others help us analyse usage or remember preferences. You can manage cookies in your browser settings. For details, see our Cookie Notice: https://bron.org/cookies.

To the extent any tracking is deemed a “sale” or “sharing” under US laws, you may opt out as described in US privacy rights.

[06] HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep personal information only as long as needed for the purposes described or as required by law.

We retain personal information for the period necessary to fulfil the purposes in this Notice, then delete or de-identify it. No purpose requires retention longer than six (6) months after account termination, unless law requires otherwise or we need the data to protect our rights. Backups are isolated and deleted on a schedule.

[07] HOW DO WE KEEP YOUR INFORMATION SAFE?

We implement reasonable technical and organisational measures, including access controls, encryption in transit, and data minimisation. No method is 100% secure. If we are legally required to notify you of a breach, we will do so consistent with applicable law.

[08] DO WE COLLECT INFORMATION FROM MINORS?

In Short: Our Website and Services are not intended for anyone under 18

We do not knowingly collect, solicit, or market to individuals under 18 years of age, nor do we knowingly sell such data. If we learn that we have collected such information, we will delete it. Contact legal@bron.org if you believe a minor has provided personal information.

[08a] INTERNATIONAL DATA TRANSFERS

We operate globally. Your personal information may be transferred to and processed in countries other than your own. Where required, we use appropriate safeguards, including:
• European Commission Standard Contractual Clauses and UK/Swiss equivalents, as applicable;
• other recognised transfer mechanisms; and
• technical and organisational measures such as encryption, access controls, and minimisation.

You may request information about our transfer safeguards at  legal@bron.org.

[09] WHAT ARE YOUR PRIVACY RIGHTS?

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to processing, and data portability. If a decision with legal or similarly significant effects is made solely by automated means, we will inform you and offer a way to request human review. Exercise rights by contacting legal@bron.org. We will respond per applicable law.

Withdrawing consent

Where processing relies on consent, you may withdraw it at any time by contacting us. This does not affect processing prior to withdrawal or processing based on other legal grounds.

Marketing opt-out

You can unsubscribe from marketing emails at any time using the link in the email or by contacting us.

Account information

You can review or update account information in your settings, or request deletion. We may retain limited information as required by law or for legitimate interests such as fraud prevention.

[10] CONTROLS FOR DO-NOT-TRACK FEATURES

There is no uniform standard for responding to DNT signals. We do not respond to them at this time. If a standard is adopted, we will update this Notice.

[11] DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: Residents of certain US states may have rights to know, access, correct, delete, obtain a copy, and opt out of certain processing.

Categories of personal information we collect (past 12 months)

Your rights and choices. Depending on your state, you may have rights to know, access, correct, delete, obtain a copy, and opt out of targeted advertising (or “sharing”), sale, or certain profiling. You may appeal a request decision by emailing legal@bron.org. We will not discriminate against you for exercising your rights.

[12a] GOVERNMENT AND LAW-ENFORCEMENT REQUESTS

We may preserve or disclose personal information when we reasonably believe it is necessary to: (i) comply with applicable law, valid legal process, or enforceable governmental requests; (ii) enforce our terms; or (iii) protect the rights, property, or safety of users or others.

Process. We assess each request for legal validity, scope, and proportionality;
require proper legal process; and seek to narrowly tailor any disclosure. We may challenge unlawful or overbroad requests.

User notice. Where legally permitted and practical, we will notify affected users
before producing information so they can seek remedies. We may delay or withhold notice if prohibited by law or where notification could cause harm.

Transparency. We maintain internal records of requests and, where lawful, may
publish high-level transparency information about volumes and types of requests.

[12] DO WE MAKE UPDATES TO THIS NOTICE?

In Short: We update this Notice as needed to stay compliant.

We will post updates here and revise the “Last updated” date. For material changes, we may provide additional notice.

[13] HOW CAN YOU CONTACT US?

Email: legal@bron.org

[14] HOW CAN YOU REVIEW, UPDATE, OR DELETE YOUR DATA?

You can request access to, correction of, or deletion of your personal information by emailing legal@bron.org. If permitted by law, you may also withdraw consent where applicable. We will respond consistent with applicable requirements.