Privacy Policy
Last updated: 29 April 2026
IMPORTANT NOTICE
This Privacy Policy (the "Policy") explains how Alula Finance Corp., the operator of the Alula Finance website and user interface (the "Operator"), processes personal data in connection with your access to and use of the Site and the Services.
The Site provides a non-custodial graphical user interface to a permissionless lending protocol deployed as autonomous smart contracts on the Stellar network (the "Protocol"). Because the Protocol operates on a public blockchain, the personal-data implications of using the Site differ in a number of respects from those of a conventional online service. This Policy describes those differences honestly and in reasonable detail so that you can make an informed decision before connecting your wallet.
This Policy forms an integral part of our Terms of Service. Capitalised terms used but not defined herein have the meaning given to them in the Terms of Service. If any provision of this Policy conflicts with mandatory provisions of applicable data-protection law, the latter shall prevail.
1. Data Controller
The data controller for the processing described in this Policy is:
Alula Finance Corp., a corporation (Sociedad Anónima) duly organised and existing under the laws of the Republic of Panama, registered under No. 155782425, with its registered office at 55th Street East, SL55 Building, 21st Floor, Office 3, Panama City, Republic of Panama.
Email: support@alula.finance
You may contact the Operator at any time using the contact details set out in Section 15 to exercise your rights or to raise any question concerning the processing of your personal data.
2. Scope of this Policy and Application of EU Data-Protection Law
This Policy applies to personal data processed by the Operator through the Site and the Services. It does not cover the processing of personal data by independent third parties — including, without limitation, your wallet provider, the Stellar network and its validators, RPC providers, third-party block explorers, third-party analytics services chosen by you, decentralised exchanges, Swap Providers, Oracles, blockchain analytics or compliance providers. The privacy practices of those third parties are governed by their own privacy notices, which you should review separately.
The Operator is incorporated in the Republic of Panama and operates the Site from outside the European Economic Area. The processing of personal data described in this Policy is, accordingly, primarily subject to the data-protection law of the Republic of Panama, namely Law No. 81 of 26 March 2019 on the Protection of Personal Data and its implementing regulations (the "Panama Data Protection Law"), under the supervision of the Autoridad Nacional de Transparencia y Acceso a la Información (the "ANTAI") acting in its capacity as the competent data-protection authority of the Republic of Panama.
In addition, because the Site is generally accessible to users worldwide, including residents of the European Union and the European Economic Area, the Operator processes personal data of data subjects who are in the EU/EEA. To the extent that the Operator's processing of personal data of data subjects in the EU/EEA falls within the territorial scope of Article 3(2) GDPR, the GDPR applies to such processing. Where this Policy refers to the GDPR, those references are made for the benefit of EU/EEA data subjects; equivalent rights and obligations may arise under other applicable data-protection laws (including, without limitation, the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act, the Brazilian Lei Geral de Proteção de Dados, or any analogous law that may apply to the relevant data subject). The Operator gives effect to such laws to the extent that they are mandatorily applicable to the processing concerned.
2.1. Scope as at the date of this Policy
As at the date of this Policy, the Operator makes available, through the Site, a graphical user interface to open (permissionless) Pools of the Protocol — that is, Pools that any User may access by connecting a self-custodial wallet, without prior identity verification, registration or allow-listing.
The categories of personal data, the purposes of processing, the recipients and the retention periods described in this Policy are calibrated to that scope.
Should the Operator in the future enable additional features — including, in particular, permissioned Pools, Pools comprising real-world assets (RWAs), institutional onboarding subject to KYC/AML procedures, fiat on-/off-ramps, or any analogous feature requiring the collection of additional categories of personal data or involving additional recipients — the Operator will update this Policy before such features become operational, or, where appropriate, will publish a separate notice addressed to the Users concerned.
Continued use of any such additional feature after the relevant update or notice will be subject to the updated Policy or notice (and, where required by Applicable Law, to the User's prior consent).
3. Wallet Addresses, the Public Blockchain and the Limits of this Policy
Two characteristics of the Services materially affect the application of this Policy and you should bear them in mind throughout.
(a) Wallet addresses are treated as personal data. Each Stellar wallet address is a unique alphanumeric identifier that, when combined with the on-chain transactions associated with it, can be used — by the Operator or by any third party with access to the Stellar ledger — to single you out, to monitor your behaviour or to link further information to you. For the purposes of this Policy and consistent with the prevailing interpretation of Article 4(1) GDPR and Recital 30 GDPR, the Operator treats wallet addresses (and the on-chain data associated with them) as personal data, even though they do not by themselves contain a person's name or contact details.
(b) On-chain data is public and effectively immutable. Any data that you cause to be recorded on the Stellar ledger by interacting with the Protocol — including your wallet address, the transactions you sign, the positions (Obligations) you build, your supply, borrow and collateral balances and the timestamps of your interactions — is broadcast to and stored by the Stellar network. Such data is publicly accessible to any third party (for example, through a block explorer or through blockchain-analytics services), is replicated across multiple nodes, and cannot be amended, removed or deleted by the Operator. The Operator does not control the Stellar network and does not act as a controller in respect of the further processing of on-chain data by third parties. As a consequence, where this Policy describes rights such as the right to erasure or the right to rectification, those rights are necessarily limited in respect of on-chain data. The Operator will give effect to your rights to the maximum extent that the Operator is technically and legally able to do so on its own systems, but it cannot procure the deletion or amendment of data recorded on the Stellar ledger or held by independent third parties.
Before connecting a wallet, you should consider whether you are comfortable with the public and immutable nature of on-chain data.
4. Categories of Personal Data Processed
The Operator processes only the limited categories of personal data set out below. The Operator does not, in connection with the Services as currently offered, collect identity documents, photographs, video recordings, proof of address, source-of-funds documentation, payment-card details, telephone numbers, postal addresses, dates of birth, government-issued identifiers, or any special categories of personal data within the meaning of Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data or sexual orientation).
4.1. Wallet and on-chain data
When you connect your wallet to the Site (for example, by means of WalletConnect-compatible protocols or supported wallet extensions such as Freighter), the Operator processes the following data:
- your Stellar wallet address (and, where relevant, an associated ObligationKey identifying a specific position);
- on-chain data associated with that address, including transaction history, positions (Obligations) within the Protocol, supply, borrow, collateral and Multiply balances, fees paid, the timestamps of such transactions and any other state recorded on the Stellar ledger as a result of your interaction with the Protocol;
- any further on-chain data of yours that is publicly available on the Stellar ledger and that the Operator may consult to display the user interface (such as native asset balances or trustlines).
Such data is generated automatically by your interaction with the Stellar network. The Operator does not write this data into the Stellar ledger; it is recorded by the Stellar network as a consequence of the transactions that you sign with your wallet. The Operator reads such data from the public Stellar ledger in order to display it to you and to enable you to interact with the Protocol.
4.2. Technical data automatically generated when you visit the Site
When you access the Site, the following technical data may be automatically processed by the Operator and by the infrastructure providers that host or protect the Site (including, for example, content-delivery networks and DDoS-protection services):
- IP address of the device used to access the Site (typically truncated or pseudonymised at the earliest practicable opportunity);
- approximate geographic location derived from such IP address (typically at country level, used to enforce the geographic restrictions set out in the Terms of Service);
- information about the device, browser and operating system used to access the Site (including type, version and language);
- date and time of access, pages visited, features used and similar usage information;
- referrer URL and any campaign-tracking parameters (where applicable).
4.3. Local browser settings
Certain non-personal user-interface settings (such as the choice between Stellar Testnet and Public network, theme preferences, dismissal of notifications and similar interface state) may be stored locally in your browser (for example, in browser local storage). Such information remains on your device and is not transmitted to or stored by the Operator unless this Policy or the Site indicates otherwise.
4.4. Information you choose to provide
If you contact the Operator (for example, by email at support@alula.finance, or through any community channel made available by the Operator), the Operator will process the personal data that you choose to include in such communication, including any contact identifier (such as an email address, Telegram or Discord handle), the content of your message and any attachments.
4.5. Data not collected
The Site, as currently offered, does not include a registration form, does not require you to create an account and does not request an email address, password, telephone number or other identification information as a precondition to interacting with the open (permissionless) Pools of the Protocol. The foregoing is without prejudice to information that you may voluntarily provide under Section 4.4.
5. Purposes of Processing and Legal Bases
The Operator processes personal data for the purposes and on the legal bases set out below. Where Users are located in the EU/EEA, the relevant legal bases are those of Article 6(1) GDPR; equivalent legal grounds may apply under other data-protection laws.
5.1. To provide and operate the Site and the Services
The Operator processes wallet, on-chain and technical data in order to display the Site to you, to read your positions and balances from the Stellar ledger, to compose and submit transactions to your wallet for signing, to enforce the Terms of Service, and otherwise to make the Services available.
The legal basis is Article 6(1)(b) GDPR (performance of a contract to which the data subject is party, namely the Terms of Service, or in order to take steps at the request of the data subject prior to entering into such contract).
5.2. To comply with sanctions, anti-money-laundering and other legal obligations
The Operator may screen wallet addresses, IP addresses and approximate geographic location against publicly available sanctions and high-risk lists (including those administered by the United Nations, the European Union, the United States Office of Foreign Assets Control, His Majesty's Treasury and analogous authorities), restrict access to the Site from Restricted Jurisdictions and respond to lawful requests from competent authorities.
To the extent that such processing is required by law applicable to the Operator, the legal basis is Article 6(1)(c) GDPR (compliance with a legal obligation). To the extent that such processing is undertaken to protect the integrity of the Services and the legitimate interests of the Operator and other Users, the legal basis is Article 6(1)(f) GDPR (legitimate interests pursued by the controller, as further described in Section 5.5).
5.3. To prevent fraud, abuse and security incidents
The Operator processes technical data and, where appropriate, wallet and on-chain data, in order to detect, investigate and prevent fraud, exploits, malicious activity, abuse of the Services, denial-of-service attacks and similar security incidents, and to protect the rights and property of the Operator and other Users.
The legal basis is Article 6(1)(f) GDPR (legitimate interests).
5.4. To respond to enquiries
Where you contact the Operator, the Operator processes the personal data you provide in order to respond to your enquiry.
The legal basis is Article 6(1)(b) or 6(1)(f) GDPR depending on the context.
5.5. Legitimate-interest balancing
Where processing is based on Article 6(1)(f) GDPR, the Operator's legitimate interests are:
- operating, securing and improving the Site and the Services;
- protecting the integrity of the Protocol, the Operator and other Users against fraud, abuse, money laundering, sanctions violations and other unlawful activity;
- defending its legal rights and complying with regulatory expectations applicable to virtual-asset services; and
- maintaining a sustainable and lawful business.
The Operator has assessed those interests against the rights and freedoms of the data subjects and considers, in light of the limited categories of personal data processed and the nature of the Services, that such processing does not override the rights and freedoms of data subjects. You may object to such processing on grounds relating to your particular situation in accordance with Section 8.
6. Recipients of Personal Data and Third Parties
The Operator does not sell, rent or trade your personal data. Personal data may, however, be made available to or processed by the following categories of recipients:
6.1. The Stellar network and any person consulting the public ledger
As described in Section 3, on-chain data is, by design, broadcast to the Stellar network and made available to any person who consults the public Stellar ledger or any third-party block explorer. The Operator does not control such further processing. The fact that on-chain data is publicly available is an inherent feature of public blockchains and an unavoidable consequence of using the Services.
6.2. Infrastructure and IT service providers
The Operator engages reputable third-party providers to host, deliver, secure and operate the Site. Such providers may, in the course of providing their services, process technical data on the Operator's behalf as data processors within the meaning of Article 28 GDPR. Categories of such providers currently include, without limitation, cloud-hosting and content-delivery providers, DDoS-protection providers, log-management and error-monitoring providers, and providers of Stellar RPC and indexing services.
The Operator selects providers offering appropriate technical and organisational measures and enters into data-processing agreements with them where required.
6.3. Compliance and analytics providers
In connection with the open (permissionless) Pools of the Protocol described in Section 2.1, the Operator does not transfer personal data to fiat on-/off-ramp providers or to KYC providers. For the purpose of blockchain analytics and Wallet Address screening as described in Section 12(b) of the Terms of Service, and with the sole purpose of identifying Wallet Addresses associated with sanctions, criminal activity or other prohibited counterparties, the Operator transmits the User's Wallet Address — and no other category of personal data — to an analytics or screening service.
The legal basis for such transfer and the safeguards applicable to any international transfer will be set out in this Policy and updated before any change in processing arrangements takes effect.
Geographic restrictions described in the Terms of Service are enforced through technical means (such as IP-based geo-blocking) operated by the Operator and its infrastructure providers.
Should the Operator in the future introduce features that require KYC, AML or other identity-verification procedures (in particular, in connection with permissioned Pools, real-world asset Pools or institutional onboarding), additional categories of personal data may be collected and additional recipients (including, where relevant, fiat on-/off-ramp providers, KYC providers and regulated financial intermediaries) may receive such personal data. In any such case, this Policy will be updated and, where required by Applicable Law, the affected Users will be separately informed and, where applicable, their consent will be obtained, before such processing begins.
6.4. Public authorities and legal proceedings
The Operator may disclose personal data where required by applicable law, by a binding order, request or similar measure issued by a competent authority, or where reasonably necessary to establish, exercise or defend legal claims, to comply with judicial proceedings, court orders or legal process, or to protect the rights, property or safety of the Operator, its users or third parties.
6.5. Successors and acquirers
In the event of a merger, acquisition, restructuring, sale of assets or comparable corporate transaction (including in the context of any bankruptcy or analogous proceeding) involving the Operator, personal data may be transferred to the relevant counterparty, subject to the protections required by applicable data-protection law and to a continuation of the protections set out in this Policy.
7. International Transfers
The Operator is established in the Republic of Panama. Some of the recipients identified in Section 6 are also established outside the European Economic Area, including in jurisdictions that have not been recognised by the European Commission as offering an adequate level of protection of personal data.
Where personal data of EU/EEA data subjects is transferred to a country outside the EEA in the absence of an adequacy decision, the Operator will rely on appropriate safeguards within the meaning of Article 46 GDPR, in particular the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented where necessary by additional technical, organisational and contractual measures consistent with the Court of Justice of the European Union's judgment of 16 July 2020 (Case C-311/18, "Schrems II").
You may obtain further information about such transfers and a copy of the relevant safeguards by contacting the Operator at support@alula.finance.
In addition, by the inherent nature of public blockchains, on-chain data described in Section 4.1 is broadcast to and replicated across nodes of the Stellar network located worldwide, including in jurisdictions outside the EEA. Such cross-border replication is necessary for the operation of the Stellar network and forms an inherent feature of the Services.
8. Your Rights
Subject to applicable data-protection law and to the limits described in Section 3, you have the following rights in respect of personal data concerning you that is processed by the Operator:
- Right of access — to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, to obtain a copy of such personal data and information about the processing (Article 15 GDPR);
- Right to rectification — to obtain the rectification of inaccurate personal data, and to have incomplete personal data completed (Article 16 GDPR);
- Right to erasure — to obtain the erasure of personal data concerning you in the circumstances set out in Article 17 GDPR;
- Right to restriction — to obtain the restriction of processing in the circumstances set out in Article 18 GDPR;
- Right to data portability — to receive personal data concerning you that you have provided in a structured, commonly used and machine-readable format, and to transmit such data to another controller, in the circumstances set out in Article 20 GDPR;
- Right to object — to object, on grounds relating to your particular situation, to processing of personal data concerning you that is based on legitimate interests (Article 6(1)(f) GDPR), in accordance with Article 21 GDPR;
- Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before such withdrawal;
- Right to lodge a complaint — to lodge a complaint with a competent supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).
You may exercise the above rights by contacting the Operator at support@alula.finance. The Operator may, before responding, take reasonable steps to verify your identity, including by requiring you to demonstrate control of the wallet address concerned by signing a designated message with that wallet.
Equivalent rights — including, in particular, rights of access, rectification, cancellation, opposition and portability — are guaranteed to data subjects in the Republic of Panama by the Panama Data Protection Law. Such data subjects may also lodge a complaint with the ANTAI in respect of the processing of their personal data by the Operator. The Operator gives effect to such rights in accordance with the procedures and deadlines provided by the Panama Data Protection Law and its implementing regulations.
Equivalent rights granted by other data-protection laws applicable to a data subject (such as those listed in Section 2) are likewise honoured by the Operator to the extent mandatorily applicable.
8.1. Practical limitations relating to on-chain data
As explained in Section 3, on-chain data is technically and effectively impossible for the Operator to alter or erase. In particular:
- where you exercise the right to rectification or the right to erasure in respect of on-chain data, the Operator can take steps only on its own off-chain systems (for example, by ceasing to associate the relevant wallet address with you in the Operator's own logs, by deleting off-chain copies, or by ceasing further processing on the Site); the Operator cannot remove or amend the underlying records on the Stellar ledger;
- where the Operator engages a processor whose own systems retain off-chain copies of on-chain data, the Operator will use reasonable efforts to procure that such processor likewise gives effect to your request to the maximum extent technically possible;
- you should consider these limitations carefully before connecting a wallet to the Site or signing any transaction.
9. Retention
The Operator retains personal data only for as long as is necessary for the purposes for which it is processed, in accordance with the following principles:
- on-chain data described in Section 4.1 remains on the Stellar ledger indefinitely, by virtue of the immutability of the Stellar network; the Operator has no control over such retention;
- technical data described in Section 4.2 (including IP address and access logs) is typically retained for a period of up to twelve (12) months, save where a longer retention period is necessary to investigate or defend against a security incident, fraud, abuse, sanctions violation or other unlawful conduct, or where a longer period is required by applicable law;
- records of sanctions screening and similar compliance checks may be retained for the period required to evidence compliance with applicable law (typically up to five (5) years);
- correspondence with the Operator (Section 4.4) is retained for the period necessary to address your enquiry and, thereafter, for a reasonable period to evidence the response, taking into account applicable limitation periods;
- data processed on the basis of consent is retained until the consent is withdrawn or until the purpose of processing is fulfilled, whichever occurs first.
Upon expiry of the relevant retention period, personal data is deleted or, where deletion is not possible (in particular, in respect of on-chain data and immutable backup media), securely isolated until deletion is feasible.
10. Security
The Operator implements appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful access, alteration, disclosure or destruction, accidental loss and other unlawful forms of processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for the rights and freedoms of data subjects (Article 32 GDPR).
Such measures include, without limitation, encryption of data in transit, access controls, segregation of duties, logging, periodic review of access rights and the careful selection of vendors offering appropriate guarantees.
Notwithstanding the above, no system of electronic transmission or storage can be guaranteed to be entirely secure. You are responsible for the security of your wallet, your private keys, your seed phrase and the device used to access the Site, as further described in the Terms of Service. The Operator is not in a position to recover lost private keys, to reverse transactions signed with your wallet, or to prevent the consequences of a compromise of your own equipment.
11. Cookies and Similar Technologies
The Site may use cookies and similar technologies (such as browser local storage) for the limited purposes set out below. Where required by Article 5(3) of Directive 2002/58/EC (the "ePrivacy Directive") as transposed in the relevant EU/EEA Member State, the Operator obtains your consent before storing or accessing non-essential information on your device, by means of a consent banner displayed on first access to the Site.
11.1. Strictly necessary cookies and storage
The Operator uses cookies and local-storage entries that are strictly necessary for the operation of the Site, including for security (such as DDoS protection and bot mitigation provided by content-delivery networks), for the storage of non-personal user-interface settings (as described in Section 4.3) and for compliance with these Terms (such as the recording of your acknowledgement of risk warnings). Such items do not require your consent under applicable law.
11.2. Analytics and performance
The Operator may use privacy-respecting analytics tools to understand how the Site is used and to improve its performance. Where such analytics involve the storage or access of information on your device that is not strictly necessary for the operation of the Site, they are activated only with your prior consent (where required by applicable law). You may withdraw your consent at any time through the cookie-preference controls available on the Site or through your browser settings.
11.3. No cross-site advertising tracking
The Operator does not use the Site to engage in cross-site advertising tracking and does not share personal data with third-party advertising networks for the purpose of targeted advertising.
12. Children
The Site and the Services are not directed to, and are not intended for use by, persons under the age of eighteen (18). The Operator does not knowingly collect personal data from minors. If the Operator becomes aware that personal data of a minor has been collected, it will take steps to delete such data without undue delay.
13. Changes to this Policy
The Operator may update this Policy from time to time, in particular to reflect changes to the Services, to applicable law or to the Operator's practices. The updated Policy will become effective upon publication on the Site, with a revised "Last updated" date. Where the changes are material, the Operator will use reasonable efforts to bring the changes to your attention (for example, by means of a notice displayed on the Site upon wallet connection). Your continued use of the Site or the Services after the effective date of any update constitutes your acceptance of the revised Policy.
14. Governing Law of this Policy
This Privacy Policy is governed by the laws of the Republic of Panama, in particular the Panama Data Protection Law referred to in Section 2. Nothing in this Section affects, derogates from or limits any mandatory right granted to a data subject by the GDPR or by any other data-protection law applicable to the data subject in his or her jurisdiction; such rights remain available to the data subject and are honoured by the Operator in accordance with this Policy.
15. Contact
For any question, request or complaint concerning this Policy or the processing of personal data by the Operator, please contact:
Operator: Alula Finance Corp.
Registered office: 55th Street East, SL55 Building, 21st Floor, Office 3, Panama City, Republic of Panama
Email: support@alula.finance