Privacy Policy for MyTonWallet

Effective Date: November 4, 2025

This Privacy Policy ("Policy") explains how My Wallet Apps Ltd., a company registered on September 3, 2025, under the laws of the British Virgin Islands with company registration number 2186197 ("we," "us," or "our"), handles information in connection with your use of the MyTonWallet application and related services.

Our commitment is to your privacy and the principles of data minimization. We have designed our services to function without collecting data that directly identifies you, such as your name or email address.

By accessing, browsing, or otherwise making use of MyTonWallet, you acknowledge that you have read, understood, and agree to the terms of this Policy. If you do not agree with this Policy, you must immediately stop using the application.

Please note that ceasing to use MyTonWallet does not affect your ownership of or access to your digital assets, as they are stored on the blockchain and not controlled by MyTonWallet itself. You can manage your digital assets at any time by any other compatible wallet software.

This Policy has been developed with due consideration of the guidelines of the European Data Protection Board on the processing of personal data in blockchain technologies, adopted on 8 April 2025.

1. Core Principles

1.1. Our Privacy Philosophy. The core functionality of MyTonWallet is designed to be "userless" and operate without collecting personal data that directly identifies you, such as your name, email, or phone number. You are not required to create an account or register to use the core features of our non-custodial wallet. Our goal is to minimize data collection while providing you with a secure and convenient tool to interact with the blockchain and manage your assets.

1.2. Our Commitment to Transparency. To provide a secure and functional platform, and to enable specific services like staking, we must process a limited set of both technical and transactional data. We are committed to being fully transparent about our data practices. The following sections provide a detailed description of what data we process, why we do it, and for how long it is stored.

1.3. Blockchain Disclaimer (PLEASE READ CAREFULLY!). MyTonWallet is a multi-chain software interface designed to help you interact with different blockchain networks. Our fundamental purpose is to enable user access to these decentralized ecosystems. Our use of public and permissionless blockchain technology is not an optional choice but is inherent and essential to the very service we provide.

It is critical for you to understand the fundamental nature of these networks. Each public blockchain, such as TON or Tron, is a decentralized publicly available ledger, meaning it is not operated or controlled by us or any other single entity. The rules of each network, including what data is required for a transaction to be valid and how that data is processed and stored, are determined by that network's specific protocol, not by us. When you conduct a transaction, its details (including, but not limited to, your wallet address, the recipient's address, and the transaction amount) are broadcasted to this public network, verified by its participants, and permanently recorded in this public ledger ("On-Chain Data"). This has several important consequences for your data:

  • Public and Permanent by Design. All data recorded on the blockchain is visible to anyone in the world with an internet connection;
  • Immutability. Once data is recorded on the blockchain, it cannot be altered or deleted. It is permanent;
  • Global Data Distribution. Due to the decentralized nature of public blockchains, your On-Chain Data is copied, stored, and distributed across a global network of computers (nodes). This means your data will be replicated in numerous countries around the world, including those that may not offer the same level of data protection as your country of residence;
  • Limitation of Data Protection Rights. Due to the immutable and decentralized nature of blockchain technology, certain data protection rights, such as the "right to erasure" or the "right to rectification", are technically impossible to exercise for data that has been recorded on-chain.

1.4. Roles Under Data Protection Law.

  • Your Role as the Controller for General Transactions. Data protection laws define a "controller" as the person or entity who decides the "why" and "how" personal data is processed (the "purposes and means"). For your general, self-initiated on-chain transactions (like sending funds), you act as the sole data controller. You alone determine the purpose and the key elements of the transaction:

    • a) The Purpose: You decide why you are making a transaction (e.g., to send funds);
    • b) The Means & Data: You exclusively determine the key elements of the transaction, deciding upon the recipient's address, the amount, when to send it, and what, if any, additional information to include.

    MyTonWallet does not initiate, approve, or have knowledge of the purpose of these transactions. We provide a non-custodial software tool that acts on your explicit instructions. For these reasons, you, and not MyTonWallet, are the controller of this data. You are solely responsible for this data, and we urge you to carefully consider the permanent and public nature of the blockchain before proceeding.

  • Our Role as a Data Controller. MyTonWallet acts as a data controller in two specific contexts. First of all, we are the controller for the limited technical and communication data that we process on our servers to secure and operate our services. Furthermore, when you choose to use our specific financial services (such as our swap aggregator or staking), we also act as a controller for the data strictly necessary to provide that service. In these situations, you are instructing us to process your On-Chain data to fulfill a service you have requested.

  • The Role of the Blockchain Network. Network participants who merely validate and add transactions to the blockchain without determining their purpose or means (such as network validators) are generally not considered data controllers for those transactions. They act as part of the decentralized infrastructure on which your data is recorded at your instruction. This reinforces that the ultimate responsibility and control over On-Chain Data lie with you, the user.

1.5. Age Limitation. Our services are not directed to or intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under this age. By using MyTonWallet, you represent and warrant that you are at least 18 years old.

1.6. If you are a parent or guardian and you become aware that your child has provided us with personal data without your consent (for example, by contacting our support service), please contact us immediately at https://t.me/mysupport. If we become aware that we have inadvertently collected personal data from a child under the age of 18, we will take immediate and reasonable steps to delete that information from our systems.

2. Data We Process, Purpose, and Legal Basis

2.1. This section details the limited data we process to ensure the security and functionality of our services, the specific purposes for which we use it, and the legal grounds for its processing under data protection laws.

2.2. Off-Chain Data We Process. While we do not require you to provide directly identifying information, we process the following categories of data that are not recorded on the blockchain ("Off-Chain Data"):

  • Security Log Data. To protect our services and infrastructure, our servers automatically process technical information, which includes your IP address. This data is essential for identifying and mitigating security threats such as DDoS attacks and fraudulent activity;
  • Unique Anonymous Identifier. We generate a unique, random identifier for your application installation. This identifier is not linked to your real-world identity and is used for anonymized product analytics to improve user experience. Specifically, we use it to analyze high-level user engagement metrics like session duration and retention. This helps us understand, for example, whether a new feature encourages users to return to the app;
  • Aggregated Technical Data. We collect fully anonymized, non-personal data for statistical purposes, such as your country (derived from your IP address), device platform, and app version;
  • Communications with Support Service. If you choose to contact our support service (e.g., via Telegram), we will inevitably process the data associated with your profile (such as your username and the content of your message) solely for the purpose of responding to your inquiry and providing assistance. We ask that you do not share any unnecessary personal or sensitive information in your support requests.

2.3. On-Chain Data We Process. When you use certain integrated financial services in MyTonWallet application, we process publicly available On-Chain Data for specific purposes. This includes:

  • Staking Services. When you use our integrated staking services, we process On-Chain data to provide you with the specific benefits of each program. While the user interface is similar, the purposes differ:
    • Liquid Staking. The purpose of this service is to allow you to earn network rewards (e.g., in TON). When you participate, we process your wallet address and the amount of staked assets to manage your position in our validator pool and accurately distribute your network rewards;
    • $MY Token Staking. The purpose of staking our native utility token ($MY) is to grant you access to specific in-app benefits (such as swap fee waivers), in addition to any rewards earned in $MY. To make this possible, our system processes the on-chain link between your wallet address and your staked $MY balance to automatically verify your eligibility for these benefits.
  • Swap Aggregator. Our swap aggregator is a tool that searches multiple decentralized exchanges to find the best possible rate for your trade. When you initiate a swap, we process your transaction data. This data is necessary for our system to construct the optimal transaction route for your approval, facilitate the exchange and administer any related rewards programs.

2.4. Biometric Authentication. For your convenience and enhanced security, our application allows you to use your device's native fingerprint authentication to confirm actions. We want to be perfectly clear: we do not collect, store, receive, or have any access to your biometric data (fingerprint). The entire authentication process is handled securely within your device's operating system (e.g., Apple's Touch ID or Android's Biometric Prompt). Your biometric data never leaves your device. Our application only receives a confirmation from the operating system that the authentication was successful.

2.5. Purpose of Processing. We process the data described above for the following specific purposes:

  • To Secure Our Platform: Ensuring the security, stability, and integrity of our services is our top priority. This includes protecting our platform from malicious activity and ensuring we adhere to our legal obligations. As part of these efforts, we enforce geographical restrictions to comply with applicable international sanctions, laws, and regulations;
  • To Ensure Core Functionality: Processing technical data is necessary for the Platform to operate correctly;
  • To Improve Our Services: We use aggregated and anonymized data to understand usage patterns, analyze feature popularity, and optimize the user experience. This data is always used in a way that does not identify individual users;
  • To Provide and Manage Financial Services and Benefits: We process your data to deliver the specific services you request, such as managing our staking pools to accurately distribute your rewards, or verifying $MY balance staked with your wallet address to grant you access to in-app benefits;
  • To Provide User Support: Responding to your inquiries and providing assistance.

2.6. Legal Basis for Processing. We rely on different following legal bases under data protection laws for our processing activities.

2.6.1. Performance of a Contract. We process your On-Chain Data described above because it is necessary to provide the financial services you request, which form a contract between you and us. This includes processing your transaction data to facilitate an exchange via our swap aggregator, as well as processing your wallet address and staked asset amounts to manage your position in our staking programs and to verify your eligibility for benefits related to staking the $MY token, and any other related rewards.

2.6.2. Our legal basis for processing other data described above is Legitimate Interests. This means we process data because it is necessary for us to operate our service effectively and securely. We do not rely on your consent for this essential processing, as providing a secure, functional, and supported platform cannot be optional. Our legitimate interests are:

  • Operating, maintaining, and securing our application. This includes protecting our platform, our users, and our infrastructure from security threats, ensuring stability, and enforcing our Terms of Use;
  • Improving our application. Analyzing anonymized usage patterns allows us to understand which features are popular, and make informed decisions about future development of MyTonWallet;
  • Providing user support. When you contact our support service, we process the data you provide (such as your Telegram username and the content of your message) to assist you. Our legitimate interest is to provide timely and effective support to our users. As you initiate the contact, you have a reasonable expectation that we will process your data to provide a response, and this processing is not overridden by your fundamental rights.

2.7. Under data protection laws, relying on legitimate interests requires us to carefully balance our interests against your fundamental rights and freedoms. We have conducted this balancing test and concluded that our processing is justified for the following reasons:

  • Minimal Privacy Impact. We process a very limited scope of technical data for a short period. We do not collect directly identifying information, and analytical data is always anonymized or aggregated. We do not use this data for profiling or for making automated decisions that affect you;
  • Reasonable User Expectation. Users reasonably expect a secure and stable application and the ability to receive support. This aligns with global data protection principles, as the General Data Protection Regulation (Recital 49) and other data protection laws recognize that processing personal data to the extent strictly necessary for ensuring network and information security constitutes a legitimate interest. Similarly, users who initiate contact with our support service reasonably expect their inquiry to be processed to provide a response;
  • Commitment to Data Protection by Design. Our commitment to protecting your data is a key part of our justification. We build our services on the principles of data minimization and continuously assess risks. This proactive approach includes our readiness to conduct a formal Data Protection Impact Assessment (DPIA) for any new feature that could pose a high risk to your rights, demonstrating that we prioritize user privacy throughout our development process.

2.8. Your Right to Object. Because we rely on legitimate interests, you have the right to object to our processing of your technical data on grounds relating to your particular situation. You can find a detailed explanation of this right and how to exercise it in Section VIII.

3. Third-Party Services

3.1. We, particularly within the "Explore" section, may provide links and access to third-party websites, applications, protocols, or services (collectively, "Third-Party Services") that are not owned, controlled, or operated by MyTonWallet. These links are provided for your convenience and informational purposes only.

3.2. No Endorsement or Control. The inclusion of any link to a Third-Party Service does not constitute an endorsement, approval, vetting, or recommendation by MyTonWallet. We have no control over, and assume no responsibility for, the content, functionality, or privacy policies of any Third-Party Service. We do not monitor or review these external services.

3.3. Your Responsibility and Assumption of Risk. Your interaction with any Third-Party Service is solely at your own risk. This applies especially to financial activities such as staking tokens with third-party projects or validators, where we act only as an interface. We strongly advise you to conduct your own due diligence and to carefully read the terms of service and privacy policy of any Third-Party Service before providing them with any information or engaging in any transactions.

3.4. MyTonWallet shall not be responsible or liable, directly or indirectly, for any damage, loss, or other harm, including financial loss, caused or alleged to be caused by or in connection with your use of or reliance on any Third-Party Service accessed through our platform.

4. Cookies and Similar Technologies

4.1. MyTonWallet does not use cookies or similar tracking technologies on its platform. We do not store data on your device to monitor your preferences, track your behavior across different sites, or deliver personalized advertising.

4.2. Distinction from Internal Analytics. For clarity, the essential, anonymized internal analytics we collect (as detailed in Section II) are for the sole purposes of ensuring security, maintaining core functionality, and improving our services by understanding usage patterns. These practices are distinct from the cross-site tracking described above and do not rely on cookies or similar technologies.

5. Data Sharing and Disclosure

5.1. Our core principle is to limit the sharing of your data. We do not sell or rent your personal data to any third parties for marketing or any other purposes. We only share data in the limited circumstances detailed below.

5.2. To develop, operate, and improve our services, we may share the technical data we process with our development partners. This company acts as a data processor on our behalf, operating strictly under our instructions. Access to data is provided for specific purposes such as technical support, development, and security analysis. We have implemented strict data protection agreements between our companies to ensure your data remains secure and is processed only in accordance with this Policy.

5.3. To provide our services, we operate on a global scale. Our technical infrastructure, support teams, and affiliated legal entities are located in various countries. Therefore, it is operationally necessary for us to process and transfer your limited personal information across borders. When we transfer your data outside of your country of residence, we ensure it is protected by implementing suitable technical, organizational, and contractual safeguards (such as Standard Contractual Clauses), as required by applicable data protection rules.

5.4. We may disclose the technical data we hold if we believe in good faith that such disclosure is strictly necessary to:

  • Comply with applicable law or to respond to a valid and legally binding order from a competent court or law enforcement agency, which we are compelled to follow. The Company is committed to challenging overly broad or questionable requests whenever legally feasible;
  • Protect the security or integrity of our application;
  • Prevent or investigate possible wrongdoing in connection with the service.

We will only disclose data when legally compelled to do so and will aim to provide the minimum amount of information required.

5.5. We also may engage trusted third-party companies and individuals to provide essential services on our behalf. This includes infrastructure and hosting providers who have access to the technical data we process only to perform these tasks on our behalf. They are bound by contractual obligations to keep this data confidential and secure and are prohibited from using it for any other purpose.

6. Data Retention

6.1. In accordance with the data protection principle of storage limitation, we do not store personal data for longer than is necessary for the purposes for which it was processed. Our retention periods for different categories of Off-Chain Data are detailed below.

6.2. Retention Periods by Data Category.

  • Security Log Data (IP Addresses). We retain security logs containing your full IP address for 90 days from the date of collection. After this period, the logs are automatically deleted or fully anonymized. This period is necessary to investigate and mitigate security incidents;
  • Communications with Support Service. Data from your communications with our support team is retained for as long as necessary to resolve your inquiry and for a reasonable period afterward (typically 6 months) to handle any follow-up questions. You may also request the deletion of this data at any time;
  • Anonymized Analytical Data. Aggregated and fully anonymized data that cannot be linked to any individual may be retained for longer periods for statistical and product improvement purposes;
  • Unique Anonymous Identifier. We retain this identifier for 24 months from the user's last interaction with the application. This retention period is necessary to analyze long-term user retention. After this period, the identifier is deleted or fully anonymized;
  • Swap Aggregator and Staking Data. The off-chain records that link your wallet address to our integrated services are retained for as long as necessary to administer the service, plus an additional 6 months thereafter to resolve any potential disputes. After this period, these records are deleted from our database.

6.3. On-Chain Data. As stated in Section I, all data recorded on the public blockchain (such as your wallet address and transaction history) is permanent and immutable. We do not control this data, and therefore, it is not subject to our retention policies.

7. Data Security

7.1. We are committed to protecting the data we process and the integrity of our services. We implement appropriate technical and organizational measures designed to protect the limited Off-Chain Data we control from unauthorized access, alteration, disclosure, or destruction.

7.2. Our security measures are tailored to the low volume and limited sensitivity of the data we process. These measures include:

  • Encryption. We use encryption to protect data in transit and at rest;
  • Access Controls. We enforce strict access controls to ensure that our backend systems and the technical data they contain are accessible only to authorized personnel;
  • Infrastructure Security. We use trusted, secure cloud infrastructure providers to host our services;
  • Regular Assessments. We periodically review our security practices to adapt to new threats and vulnerabilities.

7.3. While we strive to implement robust security measures for our systems, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee the absolute security of the data we process.

8. Data Protection Rights

8.1. We are committed to ensuring you can exercise your rights over your data under applicable data protection laws. The applicability of these rights depends on the type of data in question: Off-Chain Data, which we process, and On-Chain Data, which we do not control.

8.2. Rights Concerning Your Off-Chain Data. You can exercise the following rights with respect to the limited technical and communication data that we control:

  • Right of Access. You have the right to request information about the personal data we hold about you. This may include security log data (such as your IP address from within our 90-day retention period) and any communications you have had with our support team;
  • Right to Erasure ("Right to be Forgotten"). You can request the deletion of personal data we control. For example, we will delete the history of your communications with our support team upon your request. Technical log data is automatically deleted on a rolling basis as described in the Data Retention section;
  • Right to Rectification. You have the right to have inaccurate personal data we hold about you corrected. This is primarily relevant for information you may have provided during a support conversation;
  • Right to Object. Where we process your data based on legitimate interests, you have the right to object to this processing on grounds relating to your particular situation. This is different from withdrawing consent. If you object, we will stop processing the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, fundamental rights, and freedoms.

8.3. Limitations Regarding On-Chain Data. As explained in Section I, MyTonWallet is an interface to public blockchains, which are immutable and decentralized public ledgers. Consequently, for any data recorded on-chain the right to erasure and the right to rectification are technically impossible to exercise once a transaction has been recorded. We have no ability to alter or delete data on the blockchain. These limitations are not a policy of MyTonWallet; they are a direct and inherent consequence of the fundamental design of the public blockchain protocols you choose to interact with. Each public blockchain is an independent, decentralized network over which we have no control or authority. Any inquiries regarding the immutable nature of a specific blockchain should be directed to the community and governance bodies of that particular network, as we have no ability to alter its core functions.

8.4. To make a request regarding your data protection rights for the Off-Chain Data we control, please contact us at https://t.me/mysupport. All requests are handled free of charge, unless they are manifestly unfounded or excessive. Please note that because our service is designed to be anonymous, our ability to verify you and fulfill your request depends on the data in question:

  • For Support Communications. To access or delete your support history, you must contact us from the same account (e.g., Telegram profile) you originally used. This is the only way we can verify that the request is genuinely from you;
  • For All Other Data (Including Technical and Service Data). We do not link data such as security logs or our internal records of your activity to a verifiable identity. Therefore, we generally cannot identify which data belongs to you. We may only be able to fulfill a request if you can provide highly specific information that allows us to locate your data, such as the exact IP address used during a specific and precise time frame.

8.5. You also have the right to lodge a complaint with a data protection supervisory authority in your country of residence if you believe your rights have been violated.

9. Concluding Provisions

9.1. Changes to This Policy. We reserve the right to update this Policy from time to time. If we make changes that we consider material, we will provide reasonable notice through the Platform (for example, by a notice on the main screen). A change will be considered "material" if it significantly alters how we collect, use, or share your data, or substantially changes your data protection rights. Examples of material changes include, but are not limited to: collecting new categories of personal data, using your data for a new purpose not previously disclosed, sharing your data with new types of third parties, or significantly extending our data retention periods. For minor changes, such as correcting typographical errors, we may not provide a specific notice. Your continued use of the Platform after any changes become effective will constitute your acceptance of the new Policy. We encourage you to regularly review the current version at https://mytonwallet.io/privacy-policy to stay informed about our data practices.

9.2. Personal Data Breach. We implement appropriate security measures to protect the limited personal data we process. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will take steps to notify you and the relevant supervisory authority as required by applicable data protection laws.

9.3. For any questions, concerns, or requests related to this Privacy Policy or your data protection rights, please contact us at https://t.me/mysupport.

9.4. This Privacy Policy and any disputes related to it shall be governed by and construed in accordance with the laws of the British Virgin Islands, without regard to its conflict of law provisions.