Privacy & Cookies Policy
Last Revised May 2026
Prometheus Solutions Inc., a corporation doing business as "Fire" ("Prometheus," the "Company," "we," "our," or "us"), respects the privacy of the individuals who visit our website, download our applications, and use the products and services we make available. This Privacy and Cookies Policy (the "Policy") describes how we collect, use, process, disclose, retain, and protect information, including Personal Information (as defined below), in connection with your access to and use of the Services (as defined below), and explains the choices and rights available to you with respect to such information.
This Policy applies to: (i) the website located at fire.co and any subdomains thereof (collectively, the "Site"); (ii) the Fire Wallet application (available as a browser extension, iOS application, and Android application); (iii) the Fire ecommerce tools; (iv) the Fire Business Suite; (v) the Fire developer API; and (vi) all related content, applications, services, tools, and features made available therein (collectively with the Site, the "Services").
For purposes of this Policy, the following terms have the meanings set forth below:
- "User," "you," and "your" mean any individual or entity that accesses, browses, downloads, installs, registers for, or otherwise uses the Services, including visitors to the Site, holders of Fire Wallet accounts, subscribers to the Fire Business Suite, merchants integrating the Company's ecommerce payment tools, and developers using the APIs.
- "Third-Party Partner" means any third-party service provider, vendor, processor, licensed financial institution, or other partner with which the Company has a contractual or commercial relationship in connection with the provision of the Services, including those identified in Section 1 of this Policy.
The Fire Wallet is a self-custody, non-custodial software interface. The Company does not hold, control, or have access to your private keys, seed phrases, or digital assets, and does not provide money transmission, custodial, exchange, or brokerage services. Certain functionality available through the Services—including fiat on/off-ramp services, token swaps, payment settlement, and identity verification—is provided by Third-Party Partners that are subject to their own terms of service and privacy policies. Your use of such functionality is subject to those third-party terms and policies in addition to this Policy.
This Policy is incorporated by reference into, and forms a part of, the Prometheus Terms of Service (the "Prometheus Terms of Service"). Capitalized terms used but not defined in this Policy have the meanings given to them in the Prometheus Terms of Service. By accessing or using the Services, you acknowledge that you have read, understood, and agree to the collection, use, disclosure, and other handling of information as described in this Policy. IF YOU DO NOT AGREE WITH ANY PROVISION OF THIS POLICY, YOU MUST NOT ACCESS OR USE THE SERVICES.
The Company reserves the right to modify, supplement, or amend this Policy from time to time in accordance with Section 10. The "Last Revised" date set forth above indicates when this Policy was most recently updated. Your continued access to or use of the Services following the effective date of any such modification constitutes your acceptance of the Policy as modified.
The Services are not intended to provide, and do not constitute, financial advice, investment recommendations, or legal counsel. Nothing provided through the Services constitutes an offer to sell or a solicitation of an offer to buy any securities, tokens, or financial instruments.
1. Types of Information Collected by Us or Third Parties
In the course of providing the Services, the Company and its authorized Third-Party Partners may collect, receive, and process several categories of information from and about Users. The categories of information collected, the manner of collection, and the purposes for which such information is used are described below.
1.1 Personal Information
For purposes of this Policy, "Personal Information" means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information collected by the Company or its Third-Party Partners may include, without limitation: (a) full legal name; (b) email address; (c) telephone number; (d) postal or mailing address; (e) username and password or other account credentials; (f) public blockchain wallet addresses associated with the User; (g) financial information, including transaction history, payment card and bank account details, and payment instrument identifiers; (h) information collected for purposes of anti-money laundering ("AML"), know-your-customer ("KYC"), and identity verification procedures; (i) government-issued identification, including driver's license, passport, national identification card, Social Security number, or taxpayer identification number; and (j) any other information that constitutes "personal information," "personal data," or analogous terms under applicable law.
1.2 Non-Personal Information
"Non-Personal Information" means information that does not, on its own, identify a specific User and is not reasonably capable of being associated with a specific User or household. Non-Personal Information may include, without limitation, aggregated, de-identified, or anonymized data; browser type and version; operating system; device type and identifiers that are not linked to a User; referring and exit pages; general geographic information derived from IP address (such as country or region); and aggregated usage statistics relating to the Services. The Company reserves the right to use, disclose, and retain Non-Personal Information for any lawful purpose, subject to applicable law.
1.3 Biometric Information
"Biometric Information" means information based on an individual's physical, physiological, or behavioral characteristics, including without limitation fingerprint, facial geometry, voiceprint, iris or retina scan, keystroke patterns, or other unique biological or behavioral identifiers. The Services may use biometric authentication, such as fingerprint or facial recognition, through the User's device hardware to authorize transactions. Biometric data processed through on-device hardware is not transmitted to or stored by the Company. The Company does not collect, receive, retain, sell, lease, trade, or otherwise profit from a User's Biometric Information processed through such on-device authentication.
1.4 Third-Party Identity Verification
Where a User accesses fiat on/off-ramp services, institutional services, or other features that require identity verification, designated Third-Party Partners providing identity verification services may request and process pictures, video, or other images of the User's face and government-issued identification documents in order to perform identity verification, sanctions screening, and regulatory compliance checks on behalf of the Company. Such Third-Party Partners do not retain extracted biometric identifiers once the applicable verification check is complete, except to the extent necessary to provide the Services or required by applicable law. The Company's collection and use of any data received from such Third-Party Partners is governed by this Policy, and the applicable Third-Party Partner's own collection and processing is governed by its respective privacy policy.
1.5 Information Collected When Accessing or Using the Services
The Company and its Third-Party Partners may collect Personal Information and Non-Personal Information when a User registers for an account, creates or imports a wallet, initiates or completes transactions, configures payment tools or integrations, uses the Fire Business Suite, accesses the developer APIs, communicates with the Company, responds to surveys or promotional offers, or otherwise interacts with the Services or with the Company.
The Services or related channels may, from time to time, provide forums, comment functions, community boards, social media features, or other public or semi-public venues in which Users may post or transmit content (collectively, "Public Venues"). Any information that a User voluntarily discloses in Public Venues, including the User's username and any Personal Information contained in the User's posts, may be read, collected, used, and redistributed by other persons, and the Company cannot control such third-party uses. Users should exercise caution when disclosing Personal Information in any Public Venue.
1.7 Information Collected by Third-Party Partners
The Company engages certain Third-Party Partners that may collect, receive, or process Personal Information in connection with the Services. The categories of such Third-Party Partners, the data they collect, the purposes for which such data is used, and links to their respective privacy policies are set forth in the table below.
| Third-Party Partner | Data Collected | Purpose and Use | Link to Third-Party Partner's Privacy Policy |
|---|---|---|---|
| ZeroEx Holdings, Inc. ("0x") | Wallet addresses, token types and amounts, transaction parameters, swap routes, IP addresses, and device or browser information transmitted in connection with swap requests. | 0x provides swap routing and aggregation services, sourcing liquidity through connected liquidity providers, market makers, and decentralized exchanges to execute token swap transactions initiated by Users through the Services. 0x collects and processes the foregoing information for purposes of trade execution, liquidity sourcing, and related operational and compliance purposes. Please read 0x's Privacy Policy for more information. | https://0x.org/legal/privacy-notice https://0x.org/legal/cookie-notice |
| BitGo Bank & Trust, National Association ("BitGo") | Name, email address, bank account or payment card information, wallet addresses, transaction amounts and history, government-issued identification, information required for fiat on/off-ramp transactions, AML/KYC and identity verification data, authorized person credentials, ACH payment and linked bank account details, and trading and settlement transaction records. | BitGo collects and processes Personal Information for purposes of digital asset custodial services, non-custodial wallet services, digital asset trading and settlement, fiat on/off-ramp transactions, ACH payment processing, AML/KYC and identity verification, sanctions screening, regulatory compliance, and fraud prevention. Please read BitGo's Privacy Policy for more information. | https://www.bitgo.com/legal/bitgo-privacy/ |
The Company is not responsible for the independent privacy practices of the Third-Party Partners identified above or any other third party. Users are encouraged to review the privacy policies of each such Third-Party Partner prior to providing Personal Information.
2. How We Collect Your Information
The Company collects information about Users through a variety of methods. The specific methods of collection are described below.
2.1 Information Collected Directly From You
The Company collects Personal Information that you voluntarily provide to us, including, without limitation, in the following circumstances:
- Registration and Account Creation. When you register for an account, create a profile, or otherwise access or use the Services, we may collect identifiers such as your name, email address, telephone number, username, password, wallet address, and postal address.
- User-Generated Content. When you post, upload, submit, or otherwise transmit content through the Services (including in any public or semi-public venue of the Services, support requests, community forums, or developer submissions), we collect the content of such communications, together with any metadata associated with them.
- Surveys, Promotions, and Research. When you participate in surveys, contests, promotions, beta programs, customer-research initiatives, or similar activities offered by the Company, we collect the information you provide in connection with your participation.
- Customer Support and Direct Communications. When you contact the Company by email, through in-Service messaging, or by other means, we collect the information you choose to share with us, including the contents of your correspondence and any documents or attachments you submit.
- Transactional Interactions. When you initiate or attempt to initiate a transaction through the Services, including fiat on/off-ramp transactions, token swaps, payment processing, or use of the Fire Business Suite (Invoice, Payroll, and Books), we collect information necessary to facilitate, record, and audit such transactions, including wallet addresses, transaction amounts, and payment details.
- Identity Verification Submissions. When you access Services requiring identity verification (such as fiat on/off-ramp services or institutional services), you may be asked to submit information, including government-issued identification, date of birth, taxpayer identification numbers, and facial images or video, either directly to the Company or to a designated third-party KYC/AML verification provider.
- Contact Form Submissions. If you submit an inquiry through the contact form on fire.co or any other contact mechanism provided by the Company, the Company will collect your name, email address, the subject of your inquiry, and the content of your message. This information is used solely to respond to your inquiry and is not added to any marketing or mailing list unless you separately opt in to receive such communications.
2.2 Information Collected Automatically
When you access or use the Services, the Company and its service providers may automatically collect certain Non-Personal Information and technical information through cookies, log files, pixel tags, software development kits, and similar technologies. Such information may include your device type, operating system, browser type and version, internet protocol (IP) address, general geographic location derived from IP address, referring and exit pages, session identifiers, pages viewed, navigation paths, session duration, and other usage data. Additional information regarding the use of cookies and similar technologies is set forth in Section 13.
2.3 Information Collected From Third Parties
The Company may receive information about you from third parties, including, without limitation, KYC/AML verification providers, on/off-ramp providers, analytics providers, sanctions-screening providers, blockchain analytics services, fraud-prevention partners, advertising and marketing partners, affiliates, and publicly available sources. The Company is not responsible for, and makes no representations regarding, the data-collection practices of any third party, and any information collected by a third party is governed by such third party's privacy policy. A description of the Third-Party Partners with whom the Company shares or from whom the Company receives Personal Information is set forth in Section 1.
2.4 Information From Blockchain Networks
Because Fire Wallet enables Users to interact with public blockchain networks, the Company may observe, query, or otherwise access information recorded on such blockchains, including wallet addresses, transaction amounts, transaction timestamps, and associated on-chain metadata. Such information is publicly accessible and is not under the Company's control. Additional disclosures regarding blockchain data are set forth in Section 9.
2.5 Combination of Information
The Company may combine information collected from the various sources described in this Section 2 with other information in its possession in order to operate the Services, comply with applicable law (including AML, counter-terrorism financing, and sanctions requirements), and otherwise pursue the purposes described in Section 3.
2.6 Online Tracking and Do Not Track Signals
Certain web browsers and other user agents may transmit "Do Not Track" ("DNT") signals or similar privacy preference indicators to the websites and online services that the User visits. There is no universally accepted standard governing how online services should interpret or respond to such signals. Accordingly, the Company does not currently recognize or respond to DNT signals or other similar mechanisms transmitted by web browsers. The Company will continue to monitor developments regarding DNT and similar technologies and may revise this practice in the future. For information on how to manage cookies and similar technologies, please refer to Section 13.
3. Use and Processing of Your Information by the Company
The Company collects, uses, and processes Personal Information, Non-Personal Information, and other information as described in Section 1 for the business, operational, legal, and compliance purposes set forth in this Section 3. By accessing or using the Services, you acknowledge and consent to the Company's collection, use, and processing of your information for the following purposes:
- To provide, operate, maintain, and deliver the Services and any products, features, or functionality you request;
- To facilitate financial transactions, payment processing, fiat on/off-ramp services, token swaps, and settlement through the Services and through the Company's financial services partners, and to route, confirm, reconcile, and complete such transactions;
- To establish, administer, maintain, and service your account, including authenticating your access, processing your registration, managing account preferences, and providing account-related support;
- To communicate with you regarding your account, transactions, security alerts, technical notices, updates, and changes to features, functionality, terms, or policies, and to respond to your inquiries, requests for support, and other communications directed to the Company;
- To ensure the consistency of the Services and our business operations with applicable local, state, federal, and international laws, rules, and regulations;
- To personalize and tailor content, features, recommendations, and user experiences delivered through the Services;
- To detect, investigate, prevent, mitigate, and respond to illegal activity, fraud, security incidents, unauthorized access, abuse of the Services, and violations of the Prometheus Terms of Service, this Policy, or other applicable Company policies;
- To optimize, improve, develop, test, and enhance the Services, including the design, performance, reliability, and security of the Fire Wallet, the fire.co website, the Fire Business Suite, and the developer APIs;
- To personalize and improve user experiences across the Services, including by adapting interfaces, default settings, and supported functionality to your usage patterns;
- To monitor and analyze usage, traffic, navigation paths, session activity, performance metrics, and trends relating to the Services, in the aggregate and on an individualized basis where appropriate;
- To verify your identity, residency, and location, and to conduct AML, KYC, customer due diligence, enhanced due diligence (including with respect to politically exposed persons), and beneficial ownership procedures, and to connect such verifications to your historical transaction and account data, in each case through the Company's designated third-party verification providers;
- To screen wallet addresses, counterparties, customers, beneficial owners, and transactions against the Specially Designated Nationals and Blocked Persons List maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") and other sanctions, watchlist, and embargo lists maintained by applicable governmental and regulatory authorities, and to enforce geographic restrictions on comprehensively sanctioned jurisdictions, in each case consistent with the Company's OFAC Sanctions Screening Policy and the Company's AML/BSA compliance program;
- To monitor transactions for suspicious activity, to investigate and report suspected money laundering, terrorist financing, sanctions evasion, fraud, or other unlawful conduct, and to prepare, maintain, and file such records and reports as may be required by applicable law or regulatory authority;
- To satisfy tax reporting, recordkeeping, audit, and regulatory examination obligations, and to respond to lawful requests, subpoenas, orders, and inquiries from law enforcement, regulators, courts, and other governmental bodies;
- To enforce the Prometheus Terms of Service and any other agreements between you and the Company, and to protect the rights, property, safety, and security of the Company, its personnel, its users, its partners, and the public;
- To send you, with your consent where required by applicable law, promotional communications, marketing materials, newsletters, product announcements, and information about features, services, or events that may be of interest to you, subject in each case to your right to opt out as described in Section 12; and
- To carry out such other purposes as are described to you at the point of collection or as may otherwise be permitted or required by applicable law.
The Company will not use your Personal Information for purposes that are materially different from, or incompatible with, those identified above without providing you with notice and, where required by applicable law, obtaining your consent. Non-Personal Information may be used and disclosed by the Company for any purpose, except where the Company is otherwise required to treat such information as Personal Information under applicable law.
4. Sharing Your Information With Other Companies
The Company values the trust that Users place in it and treats Personal Information as confidential. The Company does not sell Personal Information, and the Company shares Personal Information with third parties only in the limited circumstances described in this Section 4 or as otherwise expressly disclosed to the User at the point of collection.
4.1 Circumstances in Which Personal Information May Be Shared
The Company may share Personal Information with third parties in the following limited circumstances:
- User-Directed Sharing. When the User directs or authorizes the Company to share Personal Information with a designated third party.
- Service Partners and Vendors. When the Company contracts or partners with third-party service providers, processors, vendors, or business partners (including hosting providers, analytics providers, identity verification providers, fiat on/off-ramp providers, settlement partners, customer support providers, communications providers, and similar parties) to provide, support, or improve the Services. The Company requires such third parties, by contract, to process Personal Information in a manner consistent with this Policy and applicable law and to implement appropriate technical and organizational safeguards.
- Corporate Transactions. In connection with, or during negotiations of, any merger, acquisition, financing, reorganization, sale of assets, change of control, bankruptcy, insolvency, receivership, or similar corporate transaction involving all or a portion of the Company's business or assets, in which case Personal Information may be transferred to the successor or acquiring entity, subject to the protections of this Policy.
- Legal and Protective Disclosures. To enforce the Prometheus Terms of Service or any other agreement between the User and the Company; to investigate, prevent, or take action regarding suspected or actual illegal activities, fraud, security incidents, or violations of Company policies; to protect the safety, rights, or property of the Company, its Users, or any other person; to comply with applicable law, regulation, subpoena, court order, or other legal process; or where the Company has a good-faith belief that disclosure is required or permitted by law.
- Non-Personal Information. The Company may share Non-Personal Information, aggregated information, or de-identified information with third parties for any lawful purpose, including analytics, research, marketing, and business development, provided that such information cannot reasonably be used to identify a particular individual.
4.2 Financial Data Handling and Regulatory Disclosure
- Non-Custodial Operation. Fire Wallet operates as a non-custodial software interface. The Company does not custody User funds, hold or have access to User private keys, or perform money transmission. Transactions initiated through Fire Wallet are signed locally on the User's device and broadcast directly to the applicable blockchain network or routed to independent third-party service providers selected by the User.
- Sharing With On/Off-Ramp and Settlement Providers. When the User accesses fiat on/off-ramp services, token swap functionality, payment processing, or related settlement services through the Services, the User's Personal Information may be shared with the applicable Third-Party Partner to the extent necessary to facilitate the requested transaction, conduct identity verification, perform sanctions screening, and comply with applicable regulatory requirements. Such Third-Party Partners process Personal Information in accordance with their own privacy policies and applicable law.
- Governmental, Law Enforcement, and Regulatory Disclosures. The Company may disclose Personal Information to law enforcement agencies, regulatory authorities, self-regulatory organizations, courts, tax authorities, or other governmental bodies when the Company believes in good faith that such disclosure is necessary or appropriate to comply with applicable law, regulation, legal process, or governmental or regulatory request, including, without limitation, requests or obligations relating to AML, counter-terrorism financing, tax reporting, sanctions compliance, suspicious activity reporting, and the Company's OFAC Sanctions Screening Policy and AML/BSA compliance program.
- Professional Advisors. The Company may disclose Personal Information to its professional advisors, including outside legal counsel, accountants, auditors, consultants, and insurers, as reasonably necessary in connection with the services they render to the Company.
Except as described in this Section 4 or as otherwise disclosed to the User, the Company will not share or otherwise disclose Personal Information to third parties without the User's consent.
5. Public Venues and Semi-Public Venues of the Services
Public Venues may include, without limitation, community forums, comment threads, support discussion boards, social features integrated with the fire.co website or Fire Wallet, developer channels associated with the developer APIs, and any chat, messaging, or collaboration features made available through the Fire Business Suite. Users should have no expectation of privacy with respect to any information they choose to disclose in the Public Venues.
When a User participates in a Public Venue, the User's username, display name, profile image (if any), public wallet address (if linked or voluntarily disclosed), and the content of any post, message, comment, or other submission may be visible to other Users of the Services, to the general public, and, in the case of semi-public venues, to a defined subset of Users or invitees with access to that venue. The Company does not control, and is not responsible for, the use, redistribution, indexing, scraping, archiving, or republication of information that a User voluntarily makes available in a Public Venue.
By posting, transmitting, or otherwise making information available in a Public Venue, the User acknowledges and agrees as follows:
- Any Personal Information, Non-Personal Information, wallet address, transaction reference, or other content disclosed by the User in a Public Venue is disclosed at the User's own risk and may be collected, used, and disseminated by other Users or third parties without the Company's knowledge or consent;
- Information disclosed in a Public Venue is not subject to the confidentiality protections otherwise described in this Policy, and the Company shall have no obligation to treat such information as confidential or proprietary;
- The Company reserves the right, but does not assume the obligation, to monitor, review, moderate, remove, or restrict access to content posted in any Public Venue if the Company determines, in its sole discretion, that such content violates the Prometheus Terms of Service, applicable law, or the rights of any third party, or that such removal is necessary to protect the safety, security, or integrity of the Services;
- Requests to remove or delete content that a User has posted in a Public Venue may be submitted in accordance with Section 6, provided that the Company cannot guarantee complete removal of content that has been copied, cached, indexed, or further disseminated by other Users or third parties, or that has been recorded on a public blockchain as described in Section 9; and
- Users are solely responsible for ensuring that any information they post in a Public Venue does not infringe the intellectual property, privacy, publicity, or other rights of any third party, and does not include sensitive Personal Information such as government-issued identification numbers, financial account credentials, private keys, seed phrases, or recovery codes.
Users are strongly cautioned not to disclose private keys, seed phrases, recovery phrases, passwords, two-factor authentication codes, or any other credentials associated with the Fire Wallet or any other account in any Public Venue or in any communication purporting to originate from the Company. The Company will never request such credentials through a Public Venue or through unsolicited communications.
6. Your Control and Choices
The Company respects your right to exercise control over your Personal Information. Subject to the limitations set forth in this Section 6 and elsewhere in this Policy, you may access, review, correct, update, or request deletion of your Personal Information at any time.
6.1 Rights
You may exercise the following rights and choices with respect to your Personal Information:
- Account Information. You may correct, update, or delete the registration information associated with your account through the account settings available within the Services or by contacting the Company using the methods set forth in Section 14. You are responsible for maintaining the accuracy and currency of the information you provide.
- Communication Preferences. You may change your preferences with respect to newsletters, alerts, product announcements, and other non-transactional communications at any time by following the unsubscribe instructions included in each such communication, by adjusting your communication preferences within your account profile, or by contacting the Company using the methods set forth in Section 14. Notwithstanding the foregoing, the Company reserves the right to send you transactional, account-related, security, legal, and other non-promotional communications relating to your use of the Services.
- Access, Amendment, and Deletion. You may request access to the Personal Information the Company maintains about you, request that such Personal Information be amended or corrected if it is inaccurate or incomplete, or request that such Personal Information be deleted. Requests should be submitted in writing to the Company using the methods set forth in Section 14. To protect your privacy and the security of your Personal Information, the Company may require you to verify your identity before processing any such request, including by providing additional information sufficient to confirm that you are the individual to whom the Personal Information pertains or an authorized representative thereof.
- Opt-Out. You may exercise any opt-out rights described in this Policy at any time by using any opt-out mechanism made available within the Services, by adjusting your account profile settings, or by contacting the Company using the methods set forth in Section 14.
6.2 Legal Retention Exceptions
Notwithstanding any request you may submit to delete, amend, or restrict the processing of your Personal Information, the Company's ability to honor such requests is subject to applicable legal, regulatory, accounting, reporting, and recordkeeping obligations. Where the Company is required by applicable law to retain certain Personal Information, the Company will inform you of the basis for such retention and will retain only the minimum Personal Information reasonably necessary to satisfy the applicable legal obligation. Further information regarding retention periods is set forth in Section 9.
In addition, certain information associated with blockchain transactions initiated through the Services is recorded on public, decentralized blockchain networks and is, by its nature, permanent, immutable, and outside the control of the Company. As more fully described in Section 9, on-chain data cannot be modified, deleted, or removed by the Company in response to a request submitted under this Section 6.
6.3 Response Timeline
The Company will use commercially reasonable efforts to respond to verified requests submitted pursuant to this Section 6 within thirty (30) days of receipt. If the Company is unable to complete its response within such period due to the complexity or volume of the request, the Company will notify you in writing of the reason for the delay and the date by which a response may reasonably be expected, in each case consistent with applicable law.
6.4 Questions Regarding Specific Personal Information
If you have any questions concerning the specific Personal Information that the Company maintains about you, the sources from which it was collected, the purposes for which it is processed, or the third parties with whom it has been shared, you may contact the Company in writing using the methods set forth in Section 14. Additional rights available to residents of the State of California are described in Section 11.
7. Third-Party Websites and Links
The Services may contain hyperlinks, references, or integrations to websites, applications, platforms, content, products, or services operated, owned, or controlled by third parties, including, without limitation, social media platforms, blockchain explorers, decentralized exchange aggregators, on/off-ramp providers, and other third parties (collectively, "Third-Party Sites"). Such hyperlinks and references are provided solely for the convenience and information of Users and do not constitute an endorsement, sponsorship, authorization, recommendation, affiliation, or approval by the Company of any Third-Party Site or the operators thereof.
Third-Party Sites are not operated, owned, or controlled by the Company. When a User accesses, navigates to, or otherwise interacts with a Third-Party Site, the User leaves the Services and is governed by the terms of service, privacy policies, cookie policies, and other applicable terms and conditions of the relevant Third-Party Site. The Company is not a party to such terms, has no responsibility for, and exercises no control over, the content, materials, practices, security measures, data collection, data use, or data sharing of any Third-Party Site or its operators.
The Company makes no representation, warranty, or guarantee, whether express or implied, regarding any Third-Party Site, including, without limitation: (a) the accuracy, completeness, reliability, legality, or suitability of any information, content, products, or services made available through any Third-Party Site; (b) the privacy or security practices employed by any Third-Party Site; (c) the manner in which any Third-Party Site collects, uses, stores, transfers, retains, discloses, or otherwise processes Personal Information or other data; or (d) the compliance of any Third-Party Site with applicable laws, regulations, or industry standards.
Users are solely responsible for reviewing the privacy policies, cookie policies, terms of use, and other applicable terms and conditions of any Third-Party Site prior to providing Personal Information to, or otherwise interacting with, such Third-Party Site.
To the fullest extent permitted by applicable law, the Company expressly disclaims any and all liability, responsibility, and obligations arising out of or in connection with: (i) any User's access to, use of, reliance upon, or inability to access or use any Third-Party Site; (ii) the acts, omissions, conduct, or business practices of any operator of a Third-Party Site; (iii) any collection, use, disclosure, loss, breach, or unauthorized access of Personal Information or other data by or through any Third-Party Site; and (iv) any damages, losses, costs, expenses, or other harms, whether direct, indirect, incidental, consequential, special, exemplary, or punitive, arising from any of the foregoing. Any disputes, claims, or concerns regarding a Third-Party Site must be directed to the operator of that Third-Party Site.
For the avoidance of doubt, this Policy applies solely to the Company's collection, use, and disclosure of Personal Information through the Services and does not apply to any Third-Party Site, even where such Third-Party Site is linked to, integrated with, or referenced within the Services.
8. Children's Privacy
The Services are intended for use by individuals who are at least eighteen (18) years of age. The Company does not knowingly collect, solicit, or maintain Personal Information from children under the age of 18, and no portion of the Services is directed to children under the age of 18. By accessing or using the Services, the User represents and warrants that the User is at least 18 years of age and possesses the legal capacity to enter into a binding agreement with the Company.
If the Company becomes aware, or has reason to believe, that it has collected Personal Information from a child under the age of 18 without verifiable parental or guardian consent (where such consent would not otherwise satisfy the age requirement set forth above), the Company will take commercially reasonable steps to delete such Personal Information from its systems and to terminate any associated account. Such deletion shall be subject to the retention exceptions set forth in Section 9 of this Policy.
A parent, legal guardian, or other authorized individual who believes that a child under the age of 18 has provided Personal Information to the Company may submit a request for review, correction, or deletion of such Personal Information by contacting the Company using the methods set forth in Section 14. To enable the Company to process the request, the requesting party should provide the following information:
- the full name and, if known, any username, email address, or wallet address associated with the child;
- a description of the Personal Information that the requesting party believes the Company has collected;
- a statement, made under penalty of perjury, that the requesting party is the parent or legal guardian of the child or is otherwise legally authorized to act on the child's behalf; and
- contact information at which the Company may respond to the request.
The Company will respond to verified requests submitted pursuant to this Section 8 within the timeframe set forth in Section 6 of this Policy. Nothing in this Section 8 shall be construed to limit any additional rights or protections that may be afforded to minors under applicable law, including, without limitation, the rights of California residents under the age of 18 set forth in Section 11.
9. Data Security, Integrity, and Retention
9.1 Security Measures
The Company implements and maintains commercially reasonable administrative, technical, organizational, and physical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information against unauthorized access, use, alteration, disclosure, or destruction. Such safeguards include, without limitation:
- encryption of Personal Information in transit and at rest using industry-standard cryptographic protocols, including Transport Layer Security (TLS) version 1.2 or higher for data in transit and Advanced Encryption Standard with 256-bit keys (AES-256) for data at rest, supported by documented key management procedures governing key generation, storage, rotation, and destruction;
- logical access controls and authentication mechanisms (including role-based access provisioning, multi-factor authentication, and audit logging) designed to limit access to Personal Information to authorized personnel on a need-to-know basis and to permit timely revocation of access upon role change or separation; and
- secured information systems, files, and facilities maintained in a manner consistent with applicable federal and state laws, regulations, and recognized industry standards governing the protection of Personal Information.
9.2 Transmission Risk and Limitations
You acknowledge that no method of electronic transmission or electronic storage is fully secure, and that the transmission of information via the internet, mobile networks, or other communication channels involves inherent risks. While the Company employs commercially reasonable measures to protect Personal Information, the Company cannot and does not guarantee the absolute security of Personal Information transmitted to or stored by the Company or its service providers. You transmit Personal Information to the Company at your own risk.
9.3 Data Retention
The Company will retain Personal Information for the length of time reasonably necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law, regulation, legal process, or governmental request, or is necessary to enforce the Prometheus Terms of Service, resolve disputes, or protect the Company's legal rights. Notwithstanding the foregoing, Personal Information collected, generated, or maintained in connection with the Company's AML, KYC, customer due diligence, sanctions screening, or transaction monitoring activities shall be retained for a minimum of five (5) years from the date of the relevant transaction, screening event, or account closure (whichever occurs later), consistent with the Company's AML/BSA compliance program and the Company's OFAC Sanctions Screening Policy. When Personal Information is no longer required for the purposes for which it was collected and is no longer subject to a legal or regulatory retention obligation, the Company will securely delete, destroy, or anonymize such Personal Information in accordance with its data disposal procedures.
9.4 Wallet Applications
The Services include the Fire Wallet, a self-custody wallet application that employs a hardware-backed key management architecture in which the User's private keys are generated, split, and distributed across geographically distributed hardware security modules ("HSMs") using a threshold cryptographic scheme. No single HSM holds a complete private key, and the Company does not have the ability to reconstruct or access the User's private keys. The Company does not custody User funds and does not perform money transmission. The Services do not require Users to create or store a seed phrase or mnemonic recovery phrase. While the Company does not have access to your private keys, you are responsible for maintaining the security of any authentication credentials, biometric enrollments, and device access controls used to authorize transactions through the Services. Loss, theft, or compromise of your authentication credentials or device access controls may result in the permanent and irrecoverable loss of digital assets, and the Company shall have no ability to recover, restore, reverse, or reissue access to any associated digital assets. Certain transactions initiated through Fire Wallet or other Services may interact with third-party blockchain networks, decentralized exchange aggregators, payment processors, on/off-ramp providers, or settlement providers, and any such interactions are subject to the terms, conditions, and privacy policies of the applicable third parties.
9.5 Blockchain Data Disclosure
The Services interact with blockchain networks, including privacy-focused networks that employ ring signatures, encrypted transaction fog, and other cryptographic techniques designed to protect transaction privacy. While these features are designed to make individual transactions untraceable, certain metadata associated with blockchain transactions (including wallet addresses involved in cross-chain bridges, fiat on/off-ramp transactions, or interactions with non-privacy-preserving networks) may be recorded on public blockchains and may be permanently and publicly accessible. Such on-chain data cannot be modified, deleted, or removed by the Company or any other party. Your use of the Services to interact with blockchain networks constitutes your acknowledgment that any data recorded on a public blockchain is outside the scope of any deletion, correction, or access rights provided under this Policy or applicable law.
10. Updating This Policy
10.1 Amendments
The Company reserves the right, in its sole discretion, to modify, amend, supplement, or otherwise revise this Policy at any time and from time to time. Whenever this Policy is revised, the Company will update the "Last Revised" date. The version of this Policy posted on the fire.co website shall be the operative version and shall supersede all prior versions.
10.2 Notice of Material Changes
In the event of any material change to this Policy, the Company will use commercially reasonable efforts to provide Users with advance notice of such change. Such notice may be provided by one or more of the following methods, as determined by the Company in its discretion: (a) sending an electronic notification to the email address associated with the User's account; (b) posting a prominent notice on the fire.co website or within the Fire Wallet or Fire Business Suite interfaces; or (c) requiring a mandatory click-through acceptance of the revised Policy upon the User's next access to the Services. Non-material changes, including clarifications, corrections, and editorial revisions, may be made without advance notice.
10.3 User Responsibility to Review
It is the User's responsibility to review this Policy periodically to remain informed of the Company's current privacy practices. The User's continued access to or use of the Services following the posting of any revised Policy shall constitute the User's acceptance of, and agreement to be bound by, the revised Policy.
10.4 Rejection of Revised Policy
IF YOU DO NOT ACCEPT THE TERMS OF THIS POLICY, AS IT MAY BE AMENDED FROM TIME TO TIME, THEN YOU MUST NOT ACCESS OR USE THE SERVICES. Continued use of the Services after the effective date of any revised Policy constitutes the User's binding acceptance thereof.
10.5 Data Protection Officer
The Company has designated its Chief Executive Officer to serve as its Data Protection Officer (the "DPO"). The DPO is responsible for overseeing the Company's data privacy practices and monitoring the Company's compliance with this Policy, the Prometheus Terms of Service, and applicable data protection laws and regulations. Users, regulators, and other interested parties may contact the DPO regarding any matter relating to the processing of Personal Information or the exercise of privacy rights under this Policy using the methods set forth in Section 14.
10.6 Incident Response Plan
The Company maintains a written incident response plan governing the identification, investigation, containment, remediation, and reporting of data security incidents and suspected or actual breaches of Personal Information. The incident response plan is reviewed and updated periodically and is coordinated with the Company's broader information security, AML/BSA compliance, and OFAC Sanctions Screening Policy frameworks.
10.7 Breach Notification
In the event of a data breach or other security incident involving the unauthorized acquisition, access, use, or disclosure of Personal Information, the Company will, in accordance with and to the extent required by applicable law:
- notify affected Users without undue delay, and in no event later than the time period required by applicable law, regarding the nature of the incident, the categories of Personal Information involved, the measures taken or proposed to be taken by the Company in response, and any recommended steps that Users may take to mitigate potential harm;
- notify applicable regulatory authorities, supervisory bodies, and law enforcement agencies as required by applicable law or regulation; and
- cooperate with regulators, law enforcement, financial services and settlement partners, and other affected parties in the investigation and remediation of the incident.
10.8 Coordination With Compliance Programs
The Company's procedures under this Section 10 are designed to operate consistently with, and in furtherance of, the Company's AML/BSA Compliance Program, OFAC Sanctions Screening Policy, and other written compliance policies and procedures maintained by the Company.
11. Your California Privacy Rights
This Section 11 provides disclosures to all Users of the Services and sets forth the additional rights available to residents of the State of California pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the "CCPA"). Capitalized terms used in this Section 11 and not otherwise defined herein shall have the meanings ascribed to them in the CCPA.
11.1 No Sale of Personal Information
The Company does not sell Personal Information as the term "sell" is defined under the CCPA, and the Company has not sold Personal Information in the preceding twelve (12) months. The Company does not share Personal Information for purposes of cross-context behavioral advertising. The Company will not sell or share Personal Information without first providing California residents with the right to opt out of such sale or sharing as required by applicable law. Because the Company does not engage in the sale or sharing of Personal Information, it does not currently offer a "Do Not Sell or Share My Personal Information" mechanism.
11.2 Categories of Personal Information Collected
In the preceding twelve (12) months, the Company has collected the following categories of Personal Information from California residents:
- Identifiers, such as name, email address, postal address, telephone number, username, and public blockchain wallet address;
- Internet and other electronic network activity information, including IP address, browser type and version, device identifiers, referring and exit pages, pages viewed, navigation paths, and session activity;
- Financial information, including wallet addresses, transaction history, and payment details; and
- Identifiers used for AML/KYC verification, including government-issued identification, date of birth, Social Security number or tax identification number, and facial images or video collected by third-party identity verification providers.
11.3 Sources of Personal Information
The Company collects Personal Information from the following categories of sources:
- Directly from you, including information you provide when registering for an account, using the Services, completing identity verification, or otherwise interacting with the Company;
- From individuals authorized by you to act on your behalf;
- From the devices you use to access the fire.co website, Fire Wallet, the Fire Business Suite, and the developer APIs; and
- From third-party sources, including KYC/AML verification providers, on/off-ramp providers, analytics providers, sanctions-screening providers, blockchain analytics services, fraud-prevention partners, and publicly available sources.
11.4 Business or Commercial Purposes for Collection
The Company collects, uses, and processes Personal Information for the following business and commercial purposes:
- To provide, operate, maintain, and deliver the Services, including facilitating financial transactions, payment processing, fiat on/off-ramp services, token swaps, and settlement;
- To establish, administer, and service your account, and to communicate with you regarding your account, transactions, security alerts, and changes to features, terms, or policies;
- To improve the Services, including the fire.co website, the Fire Wallet, the Fire Business Suite, and the developer APIs, and to monitor and analyze usage, performance metrics, and trends relating to the Services;
- To personalize and tailor content, features, recommendations, and user experiences delivered through the Services;
- To prevent, detect, and investigate fraud, security incidents, and unauthorized or unlawful activity;
- To enforce the Prometheus Terms of Service;
- To verify your identity and conduct AML, KYC, customer due diligence, and sanctions screening through the Company's designated verification providers; and
- To comply with the Company's legal and regulatory obligations, including those relating to AML, KYC, tax reporting, and sanctions screening requirements administered by OFAC and other applicable regulatory authorities.
11.5 Categories of Third Parties to Whom Personal Information Is Disclosed
The Company has disclosed Personal Information for business or commercial purposes to the following categories of recipients in the preceding twelve (12) months:
- Affiliates of the Company;
- Technology service providers;
- Financial services and settlement partners, including the Third-Party Partners identified in Section 1;
- Law enforcement agencies, regulatory authorities, courts, and other governmental bodies, as required by applicable law; and
- Professional advisors, including outside legal counsel, accountants, auditors, consultants, and insurers.
11.6 Categories of Personal Information Disclosed
In the preceding twelve (12) months, the Company has disclosed for business or commercial purposes the following categories of Personal Information:
- Internet and other electronic network activity information and online identifiers (including email address, mailing address, and name); and
- Financial information (including wallet addresses, transaction amounts, and payment details).
11.7 California Privacy Rights
Subject to the exceptions and limitations set forth in the CCPA and other applicable law, California residents have the following rights with respect to their Personal Information:
- Right to Know. The right to request that the Company disclose the categories and specific pieces of Personal Information it has collected about you, the categories of sources from which the Personal Information was collected, the business or commercial purposes for collecting, selling, or sharing the Personal Information, and the categories of third parties to whom the Company has disclosed Personal Information.
- Right to Delete. The right to request that the Company delete Personal Information it has collected from you, subject to certain exceptions, including where retention is necessary to comply with the Company's legal obligations (including AML/KYC and OFAC sanctions screening recordkeeping obligations, which require retention for a minimum of five (5) years as further described in Section 9).
- Right to Correct. The right to request that the Company correct inaccurate Personal Information that it maintains about you.
- Right to Opt Out of Sale or Sharing. The right to opt out of the sale or sharing of Personal Information for cross-context behavioral advertising purposes. As stated above, the Company does not sell or share Personal Information.
- Right Against Discrimination. The right not to receive discriminatory treatment by the Company for exercising any of the rights conferred by the CCPA. The Company will not deny Services, charge different prices, or provide a different level or quality of Services because you exercised any of your CCPA rights.
11.8 Under-18 Content Removal Right
California residents under the age of eighteen (18) who are registered Users of the Services may request the removal of content or information that they have publicly posted on the Services by contacting the Company using the methods set forth in Section 14. The Company will use commercially reasonable efforts to remove such content from public view; however, complete removal may not be possible in all circumstances (for example, where content has been republished by third parties or where on-chain blockchain data is involved, as further described in Section 9).
11.9 Submitting a Request
California residents (or their authorized agents) may submit a request to exercise their rights under this Section 11 by contacting the Company using the methods set forth in Section 14. To process your request, the Company is required to verify your identity. You will be asked to provide certain Personal Information, which may include government-issued identification, to confirm that you are the individual to whom the Personal Information pertains. An authorized agent acting on your behalf must provide a valid written power of attorney or other documentation sufficient to demonstrate that the agent has been authorized to act on your behalf, and the Company may require you to verify your own identity directly with the Company.
11.10 Response Timeline
The Company will respond to verifiable consumer requests within the time periods required by the CCPA, and in any event will use reasonable efforts to acknowledge receipt of a request within ten (10) business days and substantively respond within thirty (30) days of receipt, subject to extensions permitted by applicable law. If the Company is unable to comply with all or part of your request, it will inform you of the reasons in its response.
11.11 Questions
For questions or concerns about the Company's privacy practices with respect to California residents, please contact the Company using the methods set forth in Section 14.
12. Opt-Out of Marketing Communications
From time to time, the Company may send you promotional communications, newsletters, product announcements, marketing materials, and other communications regarding the Services, including information about new features, product updates, events, and offerings that the Company believes may be of interest to you. Such communications may be delivered via email, in-application notifications, or other electronic means using the contact information you have provided to the Company.
You may opt out of receiving promotional communications from the Company at any time and at no cost by: (a) following the "unsubscribe" instructions, link, or mechanism included at the bottom of each promotional email communication; (b) adjusting your communication preferences within your account settings, where such functionality is made available; or (c) contacting the Company directly using the methods set forth in Section 14 and requesting to be removed from the applicable marketing distribution list. The Company will process your opt-out request within a commercially reasonable period of time following receipt.
Notwithstanding your election to opt out of promotional communications, the Company reserves the right to continue to send you non-promotional, transactional, and service-related communications, including, without limitation: (i) communications regarding your account, transactions, or use of the Services; (ii) security alerts, fraud notifications, and incident response communications; (iii) notices of changes to this Policy, the Prometheus Terms of Service, or other applicable agreements; (iv) communications required to comply with applicable laws, regulations, or legal process, including those relating to AML, KYC, sanctions screening, and tax reporting obligations; and (v) responses to inquiries, requests, or complaints submitted by you. You may not opt out of these service-related communications while you continue to access or use the Services.
The Company does not control, and is not responsible for, the collection, use, or disclosure of information by third parties for purposes of interest-based advertising or cross-context behavioral advertising. Advertising networks, analytics providers, social media platforms, and other third parties may collect information about your online activities over time and across different websites, applications, and online services through cookies, web beacons, pixels, software development kits, device identifiers, and similar tracking technologies. The Company has no control over the practices of such third parties, and your interactions with such third parties are governed by their respective privacy policies and terms of service. You may be able to exercise opt-out choices with respect to certain third-party interest-based advertising practices by visiting the resources identified in Section 13 of this Policy, including www.networkadvertising.org/choices/ and www.youronlinechoices.eu.
13. Cookies
The fire.co website does not use cookies, tracking pixels, browser fingerprinting, or third-party analytics services. However, certain product-level Services (such as the Fire Business Suite applications accessible at firesuite.io subdomains) may use Strictly Necessary Cookies to maintain session state and enable core functionality. To the extent any Service uses cookies, the following provisions apply. By accessing or using any such Service, you consent to the use of cookies as described in this Section 13, except where you have exercised the management or opt-out rights set forth below.
13.1 What Are Cookies
Cookies are small text files that are placed in the directories of your web browser by websites that you visit. Cookies allow a website to recognize a user's device, store certain information about user preferences or past actions, and facilitate the operation and analysis of the website. Cookies may be "session" cookies (which are deleted when you close your browser) or "persistent" cookies (which remain on your device for a defined period or until you delete them).
13.2 How We Use Cookies
To the extent cookies are used in connection with product-level Services, the Company uses cookies solely for essential operation purposes and does not use cookies for advertising, cross-context behavioral advertising, or the sale of Personal Information. Cookies enable the Company to maintain session integrity and enable core functionality of the applicable product-level Services.
13.3 Categories of Cookies
The Company uses the following categories of cookies on the Services:
- Strictly Necessary Cookies. These cookies are essential to enable you to navigate and use product-level Services, including accessing secure areas of those Services. Without these cookies, certain services you have requested cannot be provided. Strictly Necessary Cookies do not require your prior consent under applicable law but are described here for transparency. These cookies are not deployed on the fire.co website itself.
- Analytics Cookies. Where deployed in connection with product-level Services, these cookies collect information about how Users interact with those Services, including the pages visited, the duration of each visit, navigation paths, and general usage patterns. Analytics Cookies are deployed only with your consent where required by applicable law and are not used on the fire.co website.
13.4 Managing the Use of Cookies
You have the right to decide whether to accept or reject cookies (other than Strictly Necessary Cookies that are required for the operation of the Services). You may exercise your cookie preferences by adjusting the settings within your web browser or, where made available by the Company, through any cookie consent banner or preference center presented on the applicable Service.
13.5 Removing Cookies
You may remove cookies that have already been stored on your device by clearing your browser's browsing history or cache. The procedure for doing so varies depending on the browser you use; please consult your browser's help documentation for specific instructions.
13.6 Managing Site-Specific Cookies
For more detailed control over site-specific cookies, you should review the privacy and security settings of your particular web browser, which typically allow you to view, manage, and delete cookies on a per-site basis.
13.7 Blocking Cookies
Most modern browsers allow you to block all cookies, or to block cookies set by specific websites or third parties. Please be advised, however, that blocking cookies may impair the functionality of the Services and may prevent certain features from operating as intended. For additional information regarding cookies and how to manage them, you may consult the following independent resources:
- www.allaboutcookies.org — general information about cookies and how to manage them across browsers;
- www.youronlinechoices.eu — information regarding online advertising and cookie preferences for Users located in the European Union; and
- www.networkadvertising.org/choices/ — information regarding the Network Advertising Initiative (NAI) opt-out tools available to Users located in the United States.
13.8 Cookie Retention
The Company retains cookies for so long as the User's consent (where required) and a legitimate basis for processing remain in effect. In no event will Strictly Necessary Cookies or Analytics Cookies be retained for a period exceeding thirteen (13) months from the date of collection, after which the Company will seek to renew the User's consent (where required) before any further processing occurs through such cookies.
13.9 Third-Party Cookies
Certain pages of the fire.co website may display content provided by third parties, including embedded media, social media plug-ins, or links to third-party platforms. Interaction with such third-party content may require your acceptance of the third party's terms of service and privacy policy, and may result in the third party setting cookies on your device. The Company does not control, and is not responsible for, cookies set by third parties. You should review the privacy policies of any such third parties to understand their cookie practices, as further described in Section 7.
14. How to Contact Us
If you have any questions, concerns, requests, or complaints regarding this Policy, the manner in which the Company collects, uses, processes, discloses, or retains your Personal Information, or the exercise of any rights afforded to you under this Policy or applicable law, you may contact the Company using the methods set forth below.
Prometheus Solutions Inc. may be contacted at:
- Website: https://fire.co/contact/
- Email: hello@fire.co
- Attention: Data Protection Officer, Prometheus Solutions Inc.
All privacy-related inquiries, including requests to access, correct, update, or delete Personal Information; requests to opt out of marketing communications; requests submitted under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, or any other applicable data protection law; and notifications regarding suspected security incidents or unauthorized use of the Services, should be directed to hello@fire.co. To facilitate the timely handling of your request, please include in your communication: (i) your full name; (ii) the email address or wallet address associated with your use of the Services, if applicable; (iii) a description of the nature of your request; and (iv) any additional information reasonably necessary for the Company to verify your identity and respond to your inquiry.
The Company will use commercially reasonable efforts to respond to verifiable inquiries and rights requests within thirty (30) days of receipt, subject to the legal retention exceptions and verification procedures described elsewhere in this Policy. Communications submitted to the Company through the contact channels identified above may be retained by the Company for recordkeeping, compliance, and audit purposes consistent with Section 9 of this Policy.
For questions regarding the Prometheus Terms of Service or other matters unrelated to privacy, please refer to the contact information provided on the fire.co website.
15. Governing Law
This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions. Any dispute arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in the State of Delaware.