This Privacy Policy (the “Policy”) explains how NDSE Cyber Ltd. and each of its affiliates and subsidiaries (collectively “Naoris Protocol,” “we,” “us,” or “our”) respect your privacy and are committed to protecting the personal information we hold about you. This includes information we collect through, or in association with, our TestNet version of the Protocol (the “TestNet”), our website whose home page is located at https://naorisprotocol.network/testnet (the “Website”), the Public Sale of the $NAORIS token facilitated through the Tokensoft Platform (the “Public Sale”), or otherwise through your interactions with us (the Website, TestNet, Public Sale, content, features, pages, or our applications collectively, the “Services”).

If you have questions, comments, or concerns about this Policy or our processing of personal information, please see the bottom of this Policy for information about how to contact us.

Data Controllers:

• For users accessing the Services from the Bahamas or globally (excluding the EU and UK): NDSE Cyber Ltd., whose registered address is at Suite 2 C, One Sandyport Plaza, West Bay Street Nassau, Bahamas, is the data controller of the personal information collected and is responsible for the processing of your personal information. Contact: legal@naoris.com.
• For users accessing the Services from the European Union (“EU”): DPR Group, located at 1-2 Marino Mart, Fairview, Dublin 3, Ireland, is the data controller of the personal information collected for all individuals located in the EU.
• For users accessing the Services from the United Kingdom (“UK”): DPR Group, located at 107-111 Fleet Street, London, EC4A 2AB, United Kingdom, is the data controller of all individuals located in the UK.

1. Changes to the Policy

This Policy replaces all previous disclosures we may have provided to you about our information practices with respect to the Services. We reserve the right, at any time, to modify or update this Policy. Any such modifications, alterations, or updates will be effective upon our posting of a revised version and updating the “Last Modified” date above. We may provide you with additional forms of notice as appropriate, such as email notices to the most recent email address we have on file for you. Your continued use of our Services after any modification to this Privacy Policy will constitute your acceptance of such modification.

We may also provide “just-in-time” disclosures or additional information about the data handling practices of specific parts of our Services, such as the TestNet or Public Sale. Such notices may supplement this Policy or provide you with additional choices about how we process your personal information.

2. Applicability of this Privacy Notice

This Policy is subject to the Terms of Service and any partner or affiliate agreements, as applicable, that govern your use of the Services. This Privacy Notice applies regardless of the means used to access or provide information through the Services, including the TestNet, Website, and Public Sale.

This Privacy Notice does not apply to information collected by third-party services, applications, or advertisements associated with, or websites linked from, the Services, except where explicitly stated in connection with the Public Sale facilitated by the Tokensoft Platform. The collection or receipt of your information by such third parties is subject to their own privacy policies, and we are not responsible or liable for their compliance therewith.

3. Personal Information We Collect

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household (“personal information”). We also collect metadata, which is aggregated system data that does not personally identify you and does not comprise personal information unless combined with other data that enables identification. To the extent metadata is stored or associated with personal information, it will be treated as personal information; otherwise, it is not subject to this Policy.

The types of personal information and metadata we collect depend on your interactions with our Services, whether through the TestNet, Website, or Public Sale. Below are the categories of data we collect and their sources:

TestNet Data Collection

For users of the TestNet, we generally do not collect personal data unless you request support services, in which case we may collect your email address. We collect metadata that does not personally identify you, as follows:

Category	Type of Data	Collected From
Contact Information	Email address (only if you request support)	You
Transaction Information	Metadata from your use of TestNet, including Points awarded, $NAORIS token swaps, wallet address	Systems used for transactions
Website Information	Browser metadata (e.g., browser type/version, Chrome extensions active, system language, general browsing activity on our Website), mouse pointer location	Device used to access the Website, our Website
Technical Information	Operating system type/version, device specifications (e.g., CPU, screen resolution), browser details, IP address, geolocation data (from ISP), canvas information, cookies (see Cookie Notice at [LINK])	Device used to access the Website, our Website

We cannot communicate with you or administer the TestNet or Point swaps without collecting the above metadata. We do not collect any other data for TestNet users beyond what is listed.

Public Sale Data Collection

For users participating in the Public Sale through the Tokensoft Platform, we collect additional personal information to facilitate transactions, comply with legal obligations, and provide Services. The following categories align with those used by the Tokensoft Platform:

Category	Type of Data	Collected From
Identifiers	Name, username, email address, phone number, government ID (e.g., driver’s license, passport), date of birth, wallet address, IP address, device ID	You, device used, third-party verification services (e.g., Onfido)
Payment/Financial Information	Payment method details (e.g., credit/debit card number, billing address, CVC code), transaction details (e.g., amount, sender, receiver)	You, payment processors, Tokensoft Platform
Commercial Information	Purchasing and consumer histories or tendencies	Systems used for transactions
Internet or Other Electronic Network Activity Information	IP address, browser attributes/type, pages visited, content viewed, date/time of visits, clickstream data	Device used, Tokensoft Platform, analytics tools (e.g., Google Analytics)
Geolocation Information	Location data to verify eligibility and track usage	Device used, ISP, Tokensoft Platform
Visual Information	Images from government-issued IDs for verification	You, third-party verification services (e.g., Onfido)

We will not collect additional categories of personal information for the Public Sale beyond those listed above without providing you with a new notice at or before the time of collection.

Sources of Personal Information

We collect personal information and metadata from:

• Directly from you: When you provide contact information, request support, participate in the Public Sale, or submit transaction details.
• Automatically or indirectly from you: Through logging and analytics tools (e.g., Google Analytics), cookies, device information, and geolocation data.
• From third parties: For Public Sale participants, we may collect identity verification data from providers like Onfido to comply with anti-money laundering (AML) and know-your-customer (KYC) obligations.

If we require certain personal information and you elect not to provide it, we may not be able to serve you effectively or offer all Services, particularly for the Public Sale.

4. How We Use Your Personal Information

We process personal information and metadata for the following purposes:

TestNet Purposes

• Administering the TestNet: To manage your participation, Points awards, and $NAORIS token swaps.
• Providing Support Services: To respond to your inquiries via email.
• Optimizing Website Performance: Using metadata (e.g., canvas information, browser details) to enhance user experience.
• Protecting Privacy: Ensuring metadata is aggregated and not used to identify you unless combined with personal data.

Public Sale Purposes

• Providing Services: To process transactions, verify identities, and facilitate $NAORIS token purchases.
• Marketing: To send messages about our products and services, based on legitimate interests (no consent required unless shared with third parties, in which case consent is obtained).
• Compliance: For AML/KYC compliance, using payment/financial information.
• Security and Fraud Prevention: To detect and protect against malicious, deceptive, or illegal activity.
• Improving Services: To debug errors, maintain quality, and enhance functionality.
• Legal Obligations: To comply with applicable laws, regulations, or requests from law enforcement.
• Protecting Rights: To safeguard the rights, property, and safety of users, us, and third parties.

We will not use personal information for materially different, unrelated, or incompatible purposes without providing you with notice.

5. How We Share Your Personal Information

TestNet Sharing

We do not share TestNet metadata with third parties except as follows:

• Within the Group: We may collect your email address for support services and share metadata internally to manage the TestNet, Points, and transactions. Access is limited to a need-to-know basis.
• With Third Parties (Processors): We may engage third parties (e.g., IT support, server hosting providers) to process metadata on our behalf. These parties are bound by security standards to protect your metadata.
• With Third Parties (Controllers): In cases of business sales, transfers, or outsourcing, we may disclose metadata to prospective buyers or transferees.

Public Sale Sharing

For the Public Sale, we may share personal information with:

• Service Providers and Business Partners: Entities like the Tokensoft Platform, Onfido, or analytics providers (e.g., Google Analytics) that help us provide Services, under contractual obligations at least as protective as this Policy.
• Public Blockchain: Transaction information for $NAORIS token purchases is broadcast publicly to confirm transactions on the blockchain, which is not anonymous.
• Legal Compliance: We may share information with law enforcement, tax authorities, or regulatory bodies to comply with legal obligations or protect the integrity of the Services.

6. User Consent Mechanisms

TestNet

Where our processing of your metadata or email address is based on consent (e.g., for support communications), you may withdraw consent at any time by contacting support.tn@naoris.com. Withdrawal will stop processing for that purpose unless another lawful basis applies, in which case we will inform you.

Public Sale

• Consent for Marketing: We may process personal information for marketing based on legitimate interests without consent. If shared with third parties for marketing, we will obtain your specific consent, which you can withdraw at any time by following opt-out instructions in communications.
• Consent for Processing: For certain processing (e.g., identity verification), you provide consent by submitting information. You may withdraw consent by contacting privacy@naorisprotocol.com, but this may prevent us from providing Public Sale Services.
• Opt-Out Options: You can opt out of marketing communications by clicking “unsubscribe” in emails or adjusting settings in your account on the Tokensoft Platform. Service-related communications (e.g., transaction confirmations) cannot be opted out of due to contractual or regulatory requirements.

7. Your Choices

• TestNet: You may decline to provide an email address for support, but this may limit our ability to assist you. You can adjust browser settings to block cookies or metadata collection, though this may affect TestNet functionality.
• Public Sale: You may decline to provide personal information, but this may prevent you from participating in the Public Sale. You can:
• Opt out of marketing: Unsubscribe via links in communications.
• Limit geolocation: Deactivate location services on your device, though this may restrict access to certain features.
• Manage cookies: Adjust browser settings to block cookies or enable “Do Not Track” (note: we do not respond to Do Not Track signals).

8. Security Measures

We use commercially reasonable safeguards to protect your personal information and metadata, including:

• TestNet: Information security policies, procedures, and confidentiality agreements with staff and contractors to prevent unlawful or unauthorized processing and accidental loss, destruction, or damage.
• Public Sale: Encryption, access controls, and secure data storage, as implemented by the Tokensoft Platform. We require our service providers (e.g., Onfido, Tokensoft) to maintain equivalent safeguards. However, the internet is not 100% secure, and we cannot guarantee absolute safety.

9. Retention of Data

• TestNet: We retain metadata for the duration of the TestNet service. Support-related data (e.g., email addresses, support tickets) is deleted within 2 months of closing a support request, though it may persist in the support portal per the provider’s policies. Cookie retention is detailed in our Cookie Notice at [LINK].
• Public Sale: We retain personal information as necessary to carry out the purposes described (e.g., transaction processing, legal compliance), including compliance with applicable laws, regulations, or to protect our rights, property, or safety. Retention periods vary based on regulatory requirements or contractual obligations.

10. Your Privacy Rights

Depending on your location and applicable laws, you may have the following rights:

TestNet

• Right to Withdraw Consent: Withdraw consent for processing your email address or metadata by contacting legal@naoris.com.
• Right to Object: Object to processing based on legitimate interests, after which we will demonstrate a compelling reason or legal necessity to continue.

Public Sale (and General Rights for EU/UK Users)

• Right to Access: Request a copy of your personal information.
• Right to Rectification: Correct or update your information.
• Right to Erasure: Request deletion of unnecessary or withdrawn-consent data.
• Right to Restriction: Restrict processing under certain conditions (e.g., contested accuracy).
• Right to Object: Object to processing based on consent, contract, or legitimate interests.
• Right to Data Portability: Receive your data in a structured, machine-readable format or have it transferred to another controller.

To exercise these rights:

• Global Users: Contact privacy@naorisprotocol.com.
• EU Users: Contact DPR Group at datainquiry@dpr.eu.com, quoting “Naoris Protocol,” or via www.dpr.eu.com/datarequest.
• UK Users: Contact DPR Group at the above or mail to 107-111 Fleet Street, London, EC4A 2AB, UK.

We may need to verify your identity. If we cannot resolve a complaint, EU users can contact their local data protection regulator (edpb.europa.eu), and UK users can contact the Information Commissioner’s Office (ico.org.uk).

11. Other Important Information

• Children: The Services are not for individuals under 18. We do not knowingly collect data from children.
• Third-Party Services: Links to third-party websites (e.g., Tokensoft Platform) are subject to their privacy policies. We are not responsible for their practices.
• Business Transfer: Personal information may be transferred in the event of a merger, acquisition, or sale.
• International Use: Data may be processed in the Bahamas, US, or other jurisdictions, which may have less protective laws. We use standard contractual clauses for EU/UK data transfers outside approved jurisdictions.

12. Notice to Individuals in the European Economic Area, United Kingdom, and Switzerland

For users in the Designated Countries, we process personal information based on:

• Consent: For marketing or specific processing where explicitly agreed.
• Performance of a Contract: To fulfill TestNet or Public Sale obligations.
• Legal Obligations: For AML/KYC or regulatory compliance.
• Legitimate Interests: For business operations, fraud prevention, or service improvements, where these outweigh your rights.

Special categories of data (e.g., government ID images) are processed based on substantial public interest (e.g., fraud prevention) or explicit consent. International transfers outside Designated Countries use standard contractual clauses.

13. Contact Information

For questions or to exercise your rights:

• Email: legal@naorisprotocol.com
• Mail: NDSE Cyber Ltd., Suite 2 C, One Sandyport Plaza, West Bay Street Nassau, Bahamas
• Data Protection Contact: João Ferreira Santos, Head of Compliance, joaosantos@naorisprotocol.com