Privacy Policy
01 The short version
You do not create an account with us. The website at mtf.exchange (the “Website”, and together with the documentation and materials we publish, the “Services”) is an informational site. You connect a self-custodial wallet and interact directly with a public blockchain through your own keys. We take no custody of your assets, hold none of your keys, and execute none of your trades.
The honest summary is the reverse of most privacy policies. It is not that we have gathered a mountain of data about you and promise to guard it — we collect very little. It is that your on-chain activity is public, permanent, and immutable, and no one, including us, can delete or change it. Plan accordingly, and do not put anything you wish to keep private into a transaction.
02 Who we are — controller identity
The controller of the personal data described in this Policy is:
TzAI Foundation — a foundation established under the laws of England & Wales (the “Foundation”, “we”, “us”, “our”).
You can reach the Foundation about any data-protection matter at hello@mtf.exchange, marked for the attention of the privacy contact.
The Foundation is registered with the UK Information Commissioner’s Office (the “ICO”) and pays the data-protection fee where it applies to this processing. No statutory Data Protection Officer is required for this processing, but we name a single privacy contact for all data-protection matters and will update this section if a Data Protection Officer or UK representative is appointed.
03 Scope of this Policy
This Policy covers the personal data the Foundation processes in connection with the Services — the informational Website and related materials.
It does not cover the Protocol: the independent Layer-1 blockchain, its validator set, its on-chain order book and clearing logic, and the related smart-contract and protocol code. The Protocol is autonomous, decentralised, non-custodial software run by independent validators and used directly by you through your own wallet. The Foundation does not operate, own or control the Protocol, takes no custody of any assets or keys, executes no trades, and operates no order book or clearing function. The Protocol is not part of the Services, and the Foundation is not the controller of the autonomous on-chain processing it performs. Section 12 explains what this means for your rights over on-chain data.
This framing is consistent with our Terms of Service, and the two documents are intended to be read together. Nothing in the Terms limits or excludes any right or remedy that cannot be limited or excluded under English law (see Section 18).
04 The personal data we collect
We do not run identity verification (KYC) for access to the Website, and we take no custody. We therefore do not collect government identity documents, biometrics, or account-balance/custody data. We do not seek special-category data (Article 9 UK GDPR — data about health, race, religion, sexual orientation, political or philosophical beliefs, trade-union membership, genetics or biometrics), and we ask you not to send it to us. If you do send unsolicited special-category data, we will not treat the act of sending it as your consent; we will retain it only so far as necessary to handle your message or to establish, exercise or defend legal claims (Article 9(2)(f) UK GDPR), or where you have manifestly made it public yourself (Article 9(2)(e)), and we will otherwise delete it promptly.
Treating wallet and IP addresses as “not personal data” would be wrong: where they can be linked to an identifiable person, the ICO and EDPB treat them as personal data, and so do we. The categories we may process are:
- 1 — Technical / connection data: your IP address, approximate location derived from it, and your internet service provider.
- 2 — Wallet & on-chain addresses: a public wallet address you connect to the Website, or that interacts with the front-end. Pseudonymous, but treated as personal data where linkable to you.
- 3 — On-chain transaction history / activity: transactions, balances, orders, positions and transfers associated with a connected address, as visible on the public ledger.
- 4 — Device & usage data: browser type, operating system, device identifiers, language, referring URL, pages viewed, session/clickstream activity, and error logs.
- 5 — Cookies & storage identifiers: cookies, pixels, local storage, SDK and other storage-and-access identifiers, and the analytics data they generate. See Section 7.
- 6 — Communications data: any email, support request, or social / Discord / Telegram handle, and the content of messages you send us.
- 7 — Screening / compliance signals: results of sanctions and Prohibited-Person checks, geolocation / geo-block signals, and VPN-detection signals. See Section 6.
05 How and why we use your data, and our lawful basis
Under UK GDPR we must have a lawful basis for each purpose, and where we rely on legitimate interests we must name the specific interest. Each of our legitimate-interests bases is supported by a documented Legitimate Interests Assessment (LIA), available in summary on request. The mapping is:
- Operate, secure and improve the Website — serve pages; keep server / security logs; defend against fraud, abuse, DDoS and security threats; run basic analytics. Data: categories 1–5. Lawful basis: Article 6(1)(f) legitimate interests — running, securing and improving the Services (LIA on file).
- Respond to your enquiries and support requests — perform the Website terms or take steps you request. Data: category 6. Lawful basis: Article 6(1)(b) contract / steps prior to contract.
- Screen for Prohibited Persons, sanctioned persons and restricted jurisdictions — retain compliance records; respond to lawful requests from authorities, courts and regulators. Data: categories 1, 2, 7. Lawful basis: Article 6(1)(c) legal obligation where a UK statutory duty applies (for example financial sanctions); Article 6(1)(f) legitimate interests as a parallel / fallback for self-protective risk-management screening (LIA on file).
- Set non-essential cookies; analytics; any marketing communications. Data: categories 4, 5, 6. Lawful basis: Article 6(1)(a) consent (aligned with PECR — see Section 7).
- Establish, exercise or defend legal claims; enforce the Terms. Data: any of the above. Lawful basis: Article 6(1)(f) legitimate interests — protecting and enforcing our legal rights (LIA on file).
We use consent only for cookies, analytics and marketing. We never rely on consent for security logging, fraud prevention or screening — those sit on legitimate interests or legal obligation, because they must not stop simply because a consent is withdrawn.
06 Prohibited Persons & sanctions screening
To comply with sanctions law and to keep the Services away from people who may not lawfully use them, we screen access. For this we may use your IP address and derived geolocation, your wallet address, VPN-detection signals, and sanctions-list matching against authoritative sources (including the UK Sanctions List maintained by the FCDO, and OFAC, EU and UN lists). The purpose is to prevent access by Prohibited Persons and users in restricted jurisdictions, and to meet our legal and risk-management obligations. As a result, we may deny or restrict your access to the Services. The categories of person excluded from the Services include sanctioned persons, residents of restricted jurisdictions, and — given the UK regulatory position on crypto-derivatives — UK retail consumers; eligibility is governed by our Terms of Service.
Automated decision-making. Geo-blocking and screening may operate automatically to restrict access. We treat Article 22 UK GDPR as engaged where automated screening denies or restricts your access, or flags you as sanctions-adjacent or as a Prohibited Person. Accordingly we provide the safeguards required by Article 22(3): a route to contest the decision, the ability to express your point of view, and genuine human review. We also provide the meaningful information about the logic involved that Articles 13 to 15 require (in summary, your connection and wallet signals are matched against sanctions and jurisdiction lists). To request review, contact our privacy contact (Section 17) and a person will look at the decision and consider any information you provide. See Section 14. We maintain a Data Protection Impact Assessment (Article 35) for this systematic screening and chain-analysis monitoring.
07 Cookies and similar technologies (PECR)
We use cookies and similar storage-and-access technologies (which, under PECR, include pixels, fingerprinting, local storage and SDKs). We group them as:
- Strictly necessary — needed for the Website to function and to be secure. These do not require consent.
- Functional — remember your preferences.
- Analytics — help us understand and improve usage. These are not strictly necessary and require your consent.
- Advertising / social — set by third parties; require your consent.
We ask for prior opt-in consent for all non-essential technologies through a banner that offers “Accept all” and “Reject all” with equal prominence, with no pre-ticked boxes, granular control by category, and an easy way to withdraw consent at any time. Non-essential cookies and tags do not fire before you consent. This section is written to the consent-required default; we will update it if the ICO finalises guidance on which low-risk purposes (such as audience measurement) may be exempted from consent. Full detail is in our standalone Cookie Policy [link to be inserted].
08 Third-party wallets, services, and links
Transactions require a compatible third-party wallet, which we neither maintain nor control; your use of it is governed by that provider’s own terms and privacy policy. The Website may also link to or load third-party resources (for example X, GitHub, block explorers, bridges, RPC / node providers, or web fonts). We do not control those services; review their own policies. Following a link to a social platform may let that platform associate the visit with your account there — log out first if you wish to avoid this.
09 Who we share data with
There is no central profile of you to sell, and we never sell personal data. To the limited extent we hold personal data, we may share it with the following categories of recipient, each only as needed. We distinguish recipients who act as our processors (on our instructions) from those who are independent controllers (determining their own purposes), because the correct contracts differ.
Processors — process personal data only on our documented instructions, under written data-processing agreements compliant with Article 28 UK GDPR:
- Hosting and infrastructure providers that serve the Website (including content-delivery / static-hosting providers);
- Analytics providers (subject to your consent);
- RPC / node providers that route front-end requests.
Independent (or joint) controllers — determine their own purposes and are responsible under their own privacy notices; where we share with them we put controller-to-controller or, where applicable, Article 26 joint-controller terms in place:
- Anti-abuse, screening and chain-analysis vendors used for the purposes in Section 6;
- Professional advisers (lawyers, auditors, insurers), who act as independent controllers;
- Authorities, regulators and courts, where required by law or valid legal process, who are controllers in their own right;
- Acquirers or successors, in connection with any merger, reorganisation, or transfer of the Foundation’s activities.
10 International transfers
Some recipients above are located outside the UK. Where they are, we rely on:
- UK adequacy regulations where the destination is covered (for example the EEA, and the UK Extension to the EU–US Data Privacy Framework for US importers actively certified for the relevant data categories); or, failing that,
- the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment and any supplementary measures needed.
We will provide a copy of the relevant safeguards on request to our privacy contact. We confirm and keep current the actual mechanism for each importer before any transfer takes place; we do not rely on your use of the Services as consent to transfer your data abroad.
A note on the public ledger. This is separate. Data written to the Protocol is replicated globally across independent validator nodes that the Foundation does not control. This is an inherent feature of an autonomous public blockchain — it is not a transfer that the Foundation arranges or could arrange, and we cannot impose Article 46 safeguards on it. See Sections 03 and 12.
11 How long we keep data
We keep personal data only as long as needed for the purpose it was collected, applying these criteria:
- Server / security logs and IP — a short period (typically up to 12 months) for security and abuse prevention.
- Cookie / analytics data — for the lifetime of the relevant cookie, then expiry.
- Support communications — for as long as needed to handle your matter, plus a limitation-period buffer.
- Compliance / screening records — for as long as needed to evidence compliance and to bring or defend legal claims. The upper bound for claims-related retention reflects the English-law limitation periods (generally up to 6 years for contract and tort under the Limitation Act 1980).
On-chain data is retained permanently by the network and is outside the Foundation’s control — we cannot shorten or end its retention. See Section 12.
12 On-chain data: public, permanent, and immutable (the crux)
This is the most important section, and the most honest. The Protocol is an autonomous, decentralised, non-custodial public blockchain run by independent validators. Transactions and wallet addresses written to it are public, permanent, and immutable by design, and are replicated across nodes the Foundation does not control.
As a direct consequence:
- The Foundation cannot erase, rectify, restrict, or port on-chain data. The rights under Articles 16–18 and 20 UK GDPR cannot be technically fulfilled against the ledger — not because we decline, but because it is not possible.
- The Foundation is not the controller of the autonomous on-chain processing; the Protocol is not part of the Services.
- Do not place personal data into on-chain transactions, memos, or messages. Once written, it is effectively permanent and visible to anyone, including chain-analysis firms that may be able to link an address to a real identity.
Where the Foundation does hold an off-chain copy of personal data (for example, a server log that links an IP address to a connected wallet, a screening result, or email content), the Foundation is the controller of that copy, and we will act on valid rights requests in respect of those off-chain copies. Making this distinction plainly is itself a transparency and fairness measure under Article 5(1)(a) UK GDPR.
13 Security
We apply appropriate technical and organisational measures under Articles 5(1)(f) and 32 UK GDPR, in honest, non-over-promising terms: encryption in transit (TLS); access controls on a least-privilege basis; logging and monitoring; vendor due-diligence; and Article 28 data-processing agreements with our processors. No method of transmission over the internet, and no method of storage, is perfectly secure. While we cannot guarantee absolute security, we remain responsible for the technical and organisational measures we are required by law to take, and nothing here shifts that responsibility onto you.
If a personal data breach occurs, we will assess it. Where the breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected individuals without undue delay (Article 34).
14 Automated decision-making & profiling
The principal automated processing we carry out is the access-screening described in Section 6. We treat Article 22 UK GDPR as engaged where that screening denies or restricts your access or records you as sanctions-adjacent or a Prohibited Person, and we do not assert that such an effect is insignificant. Where automated screening restricts access, the safeguards in Article 22(3) apply: you may express your point of view, contest the decision, and obtain human review; you may also obtain meaningful information about the logic involved under Articles 13 to 15. To use them, contact our privacy contact (Section 17) and a person will review the decision and consider any information you provide.
15 Your rights
Under UK GDPR you have the following rights, which we will honour in respect of the personal data we control:
- Access — a copy of your personal data (a subject access request).
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion in certain circumstances.
- Restriction — to limit our processing in certain circumstances.
- Objection — to processing based on legitimate interests, and to direct marketing (for direct marketing this objection is absolute).
- Portability — for data processed by automated means on the basis of consent or contract.
- Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
- Rights relating to solely automated decision-making and profiling (see Section 14).
How to exercise them. Email our privacy contact (Sections 02 and 17). We will respond within one month, extendable by up to two further months for complex or numerous requests (we will tell you if so). It is free, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline it. We may need to verify your identity first.
The limits on these rights — stated honestly. These rights are not absolute. They may be limited where we need the data to comply with a legal obligation, or to establish, exercise or defend legal claims. Crucially, they cannot be applied to on-chain data, which is immutable, public, and outside any controller’s power to alter (see Section 12). They apply to the off-chain personal data the Foundation actually controls.
Complaints. You may complain to the ICO, and you may bring a claim in the courts under Articles 79 and 82 UK GDPR; we ask that you contact us first so we can try to resolve it. Nothing requires you to arbitrate a data-protection claim or to give up your right to the ICO or the courts. See Section 17 for the ICO’s contact details.
16 Children
The Services are not directed to anyone under 18, and you must be 18 or over to use them. We do not knowingly collect personal data from children. The operative rule is simple: under-18s are prohibited from using the Services. (For context only: under section 9 of the Data Protection Act 2018, the UK age at which a child can consent to processing by an information society service is 13; that age threshold does not relax our outright 18-and-over rule.) If we discover that we hold data belonging to a person under 18, we will take reasonable steps to delete it. If you believe a child has provided us with data, contact us.
17 Changes, governing law, and contact
Changes. We may update this Policy from time to time. The “Last revised” date at the top will change, and we will signal material changes on the Website where reasonably practicable. Updates apply to processing carried out after they take effect.
Governing law and jurisdiction. This Policy, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it, are governed by the law of England and Wales, and are subject to the jurisdiction of the courts of England and Wales, aligned with our Terms of Service. If you are a consumer resident outside England and Wales, this choice of law does not deprive you of the mandatory protections of the law of your place of residence. Nothing in this Policy waives or limits any statutory data-protection right you have, or any power of the ICO; those cannot be excluded by agreement.
Contact us first: hello@mtf.exchange (for the attention of the privacy contact).
Then, if needed, the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — helpline 0303 123 1113.
18 Non-excludable rights — what this Policy and our Terms cannot take away
We say this plainly because over-broad exclusions are void and we would rather be enforceable than aspirational. NOTHING IN THIS POLICY OR OUR TERMS OF SERVICE LIMITS OR EXCLUDES: (A) YOUR RIGHT TO COMPENSATION UNDER ARTICLE 82 UK GDPR, INCLUDING FOR MATERIAL AND NON-MATERIAL DAMAGE; (B) ANY OF YOUR STATUTORY DATA-PROTECTION RIGHTS, OR THE POWERS OF THE ICO; (C) LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE, OR FOR FRAUD OR FRAUDULENT MISREPRESENTATION; OR (D) ANY OTHER RIGHT OR REMEDY THAT CANNOT BE EXCLUDED OR LIMITED UNDER THE CONSUMER RIGHTS ACT 2015 OR OTHER APPLICABLE CONSUMER-PROTECTION OR DATA-PROTECTION LAW.
In particular, any liability cap, “as is” disclaimer or indemnity in our Terms does not reach, reduce or restrict your data-protection compensation under Article 82 or your non-excludable consumer rights. If you are a consumer, you have legal rights under the Consumer Rights Act 2015 and other consumer-protection law that this Policy does not affect, and any term that would be unfair under section 62 of that Act is not binding on you. The binding-arbitration and class-action-waiver provisions in our Terms do not apply to any claim you bring under data-protection law, to any claim where a pre-dispute arbitration agreement would be unfair under the Consumer Rights Act 2015 or unenforceable under section 91 of the Arbitration Act 1996 (including, for consumers, claims up to GBP 5,000), or to your right to complain to the ICO or to bring a claim under Articles 79 and 82 UK GDPR in the courts of your place of domicile.