UmbraUmbraVisit Umbra
Phoenix DAO LLC

Privacy Policy

This Privacy Policy describes how Phoenix DAO LLC, a limited liability company organized under the laws of the Republic of the Marshall Islands (“Company,” “Umbra,” “we,” “us,” or “our”), collects, uses, stores, discloses, and otherwise processes information in connection with access to and use of the Umbra protocol, dashboard related interfaces, documentation, and services.

Last updated: 16th February, 2026Download PDF

This Policy is derived from, and implements, Umbra's internal privacy and data-handling standards, which are designed to reflect privacy-by-design, data minimisation, and security-by-default principles appropriate to a decentralised and non-custodial system. It does not create any fiduciary, custodial, advisory, or monitoring obligations, nor does it imply that the Company possesses technical capabilities or access beyond what is expressly described in this Policy.

1

Purpose and Scope of This Policy

1.1. Umbra is designed and operated as a non-custodial, privacy-preserving software protocol deployed on the Solana blockchain. The Company develops and maintains reference implementations, interfaces, and tooling that allow users to interact directly with autonomous on-chain smart contracts.

Accordingly:

  • Umbra does not operate or maintain user accounts;
  • Umbra does not custody, control, or access user funds, private keys, viewing keys, encrypted balances, or cryptographic secrets;
  • Umbra does not initiate transactions on behalf of users. Where users voluntarily enable features such as private mode, the Platform may facilitate transaction preparation or relayer routing; however, all transactions are authorised by the user through their self-custodied wallet and executed via independent third-party relayers; and
  • Umbra does not maintain centralized records linking blockchain activity to real-world identities.

Any privacy properties associated with the Protocol arise from cryptographic design and user-controlled key management, not from trust placed in the Company.

For the avoidance of doubt, any execution coordination, routing logic, or cryptographic participation introduced at the interface or infrastructure layer (including through relayers or MPC or threshold mechanisms) does not grant the Company access to user assets, private keys, viewing keys, decrypted balances, transaction contents, or protocol state, and does not alter the non-custodial nature of the Platform.

1.2. This Policy applies solely to information processed by the Company in connection with inclusion but not limited to: (a) the Umbra website and web-based interfaces; (b) application programming interfaces (APIs); (c) software development kits (SDKs); (d) documentation and technical resources; (e) communications initiated by users with the Company; (f) application on iOS, Android and Seeker Systems and (g) any future products built by the Company.

1.3. This Policy does not apply to public blockchain networks (including Solana); transactions broadcast or settled on-chain; third-party wallets, relayers, RPC providers, validators, or MPC node operators; decentralized applications or services not operated by the Company; or information processed entirely under a user's sole control.

Users interact with such third parties at their own risk and subject to those parties' respective privacy practices.

1.4. While Umbra is engineered to enhance transactional privacy through cryptographic techniques, the Company makes no representation or warranty that use of the Platform will:

  • ensure anonymity, secrecy, or untraceability;
  • prevent lawful access, analysis, or inference by third parties;
  • exempt users from legal, regulatory, tax, or reporting obligations; or
  • shield users from enforcement actions or compulsory disclosure orders.

Users remain solely responsible for understanding and complying with applicable data protection, financial, and other laws in their jurisdictions.

1.5. Umbra is developed in accordance with privacy-by-design and data-minimization principles, meaning the Platform is architected to avoid collecting personal data wherever technically feasible. However, nothing in this Policy shall be interpreted as an undertaking to eliminate all privacy risks; a commitment to maintain specific cryptographic standards indefinitely; or an assumption of obligations beyond those imposed by applicable law.

2

Core Privacy Position and Regulatory Baseline

2.1. Data Minimization and Architectural Constraints— Umbra is architected to minimise the collection, processing, and retention of information and to avoid processing information that could reasonably be used to identify users wherever technically feasible. The Protocol is designed such that the majority of user interactions occur on-chain or locally within the user's environment, without reliance on Company-operated accounts, centralised databases, or identity-linked records.

2.2. Absence of User Accounts and Identity Mapping — The Company does not create, maintain, or administer user accounts. Access to the Platform occurs through user-controlled blockchain wallets and does not require off-chain registration or Company-managed account creation, or the provision of usernames, passwords, email addresses, or other persistent identifiers to the Company.

2.3. The Company does not:

  • request or collect government-issued identifiers;
  • request or collect biometric information;
  • require identity verification, onboarding procedures, or compliance screening;
  • maintain records linking wallet addresses to real-world identities; or
  • perform user identification, profiling, classification, or scoring.

2.4. Controller / Processor Positioning — To the extent that privacy or data protection principles may be deemed applicable, the Company determines the limited purposes and means of processing solely in relation to technical, operational, and administrative information processed in connection with the Website, Platform interfaces, documentation, and user-initiated communications.

2.5. Public Blockchain Data Disclaimer — Public blockchain networks, including Solana, are transparent, immutable, and globally accessible by design. The Company does not control, curate, modify, delete, or restrict access to blockchain data.

2.6. No Custody, No Surveillance, No Profiling — Umbra does not monitor user behaviour for the purpose of profiling, behavioural analysis, compliance surveillance, targeted advertising, or commercial exploitation.

2.7. Purposes and Justification for Processing — Where the Company processes limited categories of information, such processing is undertaken solely for defined, proportionate, and legitimate purposes, including:

  • operation, maintenance, and security of the Platform interfaces;
  • prevention of abuse, misuse, or malicious activity targeting the Website or interfaces;
  • response to user-initiated communications and support requests; and
  • protection of the integrity, availability, and legitimate interests of the Company.

2.8. No Expansion of Obligations — Nothing in this Section shall be construed as an admission that the Company processes information beyond what is expressly described herein.

3

Information Processed

Guiding Principle: Minimal and Incidental Processing

The Company adheres to a principle of strict data minimisation. Information is processed only to the limited extent necessary to operate and maintain the Platform interfaces, ensure technical security and integrity, and respond to user-initiated communications.

3.1. Information Processed by the Company

3.1.1. Technical and Usage Information. When users access the Website or Platform interfaces, the Company may incidentally process limited technical and usage-related information necessary to ensure functionality, security, and availability. Such information may include network metadata (such as IP addresses or truncated IP addresses), browser type, operating system, device characteristics, timestamps, referring URLs, session duration, and basic error or access logs.

3.1.2. User-Initiated Communications. Where users voluntarily contact the Company, including through email, support channels, vulnerability disclosure submissions, governance-related communications, or similar correspondence, the Company may process the information provided by the user.

3.1.3. Compliance and Security-Related Records. The Company may process limited information relating to security incidents, abuse prevention, vulnerability disclosures, or misuse of the Platform interfaces, where reasonably necessary to protect the availability, integrity, and security of the Website and interfaces.

3.2. Information Not Collected or Controlled by the Company

3.2.1. Identity and KYC Information. The Company does not collect or process identity verification or know-your-customer information.

3.2.2. Wallet Credentials and Cryptographic Secrets. The Company does not collect, store, access, or control any wallet credentials or cryptographic secrets.

3.2.3. On-Chain Transaction Data. The Company does not process blockchain transaction data as personal data.

3.2.4. Public Blockchain Data and Third-Party Indexing. Use of the Protocol necessarily involves interaction with public blockchain infrastructure. The Company may operate limited, non-authoritative indexing infrastructure solely to derive or mirror publicly available on-chain state.

3.2.5. Cookies and Similar Technologies. The Website may use limited cookies or similar technologies that are strictly necessary to support core functionality, security, and basic performance monitoring.

3.2.6. Sensitive Information and Children's Data. The Company does not intentionally collect or process sensitive personal information or information relating to children.

3.2.7. Data Accuracy and User Responsibility. To the extent users voluntarily provide information to the Company, users are responsible for ensuring that such information is accurate and appropriate.

5

Data Sharing and Disclosure

5.1. No Sale or Commercial Disclosure — The Company does not sell, rent, license, trade, monetise, or otherwise commercially disclose information processed in connection with the Platform.

5.2. Disclosure to Service Providers Acting as Data Processors — The Company may disclose limited categories of information to carefully selected third-party service providers that support operation of the Website and Platform interfaces. All such service providers are engaged under contractual arrangements that require them to:

  • process information solely on the Company's instructions and only for the specified purpose;
  • maintain appropriate confidentiality and security safeguards;
  • refrain from using information for independent or commercial purposes; and
  • delete or return information once the relevant services are complete.

5.3. Disclosure for Security, Abuse Prevention, and Platform Integrity — The Company may disclose limited information where reasonably necessary to investigate, prevent, or respond to security incidents, abuse, misuse of the Platform interfaces, or violations of the Terms.

5.4. Disclosure to Protect Rights and Interests — The Company may disclose limited information where reasonably necessary to establish, exercise, or defend its rights or interests.

5.5. No Disclosure of Wallet or Cryptographic Data — The Company does not disclose, and does not possess the technical capability to unilaterally access or disclose, private keys, seed phrases, viewing keys, master viewing keys, derived keys, encryption keys, cryptographic secrets, decrypted balances, zero-knowledge proofs, nullifiers, or any data enabling unilateral tracing or deanonymisation of protocol activity.

5.6. Decentralised Infrastructure and Independent Third Parties — The Umbra Protocol operates on decentralised blockchain infrastructure and relies on independent third parties, including blockchain validators, relayer operators, MPC node operators, RPC providers, wallet providers, and other network participants.

5.7. Corporate Transactions — In the event of a merger, acquisition, restructuring, financing, insolvency, or similar corporate transaction, limited information may be disclosed to professional advisers, counterparties, or potential acquirers solely to the extent reasonably necessary.

5.8. Cross-Border Data Handling — The Platform is globally accessible, and limited categories of information processed by the Company may be accessed or handled across jurisdictions as part of normal operation of the Website and interfaces.

5.9. No Public Disclosure by the Company — The Company does not publicly disclose information processed in connection with the Platform.

6

Cookies and Similar Technologies

6.1. The Website may use cookies or similar technical mechanisms that are strictly necessary to support core functionality, security, and basic performance of the Website and Platform interfaces.

6.2. The Company limits its use of cookies and similar technologies to the following categories only:

  • Strictly Necessary Cookies, which are required for the operation, security, and basic functionality of the Website and interfaces; and
  • Performance and Error-Monitoring Technologies, used solely to detect technical issues, diagnose errors, and maintain operational stability.

6.3. The Company does not deploy cookies or similar technologies for advertising, behavioural tracking, cross-site tracking, fingerprinting, profiling, or marketing purposes.

6.4. Information derived from cookies or similar technologies is not linked, correlated, or associated with wallet addresses, blockchain transactions, cryptographic commitments, balances, proofs, or any on-chain or protocol-level state.

6.5. Users may configure their browser settings to refuse or limit cookies. However, disabling strictly necessary cookies may affect the functionality, security, or availability of certain Website features.

6.6. The Company does not permit third-party advertising networks, data brokers, or marketing analytics providers to place cookies or similar tracking technologies on the Website.

7

Frontend Diagnostics and Platform Performance Data

7.1. To ensure the availability, stability, and security of the Website and Platform interfaces, the Company may process limited technical and diagnostic information generated through user interactions with the frontend.

7.2. Frontend diagnostic and performance information may include:

  • error logs and crash reports;
  • failed or incomplete interface loads;
  • transaction broadcast or submission failures at the interface level;
  • connectivity or latency issues related to RPC or network access;
  • basic performance metrics relating to interface responsiveness or availability.

7.3. Frontend diagnostic information is:

  • processed only at the interface or infrastructure level;
  • not used to identify individual users;
  • not correlated with wallet addresses, blockchain transactions, or protocol activity; and
  • not used for profiling, behavioural analysis, analytics, or tracking.

7.4. Frontend diagnostic information is retained only for the period reasonably necessary to investigate and resolve the relevant technical issue.

8

Wallet Connection Metadata

8.1. When a user connects a self-custodied blockchain wallet to the Platform interface, the Company may incidentally process limited connection-related metadata strictly necessary to enable the connection and facilitate interface functionality.

8.2. The Company does not collect, store, access, or process:

  • private keys, seed phrases, signing material, or authentication credentials;
  • wallet addresses as persistent personal identifiers;
  • transaction payloads, message contents, or execution parameters;
  • balances, encrypted balances, commitments, nullifiers, or cryptographic proofs; or
  • protocol-level state or on-chain activity.

8.3. Wallet connection metadata is:

  • processed on an ephemeral basis;
  • not retained as a persistent identifier;
  • not used to track users across sessions or visits;
  • not correlated with protocol activity, transaction outcomes, or blockchain data; and
  • not used for profiling, behavioural analysis, analytics, or marketing.

8.4. Wallet connection functionality does not grant the Company custody, control, or access to user assets or cryptographic material.

8.5. Wallet software and wallet providers are independent third parties. The Company does not control their operations, security practices, or data handling.

9

Abuse Prevention and Platform Integrity

9.1. The Company may implement proportionate technical measures at the Website or interface level to protect the Platform from abuse, misuse, or malicious activity, including rate limiting, automated traffic controls, denial-of-service mitigation, and similar safeguards.

9.2. Abuse-prevention measures:

  • operate at the interface or infrastructure access layer only;
  • rely on limited technical indicators necessary to detect abnormal or malicious traffic patterns;
  • do not involve persistent tracking of users or devices; and
  • are not used for profiling, behavioural analysis, surveillance, or compliance monitoring.

9.3. Any measures implemented under this Section affect only access to Company-operated interfaces and do not alter, restrict, or interfere with the autonomous operation of decentralised smart contracts.

9.4. Users may continue to interact directly with the Umbra Protocol through other means independent of the Company's interfaces.

10

SDKs, Developer Tools, and Third-Party Implementations

10.1. The Umbra Protocol may be accessed or integrated through software development kits (SDKs), reference implementations, or tooling made available by the Company. Third-party developers who integrate the Protocol or SDK into their own applications operate independently and are solely responsible for any information processing conducted within their applications or services.

10.2. The SDKs and reference implementations provided by the Company do not transmit personal information, telemetry, analytics, or usage data to the Company by default.

10.3. The Company does not control, audit, or monitor third-party applications built using the Umbra Protocol or SDKs.

10.4. The decentralised and open nature of the Umbra Protocol permits independent implementations and integrations beyond the Company's control.

11

Browser Based Preference

11.1. Certain user interface preferences, such as language selection, display settings, or interface configuration options, may be stored locally within the user's browser or device environment to improve usability and functionality.

11.2. Such preferences:

  • are stored locally and remain under the user's control;
  • are not transmitted to the Company unless technically necessary for Website functionality;
  • are not linked to wallet addresses, protocol activity, or on-chain data; and
  • are not used to identify users, track behaviour, or infer identities.

The Company does not use browser-based preferences to create user profiles or persistent identifiers.

12

Data Retention and Storage Limitation

12.1. Principles of Data Minimisation and Storage Limitation — The Company adheres to strict data minimisation and storage limitation principles. Information is retained only for as long as is reasonably necessary to fulfil the specific, explicit, and legitimate purposes for which it is processed.

12.2. Categories of Information Subject to Retention — To the limited extent that information is processed, retention applies only to:

  • Technical and Security Information, including limited network or device metadata, truncated IP address fragments, timestamps, and error or access logs;
  • User-Initiated Communications, including correspondence voluntarily submitted by users through support, disclosure, governance, or contact channels; and
  • Security, Abuse, or Integrity Records, where retention is reasonably necessary to investigate incidents, prevent misuse of the Platform interfaces, or protect the Company's legitimate interests.

12.3. Determination of Retention Periods — Retention periods are determined on a category-specific basis and are proportionate to the purpose for which the information is processed.

12.4. On-Chain and Decentralised Data— Blockchain data is recorded on public or permissionless blockchain infrastructure outside the Company's control. Such data is not stored by the Company in off-chain databases, cannot be modified, deleted, or selectively retained by the Company.

12.5. Storage Location and Access Controls — Where information is retained, it is stored on systems subject to access controls proportionate to the sensitivity and nature of the information.

12.6. Deletion and Anonymisation — The Company implements procedures designed to ensure that information is deleted without undue delay once it is no longer necessary.

12.9. For the avoidance of doubt, the Company does not:

  • conduct behavioural analytics or user profiling;
  • perform wallet clustering, transaction surveillance, or deanonymisation;
  • deploy fingerprinting or cross-device tracking technologies;
  • monitor protocol activity for compliance or enforcement purposes;
  • sell, rent, monetise, or commercially exploit information;
  • enrich blockchain data with off-chain identifiers; or
  • use automated tools to score, classify, or rank users.
13

Data Security and Safeguards

13.1. Security-by-Design and Proportionality — The Company implements security measures designed to protect information processed in connection with the Platform against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

13.2. Technical Safeguards — The Company employs technical safeguards appropriate to the nature and scope of its operations, which may include:

  • secure hosting and infrastructure environments;
  • encryption of data in transit where appropriate;
  • access controls, authentication mechanisms, and role-based permissions;
  • system hardening, patch management, and environment segregation;
  • logging and monitoring for security and integrity purposes; and
  • reasonable measures to prevent unauthorised access or misuse.

13.3. Organisational Measures — The Company implements organisational safeguards proportionate to its operational scope.

13.4. Decentralised and Cryptographic Security Boundary — The Umbra Protocol relies on cryptographic primitives, decentralised blockchain infrastructure, independent validator networks, relayer operators, MPC node operators, and other third-party systems.

13.5. No Absolute Security Guarantee — No system is completely secure. The Company does not warrant or guarantee that information, cryptographic mechanisms, decentralised infrastructure, or third-party services will be immune from unauthorised access, compromise, failure, or attack.

13.6. User Security Responsibilities — Users are solely responsible for safeguarding their private keys, seed phrases, viewing keys, credentials, devices, wallet software, and any other tools used to access the Platform.

13.7. Incident Response — The Company maintains internal procedures designed to identify, assess, and respond to security incidents affecting information processed in connection with the Platform interfaces.

14

User Rights

14.1. To the extent the Company processes limited categories of information in connection with the Platform, users may request reasonable access to, correction of, or deletion of such information, subject to the technical and operational constraints described in this Privacy Policy.

14.2. Access to Information — Users may request confirmation as to whether the Company processes information relating to them and, where applicable, request access to such information.

14.3. Correction of Information — Where information processed by the Company is demonstrably inaccurate or incomplete, users may request correction.

14.4. Deletion of Information — Users may request deletion of information processed by the Company where such information is no longer necessary for the purpose for which it was processed.

14.5. Limitation of Processing — Where appropriate, users may request that processing of certain information be limited.

14.6. Exercising Requests — Requests relating to this Section may be submitted to:

legal@umbraprivacy.com

15

Children's Data

15.1. The Platform and Umbra Protocol are not intended for use by children. The Company does not knowingly collect or process information relating to individuals below the age at which they may lawfully provide information without parental consent.

15.2. The Company does not implement age-verification mechanisms or identity checks, as the Platform operates on a permissionless, non-custodial, and pseudonymous basis.

15.3. If the Company becomes aware that it has inadvertently processed information relating to a child, it will take reasonable steps to delete such information where technically feasible and appropriate.

16

Cross Border Data Handling

16.1. The Platform is globally accessible, and limited categories of information processed by the Company may be handled across jurisdictions as part of operating the Website and interfaces.

16.2. Where information is handled across borders, the Company applies reasonable technical, organisational, and contractual safeguards proportionate to the limited nature of the information involved.

16.3. Decentralised infrastructure participants, including validators, relayer operators, MPC node operators, RPC providers, and wallet providers, operate independently and may process information in jurisdictions of their choosing.

17

Policy Updates, Contact Details, and Governance

17.1. Updates to This Privacy Policy — The Company may amend or update this Privacy Policy from time to time to reflect changes in Platform functionality, technical architecture, operational practices, or organisational structure. Updates will be effective as of the date indicated at the top of the Policy. Continued use of the Platform following an update constitutes acknowledgement of the revised Policy.

17.2. Relationship to Terms and Protocol Architecture — This Privacy Policy must be read together with the Terms and Conditions governing access to and use of the Platform. Nothing in this Policy modifies the non-custodial or decentralised nature of the Umbra Protocol.

17.3. Contact Information — For questions, requests, or concerns relating to this Privacy Policy, users may contact:

legal@umbraprivacy.com

The Company does not maintain user accounts or identity databases. Accordingly, responses may be limited by technical feasibility and privacy-preserving constraints.