Skip to main content

1. Introduction

1st (“Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data while operating our decentralized exchange platform and related services (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform at https://www.1st.app and associated smart contracts. IMPORTANT NOTICE: By using our Platform, you acknowledge that blockchain transactions are public and permanent. While we implement privacy-preserving measures where possible, the inherent transparency of blockchain technology means certain transaction data will always be publicly visible.

2. Scope and Application

This Privacy Policy applies to:
  • Our website at https://www.1st.app.
  • Our decentralized exchange interface.
  • Embedded wallet services provided through Privy.io.
  • MirrorToken and Token Delivery Commitment systems.
  • Associated smart contracts we deploy or operate.
This Privacy Policy does NOT apply to:
  • Third-party protocols or smart contracts.
  • External wallets you may connect.
  • Blockchain networks themselves.
  • Services provided by other parties.

3. Information We Collect

3.1 Information You Provide Directly
  • Email address (if provided for notifications).
  • Username or ENS name (if provided).
  • Wallet addresses (both embedded and external).
  • Authentication credentials via Privy (social logins, email).
  • Trading history and preferencese.
  • Order types and parameters.
  • Token balances and positions.
  • Withdrawal and deposit records.
  • Support tickets and inquiries.
  • Feedback and suggestions.
  • Community forum posts (if applicable).
3.2 Information Collected Automatically
  • IP address and approximate geolocation.
  • Browser type and version.
  • Device information and operating system.
  • Access times and referring URLs.
  • Session duration and page interactions.
  • On-chain transaction history.
  • Smart contract interactions.
  • Token holdings and transfers.
  • Gas fees and transaction hashes.
  • Platform usage patterns.
  • Feature engagement metrics.
  • Error logs and performance data.
  • A/B testing results.
3.3 Information from Third Parties
  • Authentication provider information.
  • Wallet creation and recovery data.
  • Session management information.
  • Key shard status (but NOT private keys).
  • Price feeds and market data.
  • Token metadata.
  • Network status information.
  • ENS and domain resolutions.
  • Sanctions screening results.
  • Blockchain analytics data.
  • Risk scoring information.
3.4 Data Controller vs. Processor Roles We act as either a data controller or data processor depending on the context:
ScenarioOur RoleExample
Website usage and analyticsControllerIP addresses, page visits
Account creation and embedded wallet setupProcessorSession tokens, key shard routing
Smart contract interactionsN/A (on-chain)We are not controllers of blockchain data
Where we act as a processor, we rely on service providers such as Privy.io to fulfill specific functions under their own privacy and security frameworks.

4. How We Use Your Information

4.1 Primary Uses
  • Execute trades and manage orders.
  • Provide embedded wallet functionality.
  • Process deposits and withdrawals.
  • Display account balances and history.
  • Detect and prevent malicious activity.
  • Implement rate limiting and access controls.
  • Monitor for unusual trading patterns.
  • Enforce sanctions compliance.
  • Analyze usage patterns and optimize UI/UX.
  • Debug technical issues.
  • Develop new features.
  • Conduct A/B testing.
4.2 Legal Bases for Processing We process your data based on:
  • Consent: When you explicitly agree (e.g., marketing communications).
  • Contract: To provide services you’ve requested.
  • Legitimate Interests: For security, fraud prevention, and improvements.
  • Legal Obligations: To comply with applicable laws and regulations.
Note on Blockchain Data: To the extent that personal data appears on the public blockchain (e.g., wallet addresses, transaction metadata), we are not the data controller of that data under applicable privacy laws. Such data is not processed by us, nor can it be altered or erased by us. It exists independently of our systems on decentralized infrastructure.

5. Data Sharing and Disclosure

5.1 Service Providers We share data with trusted service providers:
  • Privy.io: Embedded wallet infrastructure.
  • Cloud Providers: AWS/Google Cloud for hosting.
  • Analytics Services: For platform optimization.
  • Security Providers: For threat detection.
5.2 Blockchain Transparency By design, the following data is PUBLIC on blockchain:
  • Wallet addresses.
  • Transaction amounts and tokens.
  • Trading history.
  • Smart contract interactions.
  • Token balances.
We CANNOT make blockchain data private. 5.3 Legal Disclosures We may disclose information to:
  • Comply with legal obligations.
  • Respond to valid legal requests.
  • Protect rights and safety.
  • Investigate violations of our Terms.
5.4 Business Transfers In case of merger, acquisition, or sale:
  • User data may be transferred.
  • We will notify you of changes.
  • You may close your account if you object.
5.5 Aggregated Data We may share anonymized, aggregated data:
  • Market statistics.
  • Usage trends.
  • Performance metrics.
  • Research insights.

6. Data Retention

Data TypeRetention PeriodJustification
Account DataDuration of account + 7 yearsLegal/tax requirements
Transaction RecordsIndefinite (blockchain)Immutable by design
Support Communications3 yearsService improvement
Analytics Data2 yearsPlatform optimization
Security Logs1 yearIncident investigation

7. Data Security

7.1 Technical Measures
  • Encryption: TLS 1.3 for data in transit.
  • Access Controls: Role-based permissions.
  • Infrastructure: Secure cloud environments.
  • Monitoring: 24/7 security monitoring.
  • Incident Response: Documented procedures.
7.2 Embedded Wallet Security Via Privy’s infrastructure:
  • Private key sharding.
  • Secure enclaves (TEE).
  • Multi-factor authentication.
  • Session management.
  • Recovery mechanisms.
Important Disclaimer: While we partner with secure wallet infrastructure providers such as Privy, you are solely responsible for safeguarding your device, login credentials, and recovery methods. We never store or have access to your private keys. If you lose access to your recovery mechanism, we may be unable to help you regain control of your wallet. Always use strong, unique authentication credentials and keep backups of recovery materials in a safe location. 7.3 Smart Contract Security
  • Audited contracts.
  • Immutable deployments.
  • Time-locks where appropriate.
  • Multi-signature controls.
  • Bug bounty program

8. Your Privacy Rights

8.1 Universal Rights Regardless of location, you can:
  • Access: Request your personal data.
  • Portability: Export your data.
  • Correction: Update inaccurate data.
  • Deletion: Request data removal (where technically possible).
  • Objection: Opt-out of certain processing.
8.2 Jurisdiction-Specific Rights
  • Right to restriction of processing.
  • Right to object to automated decisions.
  • Right to lodge complaints with supervisory authorities.
  • Right to withdraw consent.
  • Right to know categories of data collected.
  • Right to non-discrimination.
  • Right to opt-out of “sales” (we don’t sell data).
  • Right to limit use of sensitive data.
Other Jurisdictions We respect privacy rights under:
  • UK GDPR.
  • Canadian PIPEDA.
  • Australian Privacy Act.
  • Other applicable laws.

9. Special Considerations

9.1 Blockchain Immutability
  • Blockchain transactions CANNOT be deleted.
  • Wallet addresses are permanently public.
  • Trading history is forever visible.
  • We cannot comply with “right to be forgotten” for on-chain data.
9.2 Embedded Wallet Privacy
  • We never see your private keys.
  • Authentication data is minimized.
  • Recovery shares are distributed.
  • Export capabilities maintained.
9.3 MirrorToken System
  • Token Delivery Commitments are public.
  • Obligor identities may be visible.
  • Distribution events are transparent.
  • Claims are recorded on-chain.

10. International Data Transfers

Our servers are located in:
  • United States (primary).
  • European Union (CDN/backup).
We implement appropriate safeguards:
  • Standard Contractual Clauses.
  • Encryption in transit.
  • Access controls.
  • Privacy Shield principles (where applicable).

11. Children’s Privacy

Our Platform is NOT intended for anyone under 18. We do not knowingly collect data from children. If we discover such collection, we will promptly delete the data.

12. Third-Party Services

12.1 Privy.io Integration Please review Privy’s Privacy Policy: https://privy.io/privacy-policy Key points:
  • Privy processes authentication data.
  • Provides embedded wallet infrastructure.
  • Has its own privacy practices.
  • We don’t control their data handling.
12.2 External Links We are not responsible for privacy practices of:
  • External websites.
  • Third-party dApps.
  • Blockchain explorers.
  • Wallet providers.

13. Cookies and Tracking

13.1 Essential Cookies Required for:
  • Session management.
  • Security tokens.
  • Load balancing.
  • Feature preferences.
13.2 Analytics Cookies With your consent:
  • Google Analytics and PostHog (anonymized).
  • Performance monitoring.
  • Feature usage tracking.
  • Error reporting.
13.3 Managing Cookies You can:
  • Adjust browser settings.
  • Use our cookie banner.
  • Clear cookies anytime.
  • Use incognito/private mode.

14. Marketing and Communications

14.1 Types of Communications Transactional (always sent):
  • Security alerts.
  • Account updates.
  • Service changes.
  • Legal notices.
Marketing (with consent):
  • Feature announcements.
  • Educational content.
  • Community updates.
  • Partner offerings.
14.2 Unsubscribing Every marketing email includes:
  • Unsubscribe link.
  • Preference center.
  • Clear opt-out instructions.

15. Changes to Privacy Policy

We may update this policy:
  • Notice provided 30 days in advance.
  • Material changes highlighted.
  • Continued use constitutes acceptance.
  • Version history maintained.

16. Regulatory Complaints

16.1 You may contact
  • Your local data protection authority.
  • Marshall Islands authorities.
  • Relevant international bodies.
16.2 Arbitration Disputes subject to arbitration per our Terms of Service.

17. Definitions

  • Personal Data: Information that identifies or relates to you.
  • Processing: Any operation performed on personal data.
  • Controller: Entity determining purposes of processing.
  • Blockchain Data: Information recorded on public ledgers.
  • Embedded Wallet: Wallet created via Privy infrastructure.

18. Privacy Policy Acceptance

By using our Platform, you acknowledge:
  • You have read this Privacy Policy.
  • You understand blockchain transparency.
  • You accept our data practices.
  • You are 18 or older.