Privacy Policy
A product of Billion Impact, Inc.
Introduction
Billion Impact, Inc. ("we," "us," or "our"), a Delaware corporation, operates Perfolio, a non-custodial platform that enables users to manage tokenized gold positions, including borrowing stablecoins against gold collateral, executing token swaps, managing lending positions, rebalancing portfolios, and bridging assets between supported blockchain networks. Perfolio is not a lending protocol itself; it integrates with established, audited decentralized protocols and automatically maintains an active session to execute authorized operations on your behalf (see our Terms of Service, Section 6.7).
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Perfolio mobile application (the "App") and related services (collectively, the "Services"). This policy applies to all users of the App regardless of location.
By accessing or using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
Important Clarifications
- Perfolio is a non-custodial platform that integrates with decentralized protocols, not a bank, financial institution, or custodian.
- We do not hold, control, or have custody of your digital assets at any time. Your assets remain under your control through self-custody. Perfolio automatically maintains an active session to execute authorized operations on your behalf within on-chain policy constraints (see Section 5.3), but this does not constitute custody or control of your assets.
- Perfolio integrates with third-party decentralized protocols. All transactions (borrowing, swaps, trading, bridging) are executed through self-executing smart contracts on public blockchains.
- We do not provide financial, investment, or legal advice.
Information We Collect
We collect the minimum information necessary to provide and improve the Services. We categorize the information we collect as follows:
2.1 Information You Provide Directly
- Email address: Used for account authentication through our third-party authentication provider
- Communication preferences and notification settings
- Customer support correspondence, feedback, and inquiries
- Age confirmation (you must confirm you are 18 years or older to use the App)
- Any other information you voluntarily provide to us
2.2 Information Collected Automatically
When you use the App, certain information is collected automatically to help us operate and improve the Services:
- Device information (device type, model, operating system and version, unique device identifiers)
- App usage data (session duration, screens viewed, features used, interaction patterns, tabs selected)
- Performance data (app launch time, screen load times, transaction success rates, crash reports and error logs)
- IP address and approximate geographic location derived from IP address
- App version and build configuration
- Currency and display preferences
- When you have an active session (see Section 5.3), transaction execution data including operation type, amounts, contract addresses interacted with, transaction hashes, timestamps, gas costs, and success or failure status
2.3 Blockchain Information (Publicly Available)
When you connect your wallet to Perfolio, we read the following information that is already publicly available on the blockchain. We do not create or store this data; it exists on the public ledger:
- Your public wallet address(es)
- Token balances (such as PAXG, XAUT, USDC, USDT)
- Transaction history related to Perfolio-integrated smart contracts
- Borrowing position data (collateral amounts, debt amounts, health factors, loan-to-value ratios)
We never collect, store, or have access to your wallet private keys, seed phrases, recovery phrases, or wallet passwords. Your private keys are managed entirely by your wallet provider or through secure Multi-Party Computation (MPC) technology provided by our authentication partner. Private keys are never transmitted to or stored on our servers. When you create an account, a separate, constrained agent key is automatically generated and stored securely on our servers to execute authorized operations on your behalf. This agent key cannot access your wallet directly, cannot transfer funds to external addresses, and operates only within pre-defined on-chain policy constraints. You may rotate this key at any time, which immediately invalidates the previous key and generates a new one.
2.4 Information from Third-Party Services
If you use fiat on-ramp or off-ramp features within the App, a licensed fiat service provider handles the conversion between traditional currency and digital assets. This provider may collect information directly from you, including identity verification documents, selfie photographs, proof of address, payment card details, and bank account information as required for Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance under applicable regulations.
Perfolio stores basic profile information (such as name, date of birth, nationality, and address) and KYC verification metadata (such as verification status and risk level) received from the fiat service provider. However, actual identity documents (ID scans, selfie photos, proof of address documents) are collected and stored exclusively by the licensed fiat service provider under its own regulatory framework.
In the UAE: Fiat services are provided by a VARA-licensed broker-dealer partner, which independently handles all KYC/AML/CTF compliance under the Virtual Assets Regulatory Authority (VARA) framework. Identity verification data collected by this partner is processed under VARA's data protection requirements.
How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Details |
|---|---|
| Provide the Services | Facilitate wallet connections, display borrowing positions and portfolio data, enable interaction with integrated decentralized protocols (borrowing, trading, bridging), and deliver core App functionality |
| Authentication & Security | Verify your identity during sign-in, manage your session, detect and prevent fraud, unauthorized access, and other illegal activities |
| Improve the App | Analyze usage patterns to optimize App performance, identify and fix bugs, and develop new features based on how users interact with the platform |
| Communications | Send transaction confirmations, borrowing position alerts (such as health factor warnings), security notifications, service updates, and respond to your support requests |
| Legal Compliance | Meet legal and regulatory obligations, enforce our Terms of Service, respond to lawful requests from authorities, and protect the rights and safety of our users |
| Automated Transaction Execution | Execute authorized operations on your behalf (swaps, lending, rebalancing, bridging) through your active session, and maintain audit logs of all operations performed |
Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:
4.1 Third-Party Service Providers
We may work with trusted third-party service providers who assist us in operating the App. These providers are contractually obligated to use your information only for the purposes we specify:
| Category | Purpose | Data Shared |
|---|---|---|
| Authentication Provider | User sign-in, session management, and secure wallet key management via MPC | Email address, session tokens |
| Licensed Fiat Service Provider (VARA-licensed in UAE) | KYC/AML verification, fiat on-ramp and off-ramp services, sanctions screening | Basic profile data and KYC status synced to Perfolio. Identity documents collected and stored exclusively by provider. |
| Price Oracle Provider | Real-time gold and asset price feeds | No personal data shared. Price data only. |
| Analytics & Crash Reporting | App performance monitoring, usage analytics, and crash reporting | Anonymized usage data, crash logs, device identifiers |
| Decentralized Protocol Execution | Execution of authorized operations via session keys (swaps, lending, bridging, rebalancing) | Public wallet address and transaction parameters. Submitted to whitelisted smart contracts on public blockchains. No personal data beyond your public wallet address. |
| Decentralized Perpetual Exchange | Leveraged perpetual futures trading (opening, managing, and closing positions) | Public wallet address, position parameters (size, leverage, direction), and trade execution data. Submitted to the exchange's on-chain infrastructure. |
An up-to-date list of our third-party service providers is available within the App or upon request at [email protected].
4.2 Blockchain Transparency
When transactions are executed through the App, whether initiated by you directly or executed on your behalf via your active session, your public wallet address and transaction details are recorded on the public blockchain by the decentralized protocols we integrate with. This information is inherently public and immutable by the nature of blockchain technology. Billion Impact, Inc. does not control and cannot modify or delete information stored on the blockchain.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of the assets of Billion Impact, Inc., your information may be transferred as part of that transaction. We will notify you via the App or email before your information becomes subject to a different privacy policy.
Data Storage and Security
5.1 Where Your Data Lives
- Authentication tokens and wallet session data: Stored securely in your device's Keychain (hardware-backed encrypted storage)
- User preferences: Stored locally on your device using secure local storage
- Borrowing positions, collateral balances, and transaction history: Stored on the public blockchain, not on our servers. Queried in real time when you open the App.
- Analytics and crash data: Processed by our third-party analytics and crash reporting providers
- Email and account data: Stored by our third-party authentication provider
5.2 Security Measures
We implement industry-standard technical and organizational security measures to protect your information:
- HTTPS/TLS encryption for all network communications
- Certificate pinning for API connections to prevent man-in-the-middle attacks
- Encryption at rest for all locally stored sensitive data
- Automatic session timeout after 30 minutes of inactivity
- Multi-Party Computation (MPC) for secure wallet key management: no single party ever holds the complete key
- Integration only with audited, established decentralized protocols
- API keys and secrets stored securely and never included in application logs
No method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially reasonable efforts to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the security of your wallet, private keys, and device.
5.3 Session Key Data
When you create an account, a session is automatically established for automated transaction execution. We store the following data:
- A constrained agent key (generated automatically at account creation, stored encrypted on our servers)
- Session permissions (which operations are authorized, which contracts can be called)
- Session metadata (creation time, status, usage count)
- On-chain grant reference (links your session to the blockchain-enforced policy)
Session keys remain active for the lifetime of your account. When you rotate your session key, the previous key is immediately deactivated and replaced with a new one. Upon account deletion, the agent key is permanently deactivated. Session audit logs (which operations were executed, when, and their on-chain results) are retained for up to 24 months for security and compliance purposes.
Your Rights and Choices
You have the following rights regarding your personal information. Depending on your jurisdiction, additional rights may apply (see Section 12):
6.1 Access and Portability
You may request a copy of the personal information we hold about you. Note that much of your financial data (wallet balances, transaction history, borrowing positions) is already publicly accessible on the blockchain.
6.2 Correction
You can update your email address and preferences directly within the App's settings at any time.
6.3 Account Deletion
You may request deletion of your account and associated personal data at any time by contacting us at [email protected] or through the account deletion option in the App settings. Upon receiving a verified deletion request, we will:
- Delete your email address and authentication credentials from our systems
- Remove your locally cached preferences and data
- Delete or anonymize analytics data associated with your account
- Permanently deactivate your session agent key (the key can no longer execute any operations)
- Process the deletion within 30 days of the verified request
Session audit logs (records of operations executed via your session key) are retained for up to 24 months after account deletion for security and compliance purposes, as described in Section 5.3.
What we cannot delete: Information stored on the public blockchain (wallet addresses, transaction history, smart contract interactions) is immutable and cannot be modified or deleted by anyone, including us. This is a fundamental characteristic of blockchain technology.
6.4 Analytics Opt-Out
You can opt out of analytics data collection through the App's settings. Disabling analytics will not affect the core functionality of the App.
6.5 Push Notifications
You can manage or disable push notifications at any time through your device settings or within the App. We recommend keeping borrowing position alerts enabled, as these notify you of important changes to your loan health factor.
Third-Party Services and Integrations
Perfolio integrates with and links to various third-party services to provide you with a complete experience. These include:
- Decentralized protocols (the smart contracts that execute your borrowing, trading, and bridging transactions)
- Fiat on-ramp and off-ramp providers for converting between traditional currency and digital assets
- Wallet providers and wallet connection services for securely connecting your self-custody wallet
- Blockchain explorers for transaction verification
- Price oracle services for real-time gold and asset valuations
Each of these services operates independently and has its own privacy policy. We are not responsible for the privacy practices of any third-party service. We encourage you to read the privacy policy of every third-party service you interact with through the App.
The App displays contextual disclosures within each screen where a financial operation occurs, identifying the specific service provider or protocol responsible for that operation. This transparency ensures you always know who is handling each part of your transaction.
Fiat on-ramp and off-ramp services: When you use fiat conversion features, you interact directly with the third-party provider. Any personal information you provide to them, including identity documents, selfies, payment details, and banking information, is collected and processed by them, not by Billion Impact, Inc.
AI-Powered Features
Perfolio includes an AI-powered assistant designed to help you navigate the App, understand borrowing concepts, and answer your questions. When you interact with the AI assistant:
- Your conversation content is processed in real time to generate relevant, helpful responses
- We do not use your AI conversations to train or fine-tune machine learning models
- Conversation data may be temporarily retained for service quality and improvement purposes
- The AI assistant provides informational guidance only; it does not provide personalized financial, investment, or legal advice
Children's Privacy
The App is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. Users must confirm they are 18 years or older during onboarding. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that information. If you believe a minor has provided us with personal information, please contact us at [email protected].
International Data Transfers
Billion Impact, Inc. is based in the United States. Your information may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.
By using the App, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy. Where required by law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses approved by the European Commission.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable law:
| Data Type | Retention Period | Notes |
|---|---|---|
| Account data (email, preferences) | Duration of active account | Deleted within 30 days of verified deletion request |
| Analytics data | Up to 24 months | Retained in anonymized / aggregated form |
| Crash reports and logs | Up to 12 months | Used for debugging and stability improvements |
| Support correspondence | Up to 36 months | For quality assurance and dispute resolution |
| Session agent keys | Lifetime of account | Deactivated immediately on key rotation or account deletion |
| Session audit logs | Up to 24 months | Records of operations executed via session keys, including transaction details and on-chain results |
| Blockchain data | Permanent (immutable) | Outside our control; stored on public blockchain |
| Legal / compliance records | As required by law | Minimum retention periods per applicable regulation |
Your Regional Privacy Rights
12.1 European Economic Area (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under the GDPR, including:
- Right of access: Request a copy of data we hold about you
- Right to rectification: Correct inaccurate personal data
- Right to erasure: Request deletion of your personal data (subject to blockchain limitations)
- Right to restrict processing: Limit how we use your data in certain circumstances
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw at any time
Our legal bases for processing include: performance of a contract (providing the Services, executing transactions via session keys, maintaining your account), legitimate interests (improving the App, fraud prevention, security monitoring), compliance with legal obligations (regulatory reporting, sanctions screening, session audit log retention), and your consent (analytics data collection, marketing communications where applicable). To exercise your GDPR rights, contact [email protected].
12.2 California (CCPA / CPRA)
If you are a California resident, you have rights under the CCPA and CPRA, including:
- Right to know: What personal information we collect, use, and disclose
- Right to delete: Request deletion of your personal information
- Right to opt out of sale: We do not sell your personal information
- Right to non-discrimination: We will not treat you differently for exercising your rights
- Right to correct: Request correction of inaccurate personal information
- Right to limit use of sensitive personal information: Where applicable
12.3 United Arab Emirates
We comply with applicable data protection regulations in the UAE, including requirements under the Virtual Assets Regulatory Authority (VARA) framework relating to the handling of personal information in connection with virtual asset services.
For users in the UAE, fiat on-ramp/off-ramp services and KYC/AML compliance are handled by a VARA-licensed broker-dealer partner. This partner processes identity verification data under VARA's regulatory requirements, including customer due diligence, enhanced due diligence for high-risk clients, ongoing transaction monitoring, and sanctions screening against OFAC, UN, EU, and UAE sanctions lists.
Perfolio receives basic profile data and KYC verification status from this partner to maintain your account. Users in the UAE have the right to access, correct, and request deletion of their personal data held by both Perfolio and our VARA-licensed partner.
12.4 Other Jurisdictions
If you are located in another jurisdiction with applicable data protection laws, you may have similar rights. Please contact us at [email protected] to exercise any rights available to you under your local law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make changes:
- We will update the "Last Updated" date at the top of this Privacy Policy
- For material changes, we will provide prominent notice through the App (such as an in-app notification or banner) and, where we have your email address, via email
- We will provide reasonable advance notice before material changes take effect
- Your continued use of the App after the updated Privacy Policy becomes effective constitutes your acceptance of the changes
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Billion Impact, Inc.
169 Madison Ave, STE 38574
New York, NY 10016, United States
Privacy inquiries: [email protected]
General inquiries: [email protected]
For data protection inquiries or to exercise your privacy rights, please email [email protected] with the subject line "Privacy Request" and include a description of your request along with sufficient information for us to verify your identity.
We will respond to all verified privacy requests within 30 days of receipt.