Privacy Policy

1. Who We Are
2. The Permissionless Nature of Shadow
3. What Data We Collect and Why
4. Blockchain Data and Public Ledgers
5. Cookies and Analytics
6. How We Use Your Data
7. Legal Bases for Processing
8. Data Sharing and Third Parties
9. International Data Transfers
10. Data Retention
11. Security
12. Your Rights
13. Children's Privacy
14. Changes to This Policy
15. Complaints

Shadow operates the decentralised marketplace available at shadow.fi (the “Platform”), through which users can access and interact with the Shadow Protocol, a set of open-source smart contracts governing the issuance and trading of Shadow Tokens.

References in this Privacy Policy to “Shadow”, “we”, “us”, or “our” refer to the Shadow development team responsible for operating shadow.fi and associated platform services. For data protection enquiries, contact details are published at shadow.fi as required by applicable data protection law.

Shadow is designed around a minimal-data philosophy consistent with the values of decentralised finance. The core Protocol operates without user accounts, without identity verification, and without requiring any personal information to access marketplace functionality.

You can connect a Wallet, purchase and sell Shadow Tokens, and participate in governance without providing your name, email address, or any other personal identifier to Shadow. This is intentional and reflects a fundamental design commitment to participant privacy.

Certain ancillary services, including the shadow.fi website, may involve limited data collection as described in this Policy.

3.1 Data You Provide Voluntarily

Shadow does not require you to create an account or provide personal information to use the Platform. If you contact us voluntarily, we will receive and retain the information contained in your communication. This data is used solely to respond to your enquiry and is not used for any other purpose.

3.2 Wallet Addresses

When you connect a Wallet to the Platform, your public Wallet address becomes visible to the Platform interface. A Wallet address is a pseudonymous identifier. It does not, by itself, constitute personal data under most privacy frameworks; however, in some circumstances it may be possible to associate a Wallet address with an identifiable individual. We treat Wallet addresses with the same care as personal data.

We use Wallet address data solely to facilitate your interaction with the Shadow Protocol and to display your token balances and transaction history on the Platform interface.

3.3 Technical and Usage Data

When you access shadow.fi, our web infrastructure may automatically collect certain technical data, including:

• IP address (typically truncated or anonymised where technically feasible)
• Browser type and version
• Operating system
• Pages visited and time spent on each page
• Referring URL
• Date and time of access

This data is collected to maintain the security and performance of the Platform, to diagnose technical issues, and to understand aggregate usage patterns. It is not used to identify individual users.

3.4 Data We Do Not Collect

Shadow does not collect:

• Your name, date of birth, or government-issued identity documents
• Your financial account details or payment card information
• Your physical address or telephone number
• Biometric data of any kind
• Any information about your off-platform financial holdings or trading activity

All transactions executed through the Shadow Protocol are recorded on a public blockchain. This means that your Wallet address, transaction amounts, timestamps, and token holdings are permanently and publicly visible to anyone who queries the blockchain. This is an inherent and irrevocable characteristic of public blockchain technology.

Shadow has no control over blockchain data. Once a transaction is confirmed on-chain, it cannot be deleted, modified, or made private by Shadow or by you. If you require privacy in your financial transactions, you should understand the public nature of blockchain records before using the Platform.

Shadow does not sell, aggregate, or commercially exploit blockchain data associated with your Wallet address. We may use aggregated, anonymised on-chain data for the purpose of understanding platform usage and improving the Protocol.

5.1 Cookies

Shadow.fi may use a limited number of technically necessary cookies to support Platform functionality, including session management and Wallet connection state. We do not use advertising cookies, tracking pixels, or third-party behavioural analytics cookies.

Where applicable law requires, we will request your consent before placing non-essential cookies. You can configure your browser to refuse cookies; however, this may limit certain Platform functionality.

5.2 Analytics

If we use web analytics tools on shadow.fi, we will configure them to anonymise IP addresses and will not permit analytics providers to use your data for their own purposes. We will disclose the specific analytics tools in use on our Cookie Notice page at shadow.fi.

We use the limited data we collect for the following purposes:

• Operating and maintaining the shadow.fi website and Platform interface.
• Facilitating your interaction with the Shadow Protocol, including displaying your Wallet balance and transaction history.
• Responding to communications you initiate with us.
• Monitoring and improving Platform security and performance.
• Detecting, investigating, and preventing fraudulent, abusive, or unlawful activity.
• Complying with applicable legal obligations, including responding to lawful requests from regulatory or law enforcement authorities.
• Understanding aggregate Platform usage to inform Protocol development decisions.

We do not use your data for targeted advertising. We do not sell your data to any third party. We do not use your data to build profiles for any purpose other than those listed above.

Where data protection law requires us to identify a legal basis for processing personal data, we rely on the following:

• Contractual necessity: processing your Wallet address and transaction data to provide the Platform services you have requested.
• Legitimate interests: collecting technical usage data to maintain and improve the security and performance of the Platform, where these interests are not overridden by your privacy rights.
• Legal obligation: processing data as required to comply with applicable law, regulatory requirements, or lawful authority requests.
• Consent: where we use non-essential cookies or similar technologies, we will rely on your consent, which you may withdraw at any time.

8.1 Service Providers

We may share limited data with third-party service providers who assist us in operating the Platform, including web hosting providers, content delivery networks, and security monitoring services. These providers are contractually required to process data only on our instructions and to maintain appropriate security standards.

8.2 Blockchain Infrastructure

Interactions with the Shadow Protocol involve broadcasting transactions to public blockchain networks. Blockchain node operators, validators, and anyone with access to the public ledger will be able to see transaction data as described in Section 4.

8.3 Legal and Regulatory Disclosure

We may disclose data to government authorities, regulators, or law enforcement agencies where required to do so by applicable law, court order, or in connection with the investigation of suspected unlawful activity. Where legally permitted, we will notify you of such disclosure.

8.4 No Sale of Data

Shadow does not sell, rent, or trade personal data to any third party for commercial purposes. This is an absolute policy.

8.5 Business Transfers

In the event of a merger, acquisition, or transfer of all or part of Shadow's assets, user data may be transferred to the successor entity, subject to the same privacy protections described in this Policy. We will notify users of any such transfer through our Official Channels.

Shadow operates globally and your data may be processed in countries other than the country in which you reside. These countries may have different data protection laws than your home jurisdiction. Where we transfer personal data internationally, we take steps to ensure that appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities where applicable.

Given the permissionless and decentralised architecture of the Shadow Protocol, certain data, including public blockchain transaction data, is inherently global and cannot be geographically restricted.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

• Communications data: retained for up to 36 months from the date of communication, or longer if required by law.
• Technical and usage data: retained in identifiable form for up to 12 months, after which it is aggregated and anonymised.
• Wallet address data displayed in the Platform interface: retained for the duration of your use of the Platform and for a reasonable period thereafter for security and audit purposes.

Blockchain transaction data is permanently recorded on the public ledger and cannot be deleted by Shadow or by you.

We implement appropriate technical and organisational measures to protect the data we hold against unauthorised access, disclosure, alteration, or destruction. These measures include encryption in transit, access controls, and regular security reviews.

No security system is impenetrable. We cannot guarantee the absolute security of any data transmitted to or stored on the Platform. You are responsible for maintaining the security of your own Wallet and private keys. Shadow has no ability to recover funds or access lost Wallets under any circumstances.

In the event of a data breach that is likely to result in a risk to your rights or freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

Depending on your jurisdiction, you may have the following rights in relation to personal data we hold about you:

• Right of access: to request a copy of the personal data we hold about you.
• Right to rectification: to request correction of inaccurate personal data.
• Right to erasure: to request deletion of your personal data, subject to our legal retention obligations and the inherent limitations of public blockchain records.
• Right to restriction of processing: to request that we limit how we use your data in certain circumstances.
• Right to data portability: to receive your personal data in a structured, machine-readable format.
• Right to object: to object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact details are published at shadow.fi as required by applicable data protection law. We will respond within the timeframe required by applicable law. Please note that we cannot delete data that exists on a public blockchain, and we may be required to retain certain data to comply with legal obligations.

The Platform is not directed at individuals under the age of 18, or the age of legal majority in their jurisdiction if higher. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please use the contact details published at shadow.fi and we will take prompt steps to delete it.

We may update this Privacy Policy from time to time. Material changes will be announced through our Official Channels and a notice will be posted at shadow.fi. The updated Policy will be effective upon publication. We encourage you to review this Policy periodically.

Your continued use of the Platform following the publication of an updated Privacy Policy constitutes your acceptance of those changes.

If you are located in a jurisdiction with a data protection supervisory authority and you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with that authority.

Contact details for submitting a privacy complaint or data rights request to Shadow are published at shadow.fi. This information is maintained as required by applicable data protection law. We would appreciate the opportunity to address your concerns directly before any formal proceedings are initiated.

Data protection law requires us to make available a means by which individuals can exercise their rights and submit complaints. Accordingly, contact details for all data protection matters are published and maintained at shadow.fi.