1. Who we are

Goldsand is a product operated by Camelcorn Inc. ("Camelcorn," "Goldsand," "we," or "us"), a non-custodial software provider that facilitates access to decentralized finance protocols protocol. We are committed to protecting your privacy while meeting applicable laws, including U.S. anti-money laundering (AML) and know-your-customer (KYC) requirements through our partners.

For privacy inquiries, contact us at [email protected]

2. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or a prominent notice on our website or mobile app and update the date above. Non-material changes may take effect immediately. Material changes generally take effect 30 days after notice unless a shorter period is required by law.

3. Who this applies to; age; geography

This policy applies to personal information we process in connection with the Services, including our website and mobile apps distributed through app stores.

The Services are not intended for anyone under 18. We do not knowingly collect personal information from children under 13, and our Services are not directed at children under 13. If you believe we have collected information from a child under 13 in violation of applicable law, contact us at [email protected].

For U.S. users, certain features are offered only in jurisdictions we support. The Services are not offered to residents of New York or Alaska. Do not use the Services if you are a resident of, or domiciled in, New York or Alaska, in addition to any eligibility rules in our Terms of Service.

4. Information we collect

4.1 Account registration

When you create an account, we collect and store your first name, last name, and email address. These fields are encrypted in our database, encrypted at rest in storage, and encrypted in transit when transmitted between your device and our systems.

4.2 Information we collect and store when you complete KYC

Know Your Customer (KYC) verification is performed by a third-party provider (Bridge) that requests additional personal information from you as part of its verification process. Our Services collect the information below for the purpose of facilitating that KYC process with Bridge—for example, so you can complete the steps Bridge requires inside our app or on our website. We do not collect mailing address or phone number when you only create an account and do not proceed with KYC.

When you complete KYC, we collect and store the following additional fields in our systems:

• Address (address lines, city, state or subdivision, postal code, country)

• Phone number

• Date of birth

These KYC fields are subject to the same encryption practices as in section 4.1: encrypted in our database, encrypted at rest in storage, and encrypted in transit.

4.3 Information collected during KYC but not stored by Goldsand

During KYC you may provide:

• A photograph of your government-issued ID (such as a driver's license)

• Your Social Security number (SSN)

These items are transmitted using encryption in transit directly to our KYC provider, Bridge. Goldsand does not store, log, or retain your SSN or ID image on our servers. Bridge processes that information under its own privacy policy and applicable law, in addition to the practices described here.

4.4 Linked bank accounts (metadata only)

Connecting a bank account to the Services, funding your Goldsand account from a linked bank account, and withdrawing balances to a connected bank account are carried out using third-party providers—specifically Plaid (for linking your bank and related financial data) and Astra (for ACH and fiat transfers)—not by Goldsand directly. Those providers process bank account and routing information and move funds subject to their own terms and privacy policies.

Goldsand stores only metadata for each linked account so you can see which account you connected and choose it for deposits or withdrawals. After a successful connection, we retain only:

• Bank name (e.g., institution name)

• Account mask (typically the last four digits of the account number)

• Account type (e.g., checking or savings)

Full bank account numbers and bank routing numbers are not visible to Goldsand and are not stored by us; Plaid and Astra (and their partner financial institutions, as applicable) handle that information when you connect an account or initiate funding or withdrawals.

4.5 Automatically collected information

We may collect usage and device-related information when you use the Services, such as how you navigate the app or site, IP address, device type, operating system, and similar technical data needed to operate, secure, and improve the Services and to prevent fraud. We may also process limited transaction or activity information needed to provide wallet- or protocol-related features you request.

4.6 Camera or photo library (ID upload)

If you use your device camera or photo library, it may be solely to capture or upload identity documents for KYC as described in section 4.3. We do not use such access for unrelated photo collection.

4.7 Cookies and similar technologies (website)

Our website may use cookies or similar technologies to remember preferences, maintain sessions, and understand aggregate traffic patterns. You can control cookies through your browser settings.

5. How we use your information

We use personal information to:

• Provide, operate, and improve the Services

• Create and maintain your account and provide support

• Verify identity and meet AML/KYC and other legal obligations

• Facilitate bank linking and money movement through our partners

• Detect, prevent, and address fraud, abuse, and security issues

• Send service-related notices, updates, and administrative messages

• Communicate about our Services and, where permitted, product updates

• Comply with law, regulation, and lawful requests from authorities

6. Tracking and advertising

We do not use your personal information for "tracking" as commonly understood for cross-context behavioral advertising—that is, we do not link your personal data from our app with third-party data from other companies' apps or websites for advertising or advertising measurement. We do not sell your personal information.

If our practices change in a way that requires app tracking disclosures or consent frameworks (such as Apple's App Tracking Transparency), we will update this policy and our product experience to match.

7. How we share information

We may share information with:

• Bridge, for KYC and compliance processing (including receipt of ID images and SSN during verification as described above)

• Plaid and Astra, together with Bridge where applicable, for bank linking, ACH, and related payment operations

• Service providers who assist us (e.g., hosting, security, communications)

• Professional advisors where required for audits or legal compliance

• Authorities when required by law or to protect rights and safety

• Affiliates or successors in connection with a business transaction

We require service providers to use information only as directed by us and subject to appropriate confidentiality and security obligations, except where they must comply with their own legal duties.

8. Third-party privacy policies

Bridge, Plaid, and Astra maintain their own privacy policies governing data they collect and process. We encourage you to read their policies. We do not control their practices but select partners we believe meet strong security and compliance standards.

9. Retention

We retain personal information for as long as your account is active and as needed to provide the Services, plus a period afterward as required by law. In many cases we retain certain records for at least six (6) years after the end of our relationship to meet AML, tax, and regulatory obligations. Some information may be retained longer where law requires or where necessary to resolve disputes or enforce our agreements.

Information recorded on public blockchains cannot be deleted or altered by us.

10. Security

We implement administrative, technical, and organizational measures designed to protect personal information, including encryption for stored account and KYC fields and for data in transit as described in sections 4.1 and 4.2. As a non-custodial wallet provider, we do not store your private keys. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Account deletion

You may request deletion of your account and associated personal information by:

• Emailing [email protected] from the email associated with your account, or

• Using the in-app delete account functionality in our mobile application

We will verify your request and process deletion within a reasonable time, typically within thirty (30) days, unless a shorter or longer period is required by law. We may retain certain information where required for legal, regulatory, tax, or anti-fraud purposes, including AML/KYC records, as described in the Retention section. Deletion may not remove data held by our partners; you may need to contact them separately where applicable.

12. Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or restrict processing of your personal information, to object to certain processing, to data portability, or to withdraw consent where processing is based on consent.

To exercise these rights, contact [email protected]. We may need to verify your identity before responding. You may also have the right to lodge a complaint with a data protection authority in your region, where applicable.

13. California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may provide you with additional rights regarding personal information.

Categories we collect

We collect categories of personal information including identifiers (such as name and email when you create an account; phone number, date of birth, and address when you complete KYC), sensitive personal information (such as government ID and SSN when you submit them for KYC—transmitted to Bridge as described above), financial information (such as bank name and account mask), commercial information related to your use of the Services, internet or network activity, and geolocation derived from address or technical data, as applicable.

Purposes

We use this information for the purposes described in sections 5 and 7, including operating the Services, security, fraud prevention, and legal compliance.

Sources

We collect personal information directly from you, automatically when you use the Services, and from our service providers (such as Bridge, Plaid, and Astra) as needed to provide features you request.

Sale or sharing

We do not sell your personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising as "sharing" is defined under California law.

Your California rights

You may have the right to:

• Know what personal information we collect, use, and disclose

• Request deletion of personal information we collected from you

• Correct inaccurate personal information

• Limit use of certain sensitive personal information, where applicable

• Not receive discriminatory treatment for exercising these rights

To submit a request, email [email protected] and describe the right you wish to exercise. We will confirm receipt within ten (10) business days where required and respond within forty-five (45) days (or as permitted by law, including a one-time extension). We may verify your identity before fulfilling a request. You may designate an authorized agent to submit a request; we may require proof of authorization and may still verify your identity directly.

California's "Shine the Light" law (Civil Code § 1798.83) permits California residents to request certain information about disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes as described in that law. If our practices change, we will provide the required opt-out or disclosure.

14. International transfers

We are based in the United States and may process and store information in the U.S. and other countries where we or our service providers operate. Those countries may have data protection laws that differ from those in your country. Where required, we use appropriate safeguards for cross-border transfers.

15. Complaints

If you have a concern about our privacy practices, contact us at [email protected] and we will work with you to address it.

16. Contact

Questions about this Privacy Policy, Goldsand, or Camelcorn Inc. should be directed to [email protected]