GRATEFUL WALLET

PRIVACY POLICY

Effective Date: November 14, 2025

Last Reviewed and Updated: November 14, 2025

The Grateful self-custodial wallet and related services (the "Grateful Wallet") is made available by Exodus Movement, Inc., acting as data controller, and its affiliates (collectively, for the purposes of this Privacy Policy, "Grateful," "we," "our," and/or "us"). We value the privacy of individuals who use the Grateful Wallet (our "Services"). This privacy policy (the "Privacy Policy") explains how we collect, use, and disclose Personal Data from users of our Services. For the purposes of this Privacy Policy, "Personal Data" means information that relates to an identified or identifiable natural person.

By using our Services, you agree to the collection, use, and disclosure of your Personal Data as described in this Privacy Policy. Beyond this Privacy Policy, your use of our Services is also subject to our Terms of Service.

INDEX

INFORMATION WE COLLECT
HOW WE USE THE PERSONAL DATA WE COLLECT
HOW WE SHARE THE PERSONAL DATA WE COLLECT
INTERNATIONAL DATA TRANSFERS
SECURITY
RETENTION
THIRD-PARTIES
CHILDREN
YOUR RIGHTS AND CHOICES
OUR LEGAL BASES FOR PROCESSING
CONTACT INFORMATION
CHANGES TO THIS PRIVACY POLICY

INFORMATION WE COLLECT

Information You Provide to Us Through the Service. When you create an account and/or non-custodial wallet in the Service, contact us, sign up for advanced customer service, use our Service, or participate in certain beta programs and services, we collect any Personal Data you provide to us, including

Contact data, such as your first and last name, email address, and phone number.
Verification data used in conjunction with Contact Data for compliance with Know Your Customer and similar compliance obligations, such as a photo ID and video for verification purposes.
Transactions data, that is, the amounts, currencies, and destination accounts or recipient information.
Communications data based on our exchanges with you, including when you contact us through the Service, communicate with us via chat features, social media, or otherwise, which may include your social media username.
User-generated content data, such as any details regarding the payment (e.g., products purchased) or other communications you send to other users through the Service.
Other data not specifically listed here that you choose to provide to us (e.g., business name), which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Data about others. We may offer features that help users import their contacts to use in the Service, and we may collect contact details about these contacts so we can deliver the Services and/or invitations to the Service. Please ensure that you have the appropriate permissions to provide this information to the Service.

Information We Collect Automatically Through the Service. We may automatically collect information about you and your devices when you use our Services, including data corresponding to your interactions with our Services, such as event data and Service feature usage and analytics data, which we use for security purposes, to verify the functionality of features in the Services, and to improve our Services. For example, when you use our Service, we collect your internet protocol (IP) address, app version, operating system type, a pseudonymous internal user ID for our internal use in improving its products and services, the pages you view, the length of time you spend on a page, the dates and times of your visits, the hyperlinks you click on, and other information about your use of our Services. When performing transactions, we may log information such as the wallet addresses and the transaction IDs involved.

Cookies. We may collect information through our Services using cookies, pixel tags, or similar technologies. Cookies are small text files containing a string of alphanumeric characters. A pixel tag is a single pixel, transparent GIF image with a unique identifier that can recognize certain types of data on your device (similar to how cookies do). When we refer to "cookies" in the remainder of this Privacy Policy, such reference includes cookies, pixel tags, or similar technologies deployed on our Services.

We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to our Site.

Our Services use the following types of cookies for the purposes described below:

Functional Cookies. We use functional cookies to recognize you when you return to our Services.
Analytics and Performance Cookies. We use analytics and performance cookies for website analytics purposes to operate, maintain, and improve the Services. We also use analytics cookies for attribution purposes to understand how you learned of the Services. The information gathered by these cookies is aggregated and anonymized and does not identify any specific individual visitor.

Further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.

You can block cookies by setting your internet browser to block some or all of the cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Services. You can change your browser settings to block or notify you when you receive a cookie, delete cookies or browse our Services using your browser's anonymous usage setting. Please refer to your browser instructions or help screen to learn more about how to adjust or modify your browser settings. If you do not agree to our use of cookies or similar technologies which store information on your device, you should change your browser settings accordingly. You should understand that some features of our Services may not function properly if you do not accept cookies or these technologies. Where required by applicable law, you will be asked to consent to certain cookies and similar technologies before we use or install them on your computer or other device.

Information We Collect from Other Sources. We may receive Personal Data about you from third parties, such as individuals who provide your information (e.g., phone number or email address) as a recipient of cryptocurrency using our Service, or we may collect public blockchain data that can be tied to crypto wallets. We may combine this data with other Personal Data we have about you and otherwise use it as described in this Privacy Policy.

HOW WE USE THE PERSONAL DATA WE COLLECT

We use the Personal Data we collect for the following purposes:

To establish the account and/or non-custodial wallet.
To provide, maintain, debug, improve, and enhance our Services.
To understand and analyze how you use our Services and develop new products, services, features, and functionality.
To communicate with you, provide you with updates and other information relating to our Services, provide information that you request, provide you with our newsletter, respond to comments and questions, and otherwise provide customer support.
For marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable, or otherwise of interest to you.
To personalize your experience on our Services such as identifying you as a repeat visitor.
To facilitate the connection of third-party services or applications.
To create pseudonymous, de-identified and/or aggregated data to improve for our business purposes, including to improve our Services.
To find and prevent fraud, detect security incidents, and respond to trust and safety issues that may arise.
For compliance purposes, including complying with Know Your Customer requirements, enforcing our Terms of Service or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
For other purposes for which we provide specific notice at the time the Personal Data is collected.

We do not share or otherwise disclose Personal Data we collect from or about you except as described below or otherwise disclosed to you at the time of collection.

Affiliates. We may share any information we receive with our affiliates and subsidiaries for any of the purposes described in this Privacy Policy, including Exodus Movement, Inc.
Advertising Partners. We may share your Personal Data with third-party advertising companies for the interest-based advertising purposes described above.
Partners. We may share your Personal Data with third parties with whom we partner, including social media platforms, parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or to carry out other related activities that allow our Services to interact with services our partners provide.
Authorities and Others. We may disclose your Personal Data to law enforcement, government authorities, and private parties if we believe doing so is required or appropriate to: (i) comply with applicable laws; (ii) respond to law enforcement requests and legal process, such as a court order or subpoena; or (iii) protect the rights, property, and safety of Grateful, our employees, agents, customers, and others, including to enforce our agreements, policies, and Terms of Service.
Business Transferees. We may transfer your Personal Data to service providers, advisors, potential third-party API providers, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company, or we sell, liquidate, or transfer all or a portion of our assets.
Professional Advisors. We may share your Personal Data with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Vendors and Service Providers. We may share your Personal Data with third parties that provide services on our behalf or help us operate the Services or our business, such as "know your customer" verification, compliance screening, hosting, information technology, customer support, email delivery, marketing, research and analytics.
Third Parties Designated by You. In addition to transactions being visible on the public blockchain, we also may disclose your Personal Data with third parties where you have instructed us or provided your consent to do so.

INTERNATIONAL DATA TRANSFERS

Your information, including the Personal Data that you provide to us, may be transferred to, stored at and processed by us outside the country in which you reside, including, but not limited to the United States, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. By engaging with the Services, you understand and, to the extent required under applicable law, consent to the transfer of your Personal Data to the U.S. and other jurisdictions. We will take steps that we believe to be reasonably necessary to treat your Personal Data securely and in accordance with this Policy.

SECURITY

We employ organizational, technical, and administrative measures designed to protect Personal Data within our organization. However, as no electronic transmission or storage of Personal Data can be entirely secure, we can make no guarantees as to the security or privacy of your Personal Data. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us via the "Contact Information" section below.

RETENTION

We retain Personal Data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for compliance and protection purposes.

To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the Personal Data, we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible. If we anonymize your Personal Data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

THIRD-PARTIES

Our Services may contain links or API connections to other websites, products, or services that we do not own or operate. We are not responsible for the privacy and advertising practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party API providers or any Personal Data you disclose to these third parties. We encourage you to read their privacy policies before providing any Personal Data to them.

CHILDREN

The Service is not intended for use by anyone under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us as provided. If we learn that we have collected personal information through the Service from a child without the consent of the child's parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

YOUR RIGHTS AND CHOICES

General. Your jurisdiction's data protection laws may give you certain rights regarding your Personal Data, which may include one or more of the rights below. To the extent such rights are applicable, we will comply with your requests to exercise such rights in accordance with applicable law. If you are located in Europe, you may ask us to take the following actions in relation to your Personal Data that we hold:

Access. Provide you with information about our processing of your Personal Data and give you access to your Personal Data.
Correct. Update or correct inaccuracies in your Personal Data.
Delete. Delete your Personal Data where there is no good reason for us continuing to process it - you also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
Portability. Port a machine-readable copy of your Personal Data to you or a third party of your choice.
Restrict. Restrict the processing of your Personal Data, for example if you want us to establish its accuracy or the reason for processing it.
Object. Object to our processing of your Personal Data where we are relying on Legitimate Interests – you also have the right to object where we are processing your Personal Data for direct marketing or targeted advertising purposes.
Withdraw Consent. When we use your Personal Data based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by contacting us as provided in the Contact Information section below. We may request specific information from you to help us confirm your identity, your jurisdiction of residence, and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your Personal Data and the applicable law in your jurisdiction), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Your Right to Lodge a Complaint with your Supervisory Authority. In addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your Personal Data, you can make a complaint to the data protection regulator in your jurisdiction of residence.

Declining to provide information. We need to collect Personal Data to provide certain services. For example, if you do not provide the information necessary for us to meet our compliance obligations, for example related to Know Your Customer requirements, we will not be able to establish an account and/or non-custodial wallet for you. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Delete your content or close your account. You can choose to close or delete your account please navigate to that option under your Account Settings or contact us as provided below.

No Automated Decision-Making and Profiling. As part of the Services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

Advertising choices. You may be able to limit use of your Personal Data for interest-based advertising through the following settings/options/tools:

Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Platform settings. Certain platforms offer opt-out features that let you opt-out of use of your information for interest-based advertising. For example, the following platforms provide details about how users can exercise their choice to opt-out of interest-based advertising as follows:
Ad industry tools. Opting out of interest-based ads from companies that participate in the following industry opt-out programs:
- Advertising Initiative: http://www.networkadvertising.org/managing/opt_out.asp
- Digital Advertising Alliance: optout.aboutads.info.
- AppChoices mobile app, available at https://www.youradchoices.com/appchoices, which will allow you to opt-out of interest-based ads in mobile apps served by participating members of the Digital Advertising Alliance.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.

You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your information for interest-based advertising purposes. We cannot offer any assurances as to whether the companies we work with participate in the opt- out programs described above.

OUR LEGAL BASES FOR PROCESSING

To the extent required to be provided under applicable law, our legal bases for processing your Personal Data described in this Privacy Policy are listed below.

Where we need to perform a contract, we are about to enter into or have entered into with you ("Contractual Necessity").
Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests ("Legitimate Interests"). More detail about the specific legitimate interests pursued in respect of each Purpose we use your Personal Data for is set out in the table below.
Where we need to comply with a legal or regulatory obligation ("Compliance with Law").
Where we have your specific consent to carry out the processing for the Purpose in question ("Consent").

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your Personal Data – for more information on these Purposes and the data types involved, see 'How We Use The Personal Data We Collect' above. Note that, for those jurisdictions in which consent is the only legal basis available, we rely on consent for the processing of Personal Data pursuant to this Privacy Policy.

Purpose	Categories of Personal Data involved	Legal basis
Service delivery, analytics, and operations (incl. service enhancement, personalization, and improvement)	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	Compliance with Law, if we are legally obliged to respond to your request. Consent, in respect to any optional cookies we may use. Legitimate Interest, in all other cases – our legitimate interests to develop, improve and communicate about our organization.
Marketing	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organization and sending marketing communications for that purpose. Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.
To facilitate connections and engagements with third-party services or applications (incl. third-party API providers)	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	Legitimate Interests – we have a legitimate interest in providing these services for our business and operations. Consent – in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given promotional communications.
Compliance and protection	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	Compliance with Law. Legitimate interest. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.
To create pseudonymous, aggregated, de-identified and/or anonymized data	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	Legitimate interest. We have legitimate interest in understanding what may be of interest to our customers, improving customer relationships and experiences, delivering relevant content to our customers, measuring and understanding the effectiveness of the content we serve to our customers.
Further uses	Any and all data types described in the 'Information We Collect' section above as relevant in the circumstances	The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the Personal Data was collected. Consent, if the relevant further use is not compatible with the initial purpose for which the Personal Data was collected.

CONTACT INFORMATION

We welcome your comments or questions regarding our privacy practices. If you have questions about your privacy related to the Services or this Privacy Policy, you may contact us at:

Mail: Exodus Movement, Inc. 15418 Weir Street, No. 333, Omaha, NE 68137

Email: [email protected]

CHANGES TO THIS PRIVACY POLICY

We will post any updates to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we process Personal Data previously collected from you through our Services, we will notify you by email or other means.