Privacy policy

VELVET PRIVACY POLICY

Last Updated: May 13, 2026

Stronghold Fund One Inc., a corporation organized under the laws of the Republic of Panama (Law 32 of 1927) and domiciled in Panama City, Republic of Panama ("Velvet", the "Company", "we", "us", or "our"), is the controller of personal information processed in connection with the Services described below. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, transfer, and protect information when you access or use Velvet's websites, web applications, mobile applications, application programming interfaces, smart contract interfaces, browser extensions, messaging bots (including Telegram, Discord, and similar interfaces), dashboards, artificial intelligence tools, assistive trading and portfolio tools, trading interfaces, vault interfaces, analytics, communications, and related services (collectively, the "Services").

The Services are primarily accessed through our websites, including velvet.capital, app.velvet.capital, dapp.velvet.capital, and any related subdomains, successor websites, applications, bots, or interfaces operated by or on behalf of Velvet (collectively, the "Platform").

This Policy applies to information we collect through the Platform and Services. It should be read together with our Terms of Service, which govern your access to and use of the Platform.

By accessing or using the Platform or Services, you acknowledge that you have read and understood this Policy. If you do not agree, do not access or use the Platform or Services.

Plain-Language Summary

This summary is provided for convenience only and is not part of the binding Policy. The detailed Policy below controls in case of any conflict.

Velvet is non-custodial. We do not take custody of, or control over, your assets, wallets, private keys, or seed phrases. You hold and control your own assets at all times.
Velvet does not execute trades autonomously. AI Features respond to instructions you provide and prepare transactions for you to review. You sign and authorize every on-chain action from your own wallet.
We collect wallet addresses, public blockchain activity, AI Feature inputs and outputs, technical and device data, communications, and (where applicable) compliance information.
We use that information to operate the Platform, respond to your instructions, provide AI Features and tools, prevent fraud and abuse, comply with law, and improve the Services.
We do not sell personal information and we do not share it for cross-context behavioral advertising, as those terms are defined under California law.
Wallet addresses and on-chain activity are personal information when they can be linked to you.
Public blockchain data is permanent and outside our control. We cannot delete it.
The Services are not directed at residents of the United States, the European Economic Area, or the United Kingdom.
We will never ask you for your seed phrase, private key, or password. Anyone who does is attempting fraud.

1 DEFINITIONS

For purposes of this Policy:

"AI Features" means AI-powered tools, copilots, natural-language interfaces, assistive trading and portfolio tools, signal generators, alerts, and similar functionality offered by Velvet, including the feature marketed as Velvet Unicorn. AI Features respond to user instructions and do not execute on-chain transactions without your authorization.
"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
"Panama Personal Data Law" means Panama Law No. 81 of March 26, 2019, on personal data protection, and its implementing regulations.
"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, and includes wallet addresses, transaction histories, IP addresses, device identifiers, and similar information where linkable to an identifiable individual.
"Processing" means any operation or set of operations performed on Personal Information.
"Sensitive Personal Information" has the meaning given in applicable law, including the CCPA.
"You" means the individual accessing or using the Platform or Services.

2 NON-CUSTODIAL NATURE OF THE SERVICES AND GEOGRAPHIC SCOPE

2.1 Non-Custodial Services

The Services are non-custodial. Velvet does not take custody of, hold, control, manage, or have access to your cryptoassets, tokens, wallets, private keys, seed phrases, recovery information, or other credentials at any time. You are solely responsible for the security of your wallet and the management of your own assets.

When you use the Services, transactions are initiated, signed, and broadcast from your own wallet. The Platform provides an interface to public blockchain networks and smart contracts. Velvet does not move, transfer, hold, lend, stake, or otherwise direct your assets, and cannot do so. AI Features and other Services prepare information and proposed transactions for your review; nothing executes on-chain until you sign and authorize the transaction from your wallet.

2.2 Geographic Scope

The Services are not directed at, marketed to, or intended for residents of the United States of America (including Puerto Rico, the U.S. Virgin Islands, and any other U.S. territory), the European Economic Area, or the United Kingdom. Velvet does not solicit users in those jurisdictions and does not envisage offering the Services to data subjects in those jurisdictions. If you reside in any of those jurisdictions and choose to access the Services, you do so on your own initiative and are responsible for compliance with local law.

The Services are also not available to persons located in the restricted jurisdictions listed in Section 13.

3 INFORMATION WE COLLECT

We collect information in five categories: (a) information you provide to us, (b) wallet and blockchain information, (c) information you generate through AI Features, (d) information collected automatically, and (e) information received from third parties.

3.1 Information You Provide to Us

Contact information: name, email address, Telegram handle, Discord handle, social media handle, phone number (where provided).
Account information: username, authentication details, preferences, profile settings, notification settings, and account identifiers.
Communications: messages, support requests, feedback, survey responses, bug reports, business or partnership inquiries.
Referral and incentive information: referral codes, campaign participation, reward preferences, eligibility information.
Compliance information (where collected): identity verification information, government identification, proof of address, source-of-funds information, source-of-wealth information, sanctions screening information, tax information, business information, and beneficial ownership information.
Any other information you choose to provide.

Some Services are not available without certain information. Where collection is required by law, we will indicate this at the point of collection.

3.2 Wallet and Blockchain Information

When you connect a wallet or interact with the Services, we collect or process the following, all of which we treat as Personal Information where linkable to an identifiable individual:

Wallet addresses and public keys.
Public blockchain transaction history.
Token balances and positions visible on public blockchains.
Vault deposits, withdrawals, rebalances, shares, allocations, and related on-chain activity.
Transaction hashes, timestamps, network identifiers, gas data, slippage settings, approvals, permissions, and smart contract interactions.
Wallet connection metadata, including wallet provider, chain ID, connected network, signature requests, and session status.
DeFi protocol interactions, including swaps, bridges, staking, lending, borrowing, liquidity provision, and yield strategies.
Risk, compliance, fraud, sanctions, and security signals derived from wallet or blockchain analytics, including scores produced by third-party providers.

We do not collect, hold, or have access to your private keys or seed phrases.

Public blockchain information is permanent and outside Velvet's control. Velvet cannot delete, modify, or reverse information recorded on public blockchains, including in response to a deletion request.

3.3 AI Features Data

If you use AI Features, we collect and process:

Prompts, commands, instructions, questions, and other inputs you provide.
AI-generated outputs, recommendations, explanations, strategy drafts, routes, simulations, and alerts.
Settings, parameters, and preferences you configure.
Transaction previews and simulations you request.
Your feedback, ratings, corrections, confirmations, cancellations, and edits.
System logs, error reports, performance metrics, and safety signals associated with AI Features.
Contextual information necessary to operate AI Features, such as wallet positions, selected networks, selected tokens, historical activity, and configured settings.

How AI Features work. AI Features respond to instructions you provide in natural language. They may prepare transactions, draft strategies, propose routes, summarize information, or generate recommendations for your review. AI Features do not sign, send, or execute on-chain transactions on their own. Every on-chain action requires your authorization and signature from your wallet.

Third-party AI providers. To generate responses, we transmit your inputs and certain contextual information to third-party AI providers, including OpenAI and similar providers. Those providers process inputs under their own terms and policies. The enterprise and API terms under which we engage these providers generally restrict the use of customer inputs to train their general-purpose models, but you should review the providers' own terms for the most accurate information about their practices.

No training by Velvet. Velvet does not use your AI Feature prompts or outputs to train any AI models. We may use your inputs and outputs, in de-identified or aggregated form, to monitor, evaluate, debug, and improve the safety and quality of our Services.

Do not submit private keys, seed phrases, passwords, government identifiers, or other highly sensitive information through AI Features.

3.4 Information Collected Automatically

When you access or use the Platform, we and our service providers automatically collect:

IP address and approximate location derived from IP address.
Browser type and version, device type, operating system, hardware model, screen resolution, language, and time zone.
Referring and exit pages, pages viewed, features used, clicks, scrolling, session duration, and navigation paths.
Date and time of access.
Crash reports, diagnostics, latency, performance data, and error logs.
Identifiers placed by cookies, pixels, local storage, session storage, software development kits, and similar technologies.
Security, fraud, and abuse signals, including device identifiers, rate-limit data, bot-detection signals, and access patterns.

3.5 Information from Third Parties

We may receive information from:

Wallet providers and authentication providers.
Analytics providers (including Microsoft Clarity, Google Analytics, and similar).
Blockchain data and indexing providers.
Compliance, sanctions screening, fraud prevention, and blockchain monitoring providers, including chain analytics vendors.
Infrastructure providers, including RPC, node, hosting, and cloud providers.
AI model providers and AI infrastructure providers.
Marketing, attribution, referral, and campaign providers.
Customer support, communication, and CRM providers.
Payment processors and fiat on-ramp providers, where applicable.
Public sources, including public blockchains, websites, social media, forums, and public databases.
Business partners, affiliates, and other users (for example, where you are named in a referral).

We may combine information from third parties with other information we collect.

4 HOW WE USE INFORMATION AND LAWFUL BASIS

We use information for the following purposes:

4.1 To Provide and Operate the Services

To enable wallet connections, display balances and positions, prepare transactions for your review, provide AI Features in response to your instructions, operate vault interfaces, administer user accounts and preferences, respond to support requests, and send service-related communications.

4.2 To Improve, Develop, and Secure the Services

To monitor performance, debug errors, develop new features and AI Features, evaluate model and product quality, detect and prevent fraud, abuse, security incidents, market manipulation, and prohibited conduct, and maintain operational integrity.

4.3 To Communicate with You

To respond to inquiries, send administrative and security notices, send service updates, and send marketing communications where permitted and where you have opted in.

4.4 For Compliance, Legal, and Risk Management

To comply with applicable laws and regulations; to conduct know-your-customer, anti-money laundering, counter-terrorist financing, sanctions screening, and source-of-funds checks where applicable; to enforce our Terms of Service; to respond to legal process; to investigate misuse; and to maintain records required by law.

4.5 For Referrals, Rewards, and Incentive Programs

To determine eligibility, calculate and distribute rewards, attribute referrals, prevent abuse and sybil activity, and meet tax and reporting obligations.

4.6 Lawful Basis for Processing

For residents of Panama, our processing of Personal Information is conducted under the lawful bases set out in Article 8 of the Panama Personal Data Law, including processing necessary to (a) perform a contract to which you are a party (including these Services), (b) comply with our legal and regulatory obligations, (c) protect our legitimate interests in operating and securing the Services, and (d) any other basis expressly permitted by Law 81 of 2019. Where consent is required, we will obtain it before processing.

For residents of other jurisdictions, our processing is conducted under the lawful bases provided by applicable local law. Where we rely on consent (for example, for marketing in some jurisdictions), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5 AUTOMATED PROCESSING

Some Services involve automated processing.

5.1 What Is Automated

Sanctions and compliance screening. Automated tools screen wallets and identities against sanctions lists and other restricted-party lists. A positive screen may result in denial of access to the Services.
Risk and fraud signals. Automated tools assess wallet, transaction, device, and session risk. These tools may trigger additional verification requirements, restrict access to features, or block transactions.

5.2 What Is Not Automated

AI Features and trading-related Services do not execute transactions autonomously. AI Features prepare information and proposed transactions in response to your instructions. You sign and authorize every on-chain action from your own wallet. Velvet does not have authority to move, trade, or otherwise direct your assets.

5.3 Human Review

If you believe an automated screening decision is incorrect — for example, if your wallet has been flagged in error — you may contact us at [email protected] to request human review. We will respond as soon as reasonably practicable and within any timeframe required by applicable law.

6 HOW WE SHARE INFORMATION

6.1 Service Providers and Processors

We share information with vendors and processors performing services on our behalf, including hosting, cloud infrastructure, analytics, customer support, communications, security, fraud prevention, compliance, sanctions screening, blockchain analytics, AI model and infrastructure providers, database management, product analytics, marketing, legal, accounting, and other operational services. Service providers are bound by contractual obligations consistent with applicable law.

6.2 Blockchain Networks and Public Ledgers

When you interact with blockchain networks, smart contracts, or DeFi protocols, information about your wallet address and transactions is published to public blockchains. Public blockchain data is visible to anyone and is generally permanent. Velvet does not control public blockchains and cannot delete or restrict access to information recorded on them.

6.3 Third-Party Protocols and Integrations

We may make information available to third-party protocols, decentralized applications, wallet providers, bridges, decentralized exchanges, data providers, fiat on-ramp providers, and other integrations as necessary to provide the Services or as directed by your interactions. Your use of third-party services is subject to their privacy policies and terms.

6.4 AI and Infrastructure Providers

We share AI Feature inputs and contextual information with AI model providers (including OpenAI and similar providers) and AI infrastructure providers to generate responses to your instructions. These providers process inputs under their own terms.

6.5 Affiliates and Corporate Transactions

We may share information with current and future parents, subsidiaries, affiliates, and joint venture partners. We may also disclose or transfer information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, due diligence process, or similar event. Any successor entity may continue to use information as described in this Policy or as you are notified.

6.6 Legal, Compliance, Safety, and Enforcement

We may disclose information where we believe disclosure is necessary or appropriate to: comply with law, regulation, legal process, court order, subpoena, or regulatory request; enforce our Terms of Service; detect, prevent, or address fraud, security issues, market abuse, sanctions risk, money laundering, or other illegal or prohibited activity; protect the rights, property, safety, or security of Velvet, users, third parties, or the public; or establish, exercise, or defend legal claims.

6.7 With Your Consent or Direction

We may share information with your consent, at your direction, or as otherwise disclosed at the time of collection or sharing.

6.8 No Sale of Personal Information

We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined under California law. We have not sold or shared (as so defined) Personal Information in the preceding twelve (12) months.

7 INTERNATIONAL TRANSFERS

Velvet and its service providers may process information in jurisdictions other than where you reside, including the Republic of Panama, the United States, the United Arab Emirates, Singapore, and other jurisdictions. These jurisdictions may have data protection laws that differ from those in your home jurisdiction. By using the Services, you acknowledge that your information may be processed in such jurisdictions.

Where Personal Information is transferred from a jurisdiction whose law requires specific transfer safeguards, we rely on lawful transfer mechanisms available under that law, including contractual safeguards.

8 DATA RETENTION

We retain Personal Information only for as long as reasonably necessary for the purposes described in this Policy. Specific retention periods include:

Category	Retention Period
Account and profile information	For the life of the account, plus up to 7 years after closure for legal, tax, and audit purposes
Wallet connection and session metadata	Up to 24 months from collection, unless required longer for fraud or compliance investigation
Compliance information (KYC/AML, sanctions screening)	5 to 7 years following the end of the relationship, as required by applicable law
Off-chain transaction-related records held by Velvet	5 to 7 years, as required by applicable financial recordkeeping laws
AI Feature inputs and outputs (associated with a user)	Up to 12 months, unless required longer for safety, security, or legal purposes
AI Feature inputs and outputs (de-identified or aggregated)	Indefinitely, subject to applicable law
Marketing preferences and unsubscribe records	Indefinitely, to honor your preferences
Support communications	Up to 3 years from resolution
Security and fraud logs	Up to 24 months, unless required longer for investigation
Backups, archives, and disaster recovery copies	Up to 90 days following deletion from primary systems

Public blockchain data is permanent and cannot be deleted by Velvet.

Where we are unable to delete information for legal, technical, or legitimate business reasons, we will isolate, restrict, or de-identify the information to the extent reasonably feasible.

9 INFORMATION SECURITY

We use administrative, technical, and organizational measures designed to protect Personal Information against unauthorized access, loss, misuse, disclosure, alteration, and destruction. These measures include encryption in transit, access controls, monitoring, logging, role-based permissions, incident response procedures, and vendor security reviews.

No system, website, blockchain network, wallet, smart contract, transmission method, or storage system is completely secure, and we cannot guarantee absolute security.

You are responsible for securing your wallet, devices, credentials, private keys, seed phrases, passwords, authentication methods, browser environment, and communications. Because the Services are non-custodial, the security of your assets depends primarily on the security of your wallet and your own practices.

Velvet will never ask you for your seed phrase, private key, or password. Anyone who does is attempting fraud.

10 DATA BREACH NOTIFICATION

In the event of a personal data breach that we are required to report under applicable law, we will notify the relevant supervisory authority within the timeframe required by that law. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay, by the means we reasonably determine appropriate (including email, in-product notice, or public notice where direct notice is not practicable).

11 COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, pixels, local storage, session storage, software development kits, and similar technologies in the following categories:

Strictly necessary cookies and storage to operate the Platform, maintain sessions, secure access, and enable wallet connections. These cannot be disabled through our consent tools.
Performance and analytics cookies to measure usage, debug errors, and improve the Platform.
Preference cookies to remember your settings.
Marketing and attribution cookies to measure the effectiveness of marketing and referral campaigns.

You can manage cookies through your browser settings and, where applicable, through our consent management tool. Disabling some cookies will impair Platform functionality.

We respond to recognized opt-out preference signals (such as Global Privacy Control) for users in jurisdictions where required by law.

12 MARKETING COMMUNICATIONS

If you opt in, we may send newsletters, product updates, event invitations, and promotional materials. You may opt out of marketing emails by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Even after you opt out of marketing, we may send you transactional, security, legal, and service-related communications.

13 RESTRICTED JURISDICTIONS AND USERS

The Services are not offered, and may not be accessed, by persons located in, ordinarily resident in, or organized under the laws of comprehensively sanctioned jurisdictions, currently including Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, and the so-called Donetsk and Luhansk People's Republics. The Services are also not offered to persons listed on sanctions, restricted-party, denied-persons, or blocked-persons lists maintained by Panama's Unidad de Análisis Financiero, the U.S. Office of Foreign Assets Control, the United Nations, the European Union, the United Kingdom's HM Treasury, or any other relevant authority.

The Services are also not directed at residents of the United States, the European Economic Area, or the United Kingdom, as described in Section 2.2.

We may use Personal Information to screen for and enforce these restrictions, including by blocking wallet addresses, accounts, IP addresses, and transactions.

14 CHILDREN'S PRIVACY

The Platform and Services are not directed to, and are not intended for, individuals under the age of eighteen (18) or the age of majority in their jurisdiction, whichever is older. We do not knowingly collect Personal Information from children. If you believe we have collected information from a child, contact us at [email protected] and we will take appropriate steps to delete it.

15 YOUR RIGHTS AND CHOICES

The rights available to you depend on where you live and the law that applies to you.

15.1 General Rights

Regardless of where you live, you may contact us at [email protected] to:

Ask what Personal Information we hold about you.
Ask us to correct inaccurate information.
Ask us to delete Personal Information, subject to legal exceptions.
Object to processing or withdraw consent (where applicable).
Opt out of marketing communications.

We may need to verify your identity before responding. We may decline or limit a request where permitted by law (for example, where information is required for legal, compliance, security, or dispute purposes). We cannot delete information recorded on public blockchains.

15.2 Residents of California (CCPA / CPRA)

To the extent California residents access the Services notwithstanding the geographic restrictions in our Terms of Service, the following applies.

Categories of Personal Information we collect. In the preceding twelve months, we have collected the following categories of Personal Information as defined under the CCPA: identifiers (including wallet addresses); internet or other electronic network activity; geolocation data (approximate, derived from IP); commercial information (including transaction history); professional or employment-related information (where provided); and inferences drawn from the above. For compliance purposes, where collected, we also process government identifiers, which the CCPA classifies as Sensitive Personal Information.

Sources, purposes, and recipients. The sources, purposes for processing, and categories of recipients are described in Sections 3, 4, and 6 respectively.

Sale and sharing. We do not sell Personal Information and do not share Personal Information for cross-context behavioral advertising. We have not done so in the preceding twelve months and do not have actual knowledge of selling or sharing the Personal Information of consumers under sixteen years of age.

Use of Sensitive Personal Information. We use Sensitive Personal Information only for the purposes permitted under Cal. Civ. Code § 1798.121, including to perform Services, prevent fraud, ensure security, and comply with law. We do not use Sensitive Personal Information for purposes that would trigger a right to limit its use.

Your California rights. You have the right to: (a) know what Personal Information we collect, use, disclose, and sell or share; (b) delete Personal Information, subject to exceptions; (c) correct inaccurate Personal Information; (d) opt out of the sale or sharing of Personal Information (not applicable here, as we do not sell or share); (e) limit the use of Sensitive Personal Information (not applicable here, as we use it only for permitted purposes); and (f) be free from discrimination for exercising these rights.

How to exercise. Submit requests to [email protected]. We will verify your identity using information reasonably necessary to do so. You may use an authorized agent; we may require written authorization and verification.

15.3 Residents of Panama

To the extent the Panama Personal Data Law applies to our processing, you have the rights granted under that law, including the rights of access, rectification, cancellation, opposition, and portability, as well as the right to lodge a complaint with the National Authority for Transparency and Access to Information (ANTAI).

15.4 Residents of the United Arab Emirates

If the UAE Personal Data Protection Law applies to our processing of your Personal Information, you have the rights granted under that law, including rights to: receive information about processing; request access, correction, deletion, restriction, and portability; object to certain processing; and lodge a complaint with the UAE Data Office.

15.5 Residents of Other Jurisdictions

You may have rights under your local law, including under Brazil's LGPD, Singapore's PDPA, Canada's PIPEDA, Australia's Privacy Act, and similar laws. To exercise rights, contact us at [email protected].

16 THIRD-PARTY WEBSITES AND SERVICES

The Platform may contain links to, integrations with, or references to third-party websites, applications, protocols, wallets, exchanges, bridges, analytics tools, fiat on-ramps, social media platforms (including LinkedIn, X/Twitter, Telegram, Discord, YouTube, Medium, and GitHub), and other services. This Policy does not apply to those third parties. Review their privacy policies separately.

17 AGGREGATED AND DE-IDENTIFIED INFORMATION

We may create aggregated, anonymized, or de-identified information that does not reasonably identify you. We may use and share such information for analytics, research, product development, benchmarking, security, marketing, and other lawful purposes. We maintain de-identified information in de-identified form and do not attempt to re-identify it, except as permitted by law.

18 DO NOT TRACK AND OPT-OUT PREFERENCE SIGNALS

Because no uniform standard exists for "Do Not Track" signals, we do not respond to them. We do respond to recognized opt-out preference signals (such as Global Privacy Control) for users in jurisdictions where required.

19 CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time. When we do, we will update the "Last Updated" date above and, where the change is material, provide additional notice through the Platform or by email. Your continued use of the Platform after the updated Policy takes effect constitutes your acknowledgement of the updated Policy.

20 CONTACT INFORMATION

For questions, requests, or complaints regarding this Policy or our privacy practices, please contact us at [email protected]. Stronghold Fund One Inc. is domiciled in Panama City, Republic of Panama.

21 SEVERABILITY AND GOVERNING PROVISIONS

If any provision of this Policy is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The English language version of this Policy is the controlling version; any translation is provided for convenience only.

End of Policy.