Privacy Policy

EXODUS MOVEMENT, INC.

California Notice at Collection/State Law Privacy Rights: See the State Privacy Rights Notice section below for important information about your rights under applicable state privacy laws.

Exodus Movement, Inc. and its subsidiary, Proper Trust AG (collectively, “Exodus,” “we,” “our,” and/or “us”), values the privacy of individuals who use our websites (including https://exodus.com (opens in a new tab) and https://passkeys.foundation/ (opens in a new tab) (the “Sites”)), applications, or services, including the blockchain currency management software that is downloadable from the Sites, and any services that link to this Privacy Policy (collectively, our “Services”). This privacy policy (the “Privacy Policy”) explains how we collect, use, and disclose Personal Data from users of our Services. For the purposes of this Privacy Policy, “Personal Data” means information that relates to an identified or identifiable natural person.

Notice to European Users: Please see the Notice to European Users section below for additional information for individuals located in the European Economic Area or United Kingdom (which we refer to as “Europe”, and “European” should be understood accordingly).

By using our Services, you agree to the collection, use, and disclosure of your Personal Data as described in this Privacy Policy. Beyond this Privacy Policy, your use of our Services is also subject to our Terms of Service.

As the Exodus Wallet is a non-custodial crypto asset software wallet, we do not have customer accounts. We do not require you to provide your Personal Data to us to use the Exodus Wallet. If you sign up for our newsletter, certain beta programs and services, or provide your Personal Data in a customer service ticket or in connection with an advanced customer service program, that information will be collected by us. However, certain third- party API providers may require you to provide them with Personal Data, in order to use their services through the Exodus Wallet.

Information We Collect

Exodus aims to collect as little Personal Data from users as possible to ensure a completely private and anonymous user experience when using our Services. However, we may collect limited Personal Data from or about you or your devices from various sources, as described below.

Information You Provide to Us Through the Sites. When you contact us, sign up for our newsletter, sign up for advanced customer service, or participate in certain beta programs and services, we collect any Personal Data you provide to us, such as your name, email address, and country of residence.

Information We Collect Automatically Through the Sites. We may automatically collect information about you and your devices when you use our Sites. For example, when you visit our Sites, we collect your internet protocol (IP) address, web browser type, web browser language, operating system type, the website you visited before browsing to our Sites, a pseudonymous User ID that is unique to Exodus for Exodus’s internal use in improving its products and services, the pages you view, the length of time you spend on a page, the dates and times of your visits, the hyperlinks you click on, and other information about your use of our Sites. When performing an exchange through a third-party API provider, we log information such as the wallet addresses and the transaction IDs involved.

Service Interaction Data. We may automatically collect pseudonymous data corresponding to your interactions with our blockchain currency management software, such as event data and software feature usage and analytics data, which we use for security purposes, to verify the functionality of features in the Services, and to improve our Services.

Cookies. We and the third-party API providers may collect information through our Sites using cookies, pixel tags, or similar technologies. Our third-party partners, such as analytics or advertising partners, may use these technologies to collect information about your online activities over time and across different websites. Cookies are small text files containing a string of alphanumeric characters. We may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to our Site.

Our Sites use the following types of cookies for the purposes described below:

Functional Cookies. We use functional cookies to recognize you when you return to our Sites.
Analytics and Performance Cookies. We use analytics and performance cookies for website analytics purposes to operate, maintain, and improve the Sites. We also use analytics cookies for attribution purposes to understand how you learned of the Services. The information gathered by these cookies is aggregated and anonymized and does not identify any specific individual visitor. We use Google Analytics to collect and process certain analytics data on our behalf. Google Analytics uses its own cookies that help us understand how you engage with the Sites and may also collect information about your use of other websites, apps, and online resources. The links below provide additional information and resources for Google Analytics:
- Google Analytics (opens in a new tab)
- Prevent the Use of Google Analytics in connection with your use of our Services (opens in a new tab)
Advertising Cookies. We may allow third-party advertising partners to use cookies on the Sites to collect information about your browsing activities over time and across websites.

Further information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org (opens in a new tab).

You can block cookies by setting your internet browser to block some or all of the cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Sites. You can change your browser settings to block or notify you when you receive a cookie, delete cookies or browse our Sites using your browser’s anonymous usage setting. Please refer to your browser instructions or help screen to learn more about how to adjust or modify your browser settings. If you do not agree to our use of cookies or similar technologies which store information on your device, you should change your browser settings accordingly. You should understand that some features of our Sites may not function properly if you do not accept cookies or these technologies. Where required by applicable law, you will be asked to consent to certain cookies and similar technologies before we use or install them on your computer or other device.

Information We Collect from Other Sources. We may receive Personal Data about you from third parties, such as data or marketing partners, or we may collect public blockchain data that can be tied to crypto wallets. We may combine this data with other Personal Data we have about you and otherwise use it as described in this Privacy Policy.

How We Use the Personal Data We Collect

We do not share or otherwise disclose Personal Data we collect from or about you except as described below or otherwise disclosed to you at the time of collection.

Affiliates. We may share any information we receive with our affiliates and subsidiaries for any of the purposes described in this Privacy Policy.
Advertising Partners. We may share your Personal Data with third-party advertising companies for the interest-based advertising purposes described above.
Authorities and Others. We may disclose your Personal Data to law enforcement, government authorities, and private parties if we believe doing so is required or appropriate to: (i) comply with applicable laws; (ii) respond to law enforcement requests and legal process, such as a court order or subpoena; or (iii) protect the rights, property, and safety of Exodus, our employees, agents, customers, and others, including to enforce our agreements, policies, and Terms of Service.
Business Transferees. We may transfer your Personal Data to service providers, advisors, potential third-party API providers, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company, or we sell, liquidate, or transfer all or a portion of our assets.
Partners. We may share your Personal Data with third parties with whom we partner, including parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or to carry out other related activities that allow our Services to interact with services our partners provide.
Professional Advisors. We may share your Personal Data with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
Vendors and Service Providers. We may share your Personal Data with third parties that provide services on our behalf or help us operate the Services or our business, such as hosting, information technology, customer support, email delivery, marketing, research and analytics.
Third Parties Designated by You. We also may disclose your Personal Data with third parties where you have instructed us or provided your consent to do so.

International Data Transfers

Your information, including the Personal Data that you provide to us, may be transferred to, stored at and processed by us outside the country in which you reside, including, but not limited to the United States, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. By providing any information, including Personal Data, on our Site, you consent to such transfer, storage, and processing. We may also transfer Personal Data from the European Economic Area or the United Kingdom to the United States, as needed, to perform the Services that you have requested from us. We will take steps that we believe to be reasonably necessary to treat your Personal Data securely and in accordance with this Policy.

Security

We employ organizational, technical, and administrative measures designed to protect Personal Data within our organization. However, as no electronic transmission or storage of Personal Data can be entirely secure, we can make no guarantees as to the security or privacy of your Personal Data. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us of the problem by contacting us via the “Contact Information” section below.

Retention

We will only retain your Personal Data as long as reasonably required for the purposes for which we collected it. In the context of customer support, we retain information sufficient to connect subsequent requests from the same user in order to provide efficient service, unless a longer retention period is required or permitted by law (for example for regulatory purposes).

Third-Parties

Our Services may contain links or API connections to other websites, products, or services that we do not own or operate. We are not responsible for the privacy and advertising practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party API providers or any Personal Data you disclose to these third parties. We encourage you to read their privacy policies before providing any Personal Data to them.

Do Not Track Signals

Some Internet browsers may be configured to send “Do Not Track” signals to the online sites that you visit. We currently do not respond to “Do Not Track” signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com (opens in a new tab).

Your Rights and Choices

In this section, we describe the rights and choices available to all users. Users who are located in certain U.S. states, and Europe can find additional information about their rights below.

Opt-out of Marketing Communications. You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails.

Advertising choices. You may be able to limit use of your Personal Data for interest-based advertising through the following settings/options/tools:

Browser settings. Changing your internet web browser settings to block third-party cookies.
Privacy browsers/plug-ins. Using privacy browsers and/or ad-blocking browser plug-ins that let you block tracking technologies.
Platform settings. Certain platforms offer opt-out features that let you opt-out of use of your information for interest-based advertising. For example, you may be able to exercise that option for Google at the following websites: https://adssettings.google.com (opens in a new tab).
Ad industry tools. Opting out of interest-based ads from companies that participate in the following industry opt-out programs:
- Network Advertising Initiative: http://www.networkadvertising.org/managing/opt_out.asp (opens in a new tab)
- Digital Advertising Alliance: https://optout.aboutads.info (opens in a new tab).
- AppChoices mobile app, available at https://www.youradchoices.com/appchoices (opens in a new tab), which will allow you to opt-out of interest-based ads in mobile apps served by participating members of the Digital Advertising Alliance.
Mobile settings. Using your mobile device settings to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.

You will need to apply these opt-out settings on each device and browser from which you wish to limit the use of your information for interest-based advertising purposes.

We cannot offer any assurances as to whether the companies we work with participate in the opt- out programs described above.

Declining to provide information. We need to collect Personal Data to provide certain services. If you do not provide the information we identify as required or mandatory, we may not be able to provide those services.

Contact Information

We welcome your comments or questions regarding our privacy practices. If you have questions about your privacy related to the Services or this Privacy Policy, you may contact us at:

Mail: Exodus Movement, Inc. 15418 Weir Street, No. 333 Omaha, NE 68137

Email: [email protected]

Changes to this Privacy Policy

We will post any updates to the Privacy Policy on this page, and the revised version will be effective when it is posted. If we materially change the ways in which we process Personal Data previously collected from you through our Services, we will notify you by email or other means.

State Privacy Rights Notice

Except as otherwise provided, this section applies to residents of California, Colorado, Connecticut, Utah, Virginia and other states to the extent they have privacy laws applicable to us that grant their residents the rights described below (collectively, the “State Privacy Laws”)

This section describes how we collect, use, and share Personal Information (defined below) of residents of these states and the rights these users may have with respect to their Personal Information. Please note that not all rights listed below may be afforded to all users and that if you are not a resident of one of these states listed above, you may not be able to exercise these rights. In addition, we may not be able to process your request if you do not provide us with sufficient detail to allow us to confirm your identity or understand and respond to it.

For the purposes of this Section, Personal Information has the meaning given to “personal data”, “personal information” or other similar terms, and “Sensitive Personal Information” has the meaning given to “sensitive personal information,” “sensitive data”, or other similar terms in the State Privacy Laws, except that in neither case does such term include information exempted from the scope of the State Privacy Laws. In some cases, we may provide a different privacy notice to certain categories of residents of these states, such as job applicants, in which case that notice will apply instead of this section.

Personal Information does not include information that is:

Lawfully made available from government records.
Deidentified or aggregated.
Otherwise excluded from the scope of the State Privacy Laws.

Your State Law Privacy Rights

State Privacy Laws may provide residents with some or all of the following rights. However, these rights are not absolute, and some State Privacy Laws do not provide these rights to their residents. Therefore, we may decline your request in certain cases as permitted by law.

Right to Know and Access. You may submit a verifiable request for information about how we have collected and use your Personal Information during the past 12 months: (i) categories of Personal Information collected; (ii) business or commercial purposes for which categories of Personal Information are collected or sold by us; (iii) categories of sources from which we collect Personal Information; (iv) categories of third parties with whom we share Personal Information; (v) the categories of Personal Information disclosed or sold for a business purpose; and (vi) of the categories of third parties to whom the Personal Information was disclosed or sold for a business purpose. You can also request a copy of the Personal Information that we have collected about you.

Right to Appeal. You can appeal our denial of any request validly submitted.

Right to Correction. You can ask us to correct inaccurate Personal Information that we have collected about you.

Right to Deletion. Subject to certain exceptions, you may submit a verifiable request that we delete Personal Information about you that we have collected from you.

Right to Opt-Out. In some circumstances, you may have opt-out rights with respect to your Personal Information:

Opt-out of certain processing for targeted advertising purposes. You can opt-out of certain processing of personal information for targeted advertising purposes.
Opt-out of profiling/automated decision making. You can opt-out of automated processing or profiling performed on personal information to evaluate, analyze, or predict personal aspects related to a person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Opt-out of other sales of personal data. You can opt-out of other sales of your Personal Information.

Nondiscrimination. You have the right not to receive discriminatory treatment for the exercise of your privacy rights, subject to certain limitations.

Consumers under 16. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Sensitive Personal Information. We do not process Sensitive Personal Information for the purpose of inferring characteristics about consumers under the California Consumer Privacy Act (“CCPA”).

Shine the Light. We do not rent, sell, or share Personal Information with non-affiliated companies for their direct marketing uses as contemplated by California’s “Shine the Light” law (Civil Code § 1798.83), unless we have your permission.

Submit Requests to Exercise Your Right to Know/Access, Appeal, Correction, or Deletion. To submit requests to exercise your right to know/access, appeal, correction, or deletion, please email us via our Contact Information section.

Submit Requests to Exercise Your Right to Opt-out of the “Sale” or “Sharing” of Your Personal Information. While we do not sell Personal Information for money, like many companies, we use services that help deliver interest-based ads to you as described above. The State Privacy Laws may classify our use of some of these services as “selling” or “sharing” your Personal Information with the advertising partners that provide the services. You can by submit requests to opt-out of tracking for targeted advertising purposes or other sales of Personal Information by emailing us via the Contact Information section.

Verification of Identity; Authorizing an Agent. We may need to verify your identity to process your know/access, appeal, correction, or deletion requests and we reserve the right to confirm your residency. To verify your identity, we may require government identification, a declaration under penalty of perjury, or other information, where permitted by law.

Under some State Privacy Laws, you many enable an authorized agent to make a request on your behalf. However, we may need to verify your authorized agent’s identity and authority to act on your behalf. To authorize an agent to make a rights request on your behalf, please send us a written authorization signed by you and the authorized agent to us via the Contact Information section. We may require a copy of a valid power of attorney given to your authorized agent pursuant to applicable law.

Personal information that we collect, use and disclose. We have summarized the Personal Information we collect and may disclose to third parties by reference below to both the categories defined in the “Information We Collect” section of this Policy above and the categories of Personal Information specified in the CCPA (Cal. Civ. Code §1798.140) and the below describes our practices currently and during the 12 months preceding the effective date of this Privacy Policy. Information you voluntarily provide to us, such as in free-form webforms, may contain other categories of personal information not described below.

Personal Information (“PI”) we collect	CCPA statutory category	Categories of third parties to whom we “disclose” PI for a business purpose	Categories of third parties to whom we “sell” or “share” PI
Information You Provide to Us (Sites only)	Identifiers Commercial information California customer records	Affiliates Advertising partners Authorities and others Business transferees Partners Professional advisors Vendors and Service providers Third parties designated by you	Advertising partners (to facilitate online advertising)
Information We Collect Automatically (Sites only)	Identifiers Online Identifiers Commercial information Internet or Network Information	Affiliates Advertising partners Authorities and others Business transferees Partners Professional advisors Vendors and Service providers Third parties designated by you	Advertising partners (to facilitate online advertising)
Service Interaction Data (Blockchain currency management software only)	Identifiers Online Identifiers Commercial information Internet or Network Information	Affiliates Third parties designated by you Professional advisors Authorities and others Business transferees	Advertising partners (to facilitate online advertising)
Information We Collect from Other Sources	Identifiers Online Identifiers Commercial information Internet or Network Information	Affiliates Third parties designated by you Professional advisors Authorities and others Business transferees	Advertising partners (to facilitate online advertising)

Notice to European Users

General

Where this Notice to European users applies. The information provided in this “Notice to European users” section applies only to individuals in the United Kingdom, Switzerland and the European Economic Area (i.e., “Europe” as defined at the top of this Privacy Policy).

Personal information. References to “Personal Information” in this Privacy Policy should be understood to include a reference to “personal data” (as defined in the GDPR) – i.e., information about individuals from which they are either directly identified or can be identified.

Special Categories of Personal Data. References to “special categories of personal data” in this European section of this Privacy Policy should be understood to mean special categories of personal data as defined in the GDPR – i.e. personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Controller. Exodus is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation (i.e., the EU GDPR (opens in a new tab) and the so-called ‘UK GDPR (opens in a new tab)’ (as and where applicable, the “GDPR” and Swiss Federal Act on Data Protection (“FADP”))). See the ‘Contact Information’ section above for our contact details.

Our legal bases for processing

In respect of each of the purposes for which we use your personal information, the GDPR requires us to ensure that we have a “legal basis” for that use.

Our legal bases for processing your personal information described in this Privacy Policy are listed below.

Where we need to perform a contract, we are about to enter into or have entered into with you (“Contractual Necessity”).
Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each Purpose we use your personal information for is set out in the table below.
Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
Where we have your specific consent to carry out the processing for the Purpose in question (“Consent”).

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your personal information – for more information on these Purposes and the data types involved, see ‘How We Use The Personal Data We Collect’ above.

Purpose	Categories of personal information involved	Legal basis
Service delivery, analytics, and operations (incl. service enhancement, personalization, and improvement)	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	Compliance with Law, if we are legally obliged to respond to your request. Consent, in respect to any special categories of personal data we may be processing or optional cookies we may use. Legitimate Interest, in all other cases – our legitimate interests to develop, improve and communicate about our organization.
Marketing	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	Legitimate Interests. We have a legitimate interest in promoting our operations and goals as an organisation and sending marketing communications for that purpose. Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications.
To facilitate connections and engagements with third-party services or applications (incl. third-party API providers)	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	Legitimate Interests – we have a legitimate interest in promoting these promotions and contests, including associated publicising of our business and operations. Consent – in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given promotional communications.
Compliance and protection	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	Compliance with Law. Legitimate interest. Where Compliance with Law is not applicable, we and any relevant third parties have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We and any relevant third parties may also have a legitimate interest of ensuring the protection, maintenance, and enforcement of our and their rights, property, and/or safety.
To create pseudonymous, aggregated, de- identified and/or anonymized data	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	Legitimate interest. We have legitimate interest in understanding what may be of interest to our customers, improving customer relationships and experiences, delivering relevant content to our customers, measuring and understanding the effectiveness of the content we serve to our customers.
Further uses	Any and all data types described in the ‘Information We Collect’ section above as relevant in the circumstances	The original legal basis relied upon, if the relevant further use is compatible with the initial purpose for which the Personal Information was collected. Consent, if the relevant further use is not compatible with the initial purpose for which the personal information was collected.

Retention

We retain personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for Compliance and protection purposes.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal information, we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

Other info

No Automated Decision-Making and Profiling. As part of the Services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects.

Your rights

General. European data protection laws give you certain rights regarding your personal information. If you are located in Europe, you may ask us to take the following actions in relation to your personal information that we hold:

Access. Provide you with information about our processing of your personal information and give you access to your personal information.
Correct. Update or correct inaccuracies in your personal information.
Delete. Delete your personal information where there is no good reason for us continuing to process it - you also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Portability. Port a machine-readable copy of your personal information to you or a third party of your choice.
Restrict. Restrict the processing of your personal information, for example if you want us to establish its accuracy or the reason for processing it.
Object. Object to our processing of your personal information where we are relying on Legitimate Interests – you also have the right to object where we are processing your personal information for direct marketing purposes.
Withdraw Consent. When we use your personal information based on your consent, you have the right to withdraw that consent at any time.

Exercising These Rights. You may submit these requests by email to [email protected] or our postal address provided above. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal information), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Your Right to Lodge a Complaint with your Supervisory Authority. In addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal information, you can make a complaint to the data protection regulator in your habitual place of residence.

For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en (opens in a new tab)
For users in the UK – the contact information for the UK data protection regulator is below: The Information Commissioner’s Office

Water Lane, Wycliffe House

Wilmslow - Cheshire SK9 5AF

Tel. +44 303 123 1113

Website: https://ico.org.uk/make-a-complaint/ (opens in a new tab)
For users in Switzerland – the contact information for the Swiss data protection regulator is below:

Federal Data Protection and Information Commissioner Feldeggweg 1

CH – 3003 Bern

Switzerland

Tel. +41 058 462 43 95

Website: https://www.edoeb.admin.ch/edoeb/en/home/meldeportale.html (opens in a new tab)

Data Processing outside Europe

We are a U.S.-based company and many of our service providers, advisers, partners or other recipients of data are also based in the U.S. This means that, if you use the Service, your personal information will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe.

Where we share your personal information with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it by making sure one of the following mechanisms is implemented:

You may contact us if you want further information on the specific mechanism used by us when transferring your personal information out of Europe. You may have the right to receive a copy of the appropriate safeguards under which your personal information is transferred by contacting us at [email protected].