DECOY WALLET
PRIVACY POLICY
Effective Date: May 8, 2026

The Decoy Wallet mobile application and its associated services, software, and content (the "App" or "Services") are owned and operated by Decoy Wallet LLC, a Michigan limited liability company ("Decoy Wallet," "our," "us," "we"). Decoy Wallet has adopted this Privacy Policy ("Privacy Policy") to inform you of the Personal Information it collects when you use the App and to explain how such information is used, shared, and protected. This Privacy Policy applies to all online and mobile interactions with Decoy Wallet owned or operated applications and services. You should contact Decoy Wallet directly with any questions or concerns at support@decoywalletapp.com.

DECOY WALLET MAY CHANGE, MODIFY, AMEND, SUSPEND, TERMINATE, OR REPLACE THIS PRIVACY POLICY FROM TIME TO TIME AND WITHIN ITS SOLE AND ABSOLUTE DISCRETION. YOUR CONTINUED USE OF THE APP AFTER A CHANGE IN THE EFFECTIVE DATE OF THIS PRIVACY POLICY CONSTITUTES YOUR MANIFESTATION OF ASSENT TO THE CHANGE, MODIFICATION, AMENDMENT, OR REPLACEMENT CONTAINED WITHIN.

DEFINITIONS
The following terms apply to this Privacy Policy. Capitalized terms used but not defined herein have the meanings given in the Decoy Wallet Terms of Service Agreement.

California Consumer Privacy Act ("CCPA") means the California statute intended to enhance privacy rights and consumer protection for residents of California, United States.
General Data Protection Regulation ("GDPR") means the European Union law on data protection and privacy applicable to individuals within the EU.
Personal Data means any information relating to an identified or identifiable natural person.
Personal Information under the CCPA means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
"Alert Data" means information generated in connection with the triggering of a Duress PIN or other alert feature, including the time, trigger type, and any location data transmitted in connection with an alert.
"Emergency Contact Data" means the name and phone number (or other contact information) of individuals designated by a Registered User as Emergency Contacts.
"Geolocation Data" means precise, real-time or near-real-time geographic location information of a User, collected through the App.
"Wallet Metadata" means observable blockchain activity data associated with a Wallet Address provided by the User for monitoring purposes, such as transaction activity indicators. Wallet Metadata does not include and Decoy Wallet does not collect private keys, seed phrases, or cryptographic credentials.
"Account" means a Registered User's account with the App.
"Registered User(s)" means Users who have created an Account.
"User(s)" means all individuals that download, install, or access the App, including Registered Users.
"You / Your" refers to the individual User.

TYPES OF PERSONAL INFORMATION WE COLLECT
Decoy Wallet collects the following categories of Personal Information. WE DO NOT COLLECT CRYPTOCURRENCY PRIVATE KEYS, SEED PHRASES, OR WALLET ACCESS CREDENTIALS.

Information Collected from All Users
First and last name;
Email address;
Phone number; and
Any other information you voluntarily submit to the App.

Information Collected from Registered Users
First and last name;
Email address;
Phone number;
Wallet Address (public blockchain address only, used for monitoring purposes; see Wallet Metadata definition);
Payment information, if applicable to subscription or premium features (processed by third-party payment processors);
Duress PIN configuration data (the PIN itself is not stored in recoverable form; only system configuration metadata is retained);
Emergency Contact Data (names and phone numbers of designated Emergency Contacts);
Alert Data, including time, trigger type, and associated location data at time of alert trigger; and
Any other information that you upload or submit to the App directly or indirectly.

Geolocation Data
Decoy Wallet collects precise Geolocation Data when the alert features are active or when an alert is triggered. Specifically:
WHY COLLECTED: Geolocation Data is collected to enable the transmission of your location to designated Emergency Contacts in connection with an alert trigger.
WHEN TRIGGERED: Geolocation collection is triggered upon activation of the Duress PIN feature or other alert trigger, and may be collected on a continuous basis while alert mode is active.
RETENTION: Decoy Wallet does not store Geolocation Data on its backend servers. Location information transmitted in connection with an alert is processed in real time and delivered directly to designated Emergency Contacts as an instantaneous payload. No Geolocation Data is retained in Decoy Wallet's systems following delivery. Any transient processing of Geolocation Data that occurs in connection with alert delivery does not persist beyond the time technically necessary for transmission, which in no event exceeds 30 minutes. Geolocation Data is not retained for marketing purposes.
DELETION: Because Geolocation Data is not stored on Decoy Wallet's backend, there is no Geolocation Data to delete following an alert event. If you believe Geolocation Data has been retained in error, please contact us at support@decoywalletapp.com.
MINIMIZATION: Decoy Wallet limits the collection of Geolocation Data to what is reasonably necessary for the alert and safety features described in this Privacy Policy.

Device and Technical Information
Decoy Wallet collects the following information automatically from all Users:
IP address;
Device type, operating system version, and device identifiers;
App version and usage data;
Push notification tokens (used for delivery of alert notifications and subscription payment confirmations and reminders);
App usage analytics, including features accessed, session duration, and alert trigger frequency; and
Crash logs and error reports used for debugging and service improvement.

PURPOSE OF COLLECTION
Decoy Wallet collects Personal Information for the following specific purposes:
To create and maintain your Account;
To detect potential duress scenarios and trigger the appropriate alert flow based on your configuration;
To transmit alerts, including location data, to your designated Emergency Contacts when an alert is triggered;
To monitor Wallet Address activity and generate alerts based on wallet activity triggers you configure;
To facilitate the Emergency Contact consent and invitation flow, including sending opt-in messages to designated Emergency Contacts;
To deliver SMS and push notifications in connection with the Services;
To send subscription payment confirmations and upcoming payment reminders;
To communicate with you about your Account, including transactional and service-related messages;
To maintain the security and integrity of the App and Services;
To comply with applicable legal obligations; and
To improve the App and Services through analytics and performance monitoring.

Decoy Wallet does NOT use your Personal Information, including Geolocation Data or Alert Data, for advertising, behavioral profiling, or marketing purposes without your separate consent.

NO CUSTODY; NO ACCESS TO WALLET CREDENTIALS
Decoy Wallet does not collect, store, access, transmit, or have any knowledge of your cryptocurrency private keys, seed phrases, wallet passwords, or any cryptographic credentials. The collection of a Wallet Address for monitoring purposes does not give Decoy Wallet any control over, access to, or custody of any digital assets associated with that address. Wallet Metadata collected by Decoy Wallet is limited to observable blockchain activity data and does not constitute financial account information.

EMERGENCY CONTACT DATA; THIRD-PARTY CONSENT
When you designate Emergency Contacts, Decoy Wallet collects and stores the names and phone numbers (or other contact information) that you provide. This information is used solely to:
Facilitate the Emergency Contact consent and invitation process;
Deliver alert messages to designated Emergency Contacts when an alert is triggered; and
Maintain records of consent status for each Emergency Contact.

Emergency Contact Data is not used for marketing, profiling, or any purpose other than the delivery of alerts and consent management.

EMERGENCY CONTACTS MUST INDEPENDENTLY CONSENT TO RECEIVE AUTOMATED MESSAGES BEFORE ANY DATA IS USED TO CONTACT THEM. Until an Emergency Contact has completed the consent process, their contact information is retained only for the purpose of facilitating consent and no messages will be sent.

Emergency Contacts may withdraw consent at any time. Upon withdrawal, Decoy Wallet will cease transmitting alerts to that individual and will delete their contact information upon request.

SOURCES OF PERSONAL INFORMATION COLLECTION
Decoy Wallet collects Personal Information from you through the following channels: through your voluntary submission of information when creating an Account or configuring the App; through automated collection in connection with your use of the App (device data, usage analytics); through alert trigger events (Alert Data, Geolocation Data); and through the Emergency Contact consent flow.

COOKIES AND SIMILAR TECHNOLOGIES
As a mobile application, the App does not use browser-based cookies. The App may use similar technologies, including device identifiers, push notification tokens, and local storage, for the following purposes:
To maintain your session and Account authentication;
To deliver push notifications related to alert events and subscription reminders; and
To collect analytics data about App usage.

You may manage device-level permissions and notification settings through your mobile device's operating system settings.

Decoy Wallet also operates a website at www.decoywalletapp.com (the "Website"). The Website uses cookies and similar tracking technologies separately from the App. The collection, use, and management of cookies on the Website is governed exclusively by the Decoy Wallet Cookie Policy, which is incorporated herein by reference and available at www.decoywalletapp.com/cookie-policy. The Cookie Policy describes the categories of cookies used on the Website, the specific third-party tools deployed, your opt-out rights and mechanisms, and how to manage your cookie preferences through your browser settings. By using the Website, you acknowledge that your use of the Website is subject to both this Privacy Policy and the Cookie Policy.

For the avoidance of doubt, this Privacy Policy governs the collection and use of Personal Information through the App. The Cookie Policy governs tracking technologies deployed through the Website. To the extent any conflict exists between the two documents with respect to Website cookie practices, the Cookie Policy controls.

SHARING OF YOUR PERSONAL INFORMATION
Decoy Wallet shares your Personal Information with third parties in the following circumstances:
Where Decoy Wallet has obtained your consent;
With your designated Emergency Contacts, as necessary to deliver alerts pursuant to the App's alert features, including transmission of Alert Data and Geolocation Data;
With SMS carriers, messaging platforms, and related service providers as necessary to deliver alert messages to Emergency Contacts;
With emergency services intermediaries, if and when such integration is implemented, solely for the purpose of facilitating emergency services contact;
Where sharing is necessary to provide you with the App and associated Services, with trusted third-party providers who assist in operating the App;
Where sharing is required to respond to requests by government authorities, court orders, or subpoenas;
Where sharing is needed to protect the rights, property, or safety of Decoy Wallet, its users, or others; and
Where Decoy Wallet is otherwise legally obligated to share your Personal Information.

Third-Party Service Providers
Decoy Wallet shares Personal Information with the following categories of third-party service providers:
SMS and wireless messaging providers (for alert delivery);
Cloud hosting and infrastructure providers;
Payment processors (if applicable for subscription features);
Analytics providers; and
Emergency services integration providers (if and when implemented).

A current list of third-party service providers is available upon request at support@decoywalletapp.com.

SENSITIVE DATA HANDLING; GEOLOCATION
Geolocation Data and Emergency Contact Data are treated as sensitive categories of Personal Information. In addition to the disclosures above, Decoy Wallet commits to the following:
Geolocation Data will not be shared with any third party other than designated Emergency Contacts and, where implemented, emergency services intermediaries;
Geolocation Data will not be used for advertising, behavioral targeting, or marketing purposes; and
Decoy Wallet will implement reasonable technical and organizational measures to protect Geolocation Data and Emergency Contact Data from unauthorized access or disclosure.

PUSH NOTIFICATIONS
We may send push notifications to Users for the following purposes:
To deliver alert notifications related to Duress PIN triggers or wallet activity alerts;
To notify Users of Emergency Contact consent status changes;
To send subscription payment confirmations and upcoming payment reminders; and
To communicate transactional information related to your Account.

Users may manage push notification settings through their device settings. PLEASE NOTE: Disabling push notifications for the App may prevent delivery of critical alert notifications, which is a core safety feature of the Services. You should carefully consider the implications of disabling alerts before doing so.

DATA MINIMIZATION AND RETENTION
Decoy Wallet is committed to data minimization. We collect only the categories of Personal Information that are reasonably necessary to provide the Services. Specifically:
Geolocation Data: Decoy Wallet does not store Geolocation Data on its backend servers. Location information is transmitted as an instantaneous real-time payload to designated Emergency Contacts and is not retained following delivery. Any transient processing buffer associated with alert transmission does not persist beyond 30 minutes and is purged upon completion of delivery.
Emergency Contact Data is retained only for the duration of the Emergency Contact relationship and is deleted upon request following removal or consent withdrawal.
Alert Data (trigger logs) is retained for security, compliance, and dispute resolution purposes for a period not to exceed 24 months.
Wallet Metadata is retained only for the period during which active monitoring is configured and for a reasonable period thereafter.
Account data is retained for the duration of the Account relationship and for any period required by applicable law.

PERSONAL INFORMATION SECURITY
Decoy Wallet implements reasonable administrative, technical, and organizational safeguards designed to protect your Personal Information from unauthorized access, use, disclosure, alteration, or destruction. These measures include, without limitation, encryption of data in transit and at rest, access controls, and security monitoring.

NO SECURITY SYSTEM IS COMPLETELY SECURE. DECOY WALLET DOES NOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR PERSONAL INFORMATION. YOU PROVIDE ALL INFORMATION AT YOUR OWN RISK.

PERSONAL INFORMATION TRANSFER AND STORAGE
Your Personal Information is stored and processed on computers and servers in the United States. Decoy Wallet applies the same protections described in this Privacy Policy regardless of where your information is stored and processed. Through your use of the App, you consent to the processing and storage of your Personal Information in the United States.

Decoy Wallet retains Personal Information in accordance with the data minimization and retention schedule described above. Upon Account deletion, Decoy Wallet will delete your Personal Information consistent with applicable law, subject to retention of information required for compliance, legal, or dispute resolution purposes.

EU USERS' RIGHTS UNDER THE GDPR
The GDPR provides Users located in the EU with certain rights with respect to their Personal Data. Decoy Wallet recognizes and will comply with the GDPR and those rights, except as limited by applicable law. The rights under the GDPR include:
Right of Access: The right to obtain your Personal Data and information about how it is processed.
Right of Rectification: The right to correct inaccurate Personal Data.
Right of Erasure ("Right to be Forgotten"): The right to have your Personal Data deleted.
Right to Restriction of Processing: The right to request restriction of how your Personal Data is used.
Right to Data Portability: The right to receive your Personal Data in a structured, readable format.
Right to Object: The right to object to processing of your Personal Data.
Right to not be Subject to Automated Decision-Making.

CALIFORNIA USERS' RIGHTS
Under the CCPA, California Users have the following rights:
Right to Know About Personal Information Collected, Disclosed, or Sold.
Right to Have Personal Information Deleted.
Right to Know About Sensitive Personal Information (including Geolocation Data): You have the right to know how Decoy Wallet collects, uses, and shares your Geolocation Data and other sensitive categories of Personal Information.
Right to Limit Use of Sensitive Personal Information: To the extent applicable under California law, you have the right to request that Decoy Wallet limit the use of your sensitive Personal Information, including Geolocation Data, to uses necessary to perform the requested services.
Right to Opt-Out of the Sale of Personal Information: Decoy Wallet does not sell Personal Information.
Right to Non-Discrimination.
Right to Correction.

To exercise your rights under the CCPA, please contact Decoy Wallet at support@decoywalletapp.com. Decoy Wallet will verify requests by ensuring they are associated with a Registered User account.

SUPPLEMENTAL NOTICE FOR RESIDENTS OF OTHER US STATES
Residents of Colorado, Virginia, Connecticut, and other states with applicable privacy laws may have rights regarding their Personal Information, including rights to access, correct, delete, and port their Personal Information, and to opt out of profiling. Decoy Wallet does not engage in profiling that produces legal or similarly significant effects.

Given the sensitive nature of Geolocation Data collected by Decoy Wallet, residents of states that specifically regulate precise geolocation data (including California, Colorado, Virginia, Washington, and others) are encouraged to review the Geolocation Data section of this Privacy Policy and to contact Decoy Wallet with any questions about the collection, use, or retention of their location information.

NOTICE FOR NEVADA RESIDENTS
Under Nevada law, certain Nevada consumers may opt out of the sale of Personal Information for monetary consideration. Decoy Wallet does not engage in such activity; however, if you are a Nevada resident you may submit an opt-out request to support@decoywalletapp.com.

NO LIABILITY FOR THIRD-PARTY WEBSITES AND SERVICES
Third-party service providers used by Decoy Wallet, including SMS carriers, emergency services intermediaries, and analytics providers, have their own independent privacy policies. Decoy Wallet is not responsible for the data practices of third-party service providers. We encourage you to review applicable third-party privacy policies.

PURCHASE OR SALE OF THE APP OR OTHER ASSETS
Decoy Wallet may purchase other businesses or sell components of its business. In the event of such a transaction, your Personal Information will continue to be used consistent with the terms of this Privacy Policy.

HOW TO STOP DECOY WALLET FROM COLLECTING YOUR PERSONAL INFORMATION
You can request that Decoy Wallet stop collecting your Personal Information by contacting us at support@decoywalletapp.com and requesting deletion of your Account. You may also adjust your device settings to limit or disable location services and push notifications for the App.

PLEASE NOTE: Disabling location services will prevent the App from transmitting Geolocation Data to Emergency Contacts in the event of an alert. This may materially impair the core safety functionality of the App.

YOUR OBLIGATIONS
When using the App, you are obligated to inform Decoy Wallet of any changes to your Personal Information. You are also responsible for ensuring that the information you provide regarding Emergency Contacts is accurate and current.

CHILDREN'S ONLINE PRIVACY PROTECTION POLICY
The App is not intended for or directed to users under the age of 18, and Decoy Wallet does not knowingly collect Personal Information from children under the age of 13. If you believe Personal Information has been inadvertently collected from a child, please contact us immediately so appropriate steps may be taken.

CONTACT AND NOTICES
All questions and concerns regarding this Privacy Policy may be submitted to Decoy Wallet at:

Decoy Wallet LLC
2222 W. Grand River Ave Ste A
Okemos, MI 48864
support@decoywalletapp.com