Last Revised on September 8, 2025

This Privacy Policy (“Policy”) for the Morpho Association, a French association, and its related companies (“Association,” “we”, “our”, or “us”) describes the basis on which we may use and process personal information we may collect from users of the Association’s website (morpho.org), the various web apps hosted at that website (including but not limited to app.morpho.org) (morpho.org and such apps collectively referred to as “Sites”), and any tools, products, services, features, and functionalities available through the Sites (collectively, the “Services”), in accordance with applicable law. For purposes of applicable data protection laws, the Association is the data controller/business. For the purposes of this Policy, “you” and “your” refers to you as the user of the Services.

Read this Policy carefully so that you understand why and how we collect and use your personal data (hereinafter referred to as “Personal Information”). If you do not agree to this Policy, do not use, access, connect to, interact with, or download any of the Services or otherwise provide your information to us.

When you access, use, connect to, or interact with the Sites and/or Services, we may collect certain categories of information about you, including personal data, from a variety of sources.

Information you provide to us:

• Personal data may include (i) any digital-asset, smart-contract, or protocol address (“Wallet”) information, associations, and/or identifiers; (ii) geolocation data; and (iii) any information you may provide in connection with submitting a job application for any position with the Association.
• When connecting your Wallet to the Sites, the Association may view, access, and/or collect your publicly-available blockchain address and are able to read publicly available information, including without limitation, your blockchain data or history (such as your blockchain transaction history and other information associated with a linked address or Wallet), certain information needed to transfer or allocate tokens, token holdings, and any other information collected through the Services. 
• Should you contact us through email, social media, or other support channels like X formerly known as Twitter, Discord, or Telegram, or engage in surveys or questionnaires, we will collect the content of the communications we have with you and any personal data contained within. Your interaction with these channels would be in accordance with the privacy policy of such companies. We are not affiliated with these companies. 

We process this information to perform our contract with you, such as to provide you with our Services. In addition, we may collect and use your personal information to process and evaluate your job application, verify your identity and qualifications, and comply with legal obligations such as confirming your eligibility to work. This includes communicating with you, conducting interviews and background checks, and potentially considering you for other suitable roles. Where permitted, we may also use your information to improve our recruitment process and inform you of future opportunities.

Information we collect automatically:

When you visit certain pages on our Sites or access, use, connect to, or interact with certain Services, our servers may collect the following information: (i) any internet-protocol address (“IP Address”)of the requesting computer or device; (ii) the date and time of access; (iii) the country from which the Sites are accessed; (iv) any API endpoint; (v) cookies and/or web beacons; and (vi) information from localStorage and/or mobile deviceID.

The processing of this data is carried out for the business purpose of enabling your access to, use of, connection to, and interaction with the Services, including (i) to facilitate your connection to the Sites, and/or (ii) to identify if you are likely to be a Prohibited Person, as defined in our general Terms of Service, available at https://morpho.org/terms-of-use/, or if you are subject to any prohibitions with respect to the Services. Each case with respect to any of (i), and/or (ii) is in order for us to perform our contract with you and in our legitimate interests to provide effective Services to you.

We may also process this data in our legitimate interests to provide effective Services to you by processing the data to assist system security and stability for provision of the Services, to conduct troubleshooting, data analytics, testing, and research, and to enable optimization and internal statistical analysis with respect to the Services, as well as to maintain the safety and security of our users, the Sites, our Services (e.g., protect against, investigate, and stop fraudulent, unauthorized, or illegal activity) and to improve and develop our Services and Sites. 

Finally, the Association may use cookies, web beacons/clear gifs, geolocation and tracking technologies, and other applications when you visit the Sites, including technologies collecting certain information about your access to, use of, connection to, or interaction with the Services (“Usage Data”) that may be integrated with third-party service providers.

With your consent, we may use any data collected, including Usage Data, to tailor features and content to you and to ensure content is presented in the most effective manner for you and your device and to run analytics and better understand your user experience with respect to the Services and, if you have opted into marketing, for marketing purposes.

We may also use your information to provide the Services and perform our contract with you. 

In addition to the foregoing, we may use any of your information to comply with any applicable legal obligations, to enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.

Information we may collect from third-party wallet extensions or connections:

Certain transactions conducted via our Services may require you to connect a compatible third-party digital Wallet to the Services. By using such Wallet to conduct such transactions via the Services, you agree that your access to, use of, connection to, and/or interactions with such third-party Wallets are governed by the privacy policy for the applicable Wallet, and you agree that you are using the Wallet in accordance with the terms and conditions of the applicable third-party provider of such Wallet.

Wallets are not maintained or supported by, or associated or affiliated with, the Association. We expressly disclaim any and all liability for actions arising from your use of third-party Wallets, including without limitation, actions relating to the use and/or disclosure of personal information by such third-party Wallets.

Under applicable data protection laws, including without limitation GDPR, UK GDPR, and U.S. state privacy laws, you may have certain rights in relation to your personal data. You can exercise these rights by writing to us using the contact details below. For this matter we may ask you to provide us with additional information or documents to prove your identity. These rights may include the following:

1. Access to your personal data that the Association holds, and information on how we use it and who we share it with;
2. Correction of your personal data that the Association holds;
3. Deletion or removal of your personal data (“Right to be Forgotten”), in certain circumstances;
4. Objection and restriction of processing of your personal data, to stop us from processing the personal data we hold about you other than for storage purposes, in certain circumstances; 
5. Right to file a complaint to a competent supervisory authority, under GDPR article 77, if you consider that the processing of your personal data constitutes breach of applicable regulations;
6. Right to define instructions related to the retention, deletion and communication of your personal data after your death (article 40-1 of French law “informatique et libertés”);
7. Portability of your personal data; the Association will endeavor to provide you, or a third party, with a copy of the personal data that we hold about you and transfer it to a third party in a structured, commonly used, machine-readable format;
8. Objection to marketing communications; you may opt out of any marketing communications at any time by using any unsubscribe or opt-out functionalities displayed in any such communications to you;
9. Notice of a personal data breach (unless the breach is unlikely to be prejudicial to you);
10. Withdrawal of consent, where the Association is relying on consent to process personal data; this will not affect the processing of personal data carried out before consent is withdrawn or on legal bases other than consent.
11. Right to appeal. Depending on your state of residence in the U.S., you may be able to appeal our decision to your request regarding your personal information. 

In certain circumstances, we may disclose your information with third parties with your consent, as necessary, or as otherwise required or permitted by law. Specifically, we may disclose your personal data:

• To service providers and vendors: The Association may share your personal data with third parties to process on the Association’s behalf. Such third parties could include blockchain analysis service providers, screening service providers, developers, content delivery service providers, and data analytics service providers. Such service providers may assist us with many different functions and tasks, including determining your eligibility with respect to participation in certain Services.
• To professional advisors, in our legitimate interests or as required by law: As necessary, we will share your personal data with professional advisors such as auditors, law firms, cybersecurity specialists, data analysis associations, and/or consulting or accounting firms.
• For legal and security reasons and to protect our services and business, in our legitimate interests or as required by law.
• To law enforcement and regulatory authorities, in order to comply with applicable legal and regulatory requirements, respond to mandatory legal or governmental requests or demands for information.
• To our affiliates, in our legitimate interests: We may disclose your personal data with companies within our corporate family.
• In connection with an asset sale or purchase, merger, bankruptcy, or other business transaction or re-organization, in our legitimate interests: We will disclose your personal data with relevant third parties as necessary while negotiating or in relation to a change of corporate control such as a restructuring, merger, or sale of our assets.

Your personal information may be transferred to and stored or processed in countries outside the jurisdiction in which you live and reside, including outside the European Economic Area (“EEA”) and United Kingdom (“UK”), and including to the U.S., in order to provide the Services. Your personal information may also be processed by staff operating outside the UK/EEA who work for us or for third-party service providers or partners. We will take steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this Policy and applicable data protection laws. Should we transfer your personal information to third parties located outside the EEA/UK, we will seek to put in place appropriate safeguards to ensure that this transfer occurs in accordance with applicable data protection laws. These measures include seeking entry into the standard contractual clauses (“SCCs”) approved by the European Commission (for transfers outside the EEA) and/or an international data transfer agreement/addendum to the SCCs approved by the UK Information Commissioner’s Office (“ICO”) (for transfers outside the UK), unless the data transfer is to a country that has been determined by the European Commission or the relevant UK authorities, as applicable, to provide an adequate level of protection for individuals’ rights and freedoms for their personal data.

We will retain your personal data only for so long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements, or as otherwise required by law. The length of time we retain your data will depend on the nature of the data and the purpose for which it was processed. We expect to delete your personal data (at the latest) once there is no longer any legal or regulatory requirement or legitimate business purpose for retaining your data.

Persons under the age of eighteen (18) are not permitted to use the Services, and we do not seek to or knowingly collect any personal data about children under thirteen (13) years of age (or sixteen (16) years of age for individuals in the EEA/UK). If we become aware that we have unknowingly collected information about any person under eighteen (18) years of age, we will make commercially reasonable efforts to delete such personal data and other information from our records.

We take reasonable steps to protect your Personal Information from misuse, loss, unauthorised access, modification or disclosure, including implementing appropriate security measures. The security measures in place will, from time to time, be reviewed in line with legal and technical developments. However, we give no guarantee that such misuse, loss, unauthorised access, modification or disclosure will not occur. You are responsible for all of your activity on the Services, including the security of your blockchain network addresses, cryptocurrency wallets, and their cryptographic keys.

There may be links from our Sites to other websites and resources provided by third parties. This Privacy Policy applies only to our Sites. Accessing those third-party websites or sources requires you to leave our Sites. We do not control those third-party sites or any of the content contained therein and you agree that we are in no circumstances responsible or liable for any of those third-party sites, including, without limitation, their content, policies, failures, promotions, products, services or actions and/or any damages, losses, failures or problems caused by, related to or arising from those sites. We encourage you to review all policies, rules, terms and regulations, including the privacy policies, of each site that you visit.

We may modify the Policy at any time, in particular in order to comply with any regulatory, jurisprudential, editorial or technical change. These modifications will apply on the date of entry into force of the modified version. The date the Policy was last updated is identified at the top of this page.

Should you have any questions or complaints about our privacy or data-protection practices, your personal data, or this Policy, you can email us at contact@morpho.org.