Privacy Policy of the IOTA Multisig Manager
This privacy policy (“Policy”) explains how IOTA Ecosystem DLT Foundation, a distributed ledger technology foundation based in the Abu Dhabi Global Market, United Arab Emirates, with registration number 15533 and with its registered address at Office No. 1301 & 1302, Floor 13, Tamouh Tower, Tamouh, Al Reem Island, Abu Dhabi, UAE (referred to as “IOTA” or “we/us”), processes personal data when you use the “IOTA EVM Multisig Manager” (the “Service” or the “Website”) and provides information about your rights under applicable data protection laws.
IOTA Ecosystem DLT Foundation is the controller responsible for the processing of personal data obtained through the Website. We are committed to handling your information with transparency and in compliance with the EU General Data Protection Regulation (“GDPR”), and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), where applicable.
We operate core components of the Website using cloud-based servers located within the European Union. The Website frontend is delivered through globally distributed infrastructure providers, which may involve processing of technical data outside the EU/EEA. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.
This Policy may be amended or updated from time to time to reflect changes in technology, legal requirements, or our operations. The latest version will always be available on our Website.
1. Data Controller and Contact
IOTA Ecosystem DLT Foundation
Address: Office No. 1301 & 1302, Floor 13, Tamouh Tower, Tamouh, Al Reem Island, Abu Dhabi, UAE
Email: [email protected]
For any questions, requests, or concerns regarding this Policy or our data protection practices, please contact us using the above details.
2. General Principles of Data Processing
We process personal data only to the extent necessary to provide a functional, secure, and user-friendly Website. Processing activities are carried out only where permitted under applicable data protection law and based on an appropriate legal basis. The applicable legal bases for processing include Article 6(1)(a) of the GDPR (consent); Article 6(1)(b) GDPR (performance of a contract); Article 6(1)(c) GDPR (legal obligations); and Article 6(1)(f) GDPR (legitimate interests).
Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable law. Once the relevant purpose ceases to apply, or statutory retention periods expire, the data will be deleted or anonymised.
3. Processing Activities
3.1 Website Access and Technical Data
When you access the Website, certain technical information is automatically transmitted by your browser or device and temporarily stored in server log files. This information may include your IP address (stored only temporarily and, where possible, anonymised), browser type and version, operating system, referrer URL, date, and time of access. We do not use this data to identify users or to create behavioural or usage profiles.
The processing of this data is technically necessary to enable the display of the Website, ensure system stability and security, and prevent misuse. The legal basis for this processing is Article 6(1)(f) GDPR, which permits processing based on legitimate interest, namely, maintaining the security and functionality of the Website.
The collected log data is not combined with other data sources or used to create user profiles. Log files are stored only as long as necessary and are deleted once they are no longer required, unless retention is required for the investigation of potential security incidents.
3.2 Multisig Configurations and Transaction Proposals
When using the Multisig Manager, multisig configurations and transaction proposals associated with blockchain addresses are stored in order to enable the functionality of the service, including the coordination and execution of multisignature transactions. This information may include wallet addresses, transaction details, and proposal status information necessary for the operation of the Multisig Manager.
The processing of this data is necessary to provide the requested functionality of the service and is carried out based on Article 6(1)(f) GDPR, representing our legitimate interest in ensuring the proper operation, availability, and reliability of the Multisig Manager. We do not link these records to identifiable user accounts or IP addresses and do not use them to identify individual users or to create behavioural profiles.
Stored multisig configurations and transaction proposals are retained only for as long as necessary to maintain the functionality of the service or until they are no longer required for operational purposes, unless retention is required for legal or security reasons.
The Service may allow users to import a wallet by entering a private key into the interface. Any private key entered is processed locally within the user’s browser environment and is not transmitted to, processed by, or stored on servers controlled by IOTA.
3.3 Contact by Email
You may contact us directly via the email address provided on the Website. When you do so, we process the personal data you voluntarily include in your communication, such as your email address and any information contained within the message.
The purpose of processing this information is to handle your inquiry and respond to your message. The processing is carried out based on Article 6(1)(b) GDPR, where it relates to contractual communications, or Article 6(1)(f) GDPR, representing the legitimate interest in maintaining effective correspondence.
We retain your message and related correspondence for up to twelve (12) months after your request has been resolved, unless legal obligations require a longer retention period.
3.4 Necessary Cookies
The Service uses strictly necessary cookies to ensure the technical functionality and security of the Service. These cookies are essential for enabling core features of the Website, such as maintaining session stability, ensuring secure communication with the server, and protecting the Service against misuse or technical errors.
The processing of personal data in connection with necessary cookies is based on Article 6(1)(f) GDPR, reflecting our legitimate interest in providing a functional, stable, and secure Website.
Necessary cookies are stored only for the duration required to ensure the proper functioning of the Website and are automatically deleted once they are no longer required for this purpose.
4. Your Rights
As a user, you have several rights concerning the processing of your personal data under PDPL and GDPR. These include the right to access the personal data we process about you, the right to rectify inaccurate data, and the right to request the erasure of your data under certain conditions. You may also request the restriction of processing or exercise your right to data portability.
Where processing is based on your consent, you may withdraw this consent at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
You also have the right to object to processing based on our legitimate interests. Please note that due to the immutable nature of blockchain technology, we cannot modify or delete data recorded on the IOTA EVM network. The Website does not intentionally store personal data on-chain; however, users should avoid submitting personal data within blockchain transactions, as such information may become permanently publicly accessible. In such cases, we will take reasonable steps to minimise any potential link between such data and an identifiable person.
To exercise any of your rights, you may contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority if you believe that the processing of your personal data violates applicable law.
5. Data Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, misuse, loss, or destruction. These measures include encryption, restricted access controls, and regular security monitoring. However, due to the decentralised and public nature of blockchain networks, we cannot guarantee the deletion or modification of data once it has been recorded on-chain.
6. Changes to this Privacy Policy
We may update this Policy from time to time to reflect legal, technical, or operational developments. The current version is always available on our Website.
Last updated: 6th March 2026