Introduction

iDen2 Inc. ("iDen2," "we," "us," or "our") provides a suite of self-sovereign identity platforms and services, including the iDen2 platform (website at https://iden2.com and associated mobile/desktop applications), the Phenix ID platform, and other related project initiatives and hosted services (together, the "Services"). This Global Privacy Policy (this "Policy") explains how we collect, use, disclose, and protect personal information, and the rights and choices available to individuals worldwide.

This Policy applies to personal information we process as a controller (or "business") about visitors to our Website, users of our App and other project initiatives, and others who interact with us. It does not apply to the contents of the verifiable credentials and identity data that you create and control yourself, which we do not access, as explained below.

Summary. iDen2 is built on a self-sovereign, data-minimizing model. You control your identity keys and credentials; we do not hold them. The personal information we process — mostly account, device, and website-analytics data — is limited, and you have robust rights over it regardless of where you live.

2. Our Self-Sovereign, Data-Minimizing Approach

The iDen2 platform is designed so that you, and not iDen2, generate and control your cryptographic keys, seed phrases, and verifiable credentials. As a result:

• We do not take custody of, store, escrow, or have access to your private keys, seed phrases, or recovery phrases.

• We do not have access to the unencrypted contents of your verifiable credentials or the personal data they contain.

• Because we do not hold this information, we cannot recover it for you, and it is generally outside the scope of the personal information we process about you under this Policy.

We design our Services around the principles of data minimization and privacy by design and by default, collecting only the limited personal information described below.

3. Information We Collect

3.1 Information you provide to us

• Account information — when you create an account or register the App, such as your email address, username, and authentication settings.

• Communications — information you provide when you contact us for support, complete a form on our Website, or correspond with us.

3.2 Information collected automatically from the App

• Device and technical data — device identifiers, device model and operating system, app version, language settings, and similar technical information.

• Diagnostics and usage data — crash logs, error reports, performance data, and aggregated usage events used to operate and improve the App.

3.3 Information collected automatically from the Website

• Analytics and cookies — IP address, browser type, pages viewed, referring URLs, and interactions, collected through cookies and similar technologies (see Section 7).

3.4 Information we do NOT collect

We do not collect or have access to your private keys, seed phrases, recovery phrases, or the unencrypted contents of your verifiable credentials. We do not require you to provide sensitive personal information to use the core Services, and we ask that you do not send us such information except where strictly necessary.

3.5 Face Data

We do not retain, store, or have access to your face data. If you use biometric authentication (such as FaceID or similar features) to unlock the App, this data is processed exclusively on your device by your device's operating system. We do not collect, transmit, or store this data on our servers. Consequently, there is no retention period for face data, and we do not share this data with any third parties. No third-party services used by our application have access to or store your face data.

4. How We Use Personal Information

We use personal information for the following purposes:

• To provide, operate, maintain, and secure the Services, including authentication and account management;

• To diagnose problems, debug, and improve the performance, features, and reliability of the Services;

• To communicate with you, respond to inquiries, and provide customer support;

• To understand how the Website and App are used through analytics, in order to improve them;

• To protect against, investigate, and deter fraud, abuse, security incidents, and unlawful activity;

• To comply with legal obligations and enforce our terms and agreements; and

• With your consent, to send you marketing communications, which you can opt out of at any time.

5. Legal Bases for Processing (EEA/UK)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

Purpose Legal Basis Providing and securing the Services; account management Performance of a contract (Art. 6(1)(b)) Analytics, product improvement, fraud prevention, network and information security Legitimate interests (Art. 6(1)(f)) Marketing communications; non-essential cookies Consent (Art. 6(1)(a)) Compliance with legal obligations Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, you may object as described in Section 11. Where we rely on consent, you may withdraw it at any time without affecting prior processing.

6. Cookies and Similar Technologies

Our Website uses cookies and similar technologies for essential functionality, analytics, and (where applicable) marketing. Essential cookies are necessary for the Website to function. Non-essential cookies are used only with your consent where required by law.

You can manage cookies through our cookie banner or preference center and through your browser settings. For more detail, see our Cookie Policy at https://iden2.com/cookies. We honor recognized opt-out preference signals (such as Global Privacy Control) where required by law.

7. How We Share Personal Information

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under US state privacy laws. We disclose personal information only as follows:

• Service providers / processors — vendors that host infrastructure, provide analytics, deliver communications, or support our operations, under contracts that restrict their use of the information;

• Legal and safety — where required by law, legal process, or to protect the rights, safety, and security of iDen2, our users, or the public;

• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy;

• With your direction or consent — including any third parties you choose to interact with through the Services.

8. International Data Transfers

iDen2 operates globally, and personal information may be processed in the United States and other countries that may have different data-protection laws than your country of residence. Where we transfer personal information from the EEA, the UK, or Switzerland to countries not deemed adequate, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), together with supplementary measures where needed. You may request a copy of the relevant safeguards using the contact details in Section 17.

9. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed, we delete or anonymize it. Because we do not hold your keys or credentials, those remain under your control and are not subject to our retention practices.

10. Data Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, and alteration, including encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure, and you are responsible for safeguarding your own devices, keys, and recovery phrases, which we cannot recover.

11. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights regarding your personal information. We honor these rights in accordance with applicable law and do not discriminate against you for exercising them.

11.1 EEA, UK, and Switzerland (GDPR)

You have the rights to access, rectify, erase, restrict, and object to processing, the right to data portability, and the right to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority.

11.2 United States (California and other states)

Subject to applicable state laws (including the California Consumer Privacy Act as amended by the CPRA, and laws in Virginia, Colorado, Connecticut, Utah, Texas, and other states), you may have the rights to know/access, delete, correct, and obtain a portable copy of your personal information, and to opt out of the "sale" or "sharing" of personal information and certain profiling. iDen2 does not sell or share personal information as defined by these laws. California residents may also designate an authorized agent and have the right to limit the use of sensitive personal information, which we do not use for purposes requiring such a limit.

The categories of personal information we collect, the sources, purposes, and disclosures are described in Sections 3, 4, and 7 of this Policy and serve as our notice at collection.

11.3 Canada (PIPEDA)

You may request access to and correction of your personal information and may withdraw consent, subject to legal and contractual restrictions. You may also contact the Office of the Privacy Commissioner of Canada.

11.4 Brazil (LGPD)

You have the rights to confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, and to withdraw consent, as provided under the Lei Geral de Proteção de Dados.

11.5 Other jurisdictions

If you are located in another jurisdiction with applicable data-protection laws (including Australia, Japan, South Korea, South Africa, and others), you may have similar rights. We will respond to verified requests in accordance with applicable law.

12. How to Exercise Your Rights

To exercise any of your rights, contact us at privacy@iden2.com or through any mechanism we provide in the App or on the Website. We will verify your identity before responding and will reply within the timeframes required by applicable law. You may use an authorized agent where permitted. If we decline a request, we will explain why, and you may appeal where the law provides an appeal right.

13. Children's Privacy

The Services are not directed to children under the age of 16 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

14. Third-Party Links and Services

The Services may link to or interoperate with third-party websites, networks, issuers, and relying parties that we do not control. This Policy does not apply to those third parties, and we encourage you to review their privacy notices.

15. Automated Decision-Making

We do not use your personal information to make decisions that produce legal or similarly significant effects about you based solely on automated processing, without human involvement, except where permitted by law and disclosed to you.

16. Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new "Last Updated" date and, where required, provide additional notice or obtain your consent. Your continued use of the Services after the changes take effect constitutes acceptance of the updated Policy.

17. Contact Us

Controller: iDen2 Inc., United States.
Privacy contact: privacy@iden2.com
Support: no-reply@phenix-id.com