Legal

Privacy Policy

Last updated: May 6, 2026.

This Privacy Policy explains how Crosspoint Company S.A., a company organized under the laws of the Republic of Panama ("Crosspoint", "we", "us"), processes personal data in connection with the Dara non-custodial wallet, the websites at dara.fi and related subdomains, and any related software and services (collectively, the "Services"). It is incorporated by reference into the Terms of Service.

We have designed Dara to be privacy-preserving by default. Dara is a self-custody wallet: your seed phrase, private keys and biometric data never leave your device and are never transmitted to or accessible by Crosspoint.

1. Data Controller

The data controller responsible for processing personal data described in this policy is:

Crosspoint Company S.A.
Panama City, Republic of Panama
Email: info@dara.fi

For users in the European Economic Area, the United Kingdom or other jurisdictions where local data-protection law applies, you may also direct privacy enquiries to the same email.

2. What stays only on your device

The following sensitive material is generated, stored and used locally on your device only and is not transmitted to Crosspoint:

  • Your BIP-39 seed phrase and derived private keys for every network you use (Bitcoin, Ethereum and EVM chains, Solana, Tron, Litecoin, Dash, Stellar, etc.).
  • Any PIN, passcode, password you set inside the application, including the password used to encrypt an optional cloud backup.
  • Your biometric templates (Face ID, Touch ID, fingerprint, passkey). The application asks the operating system to verify your biometric; the biometric data itself is held by the OS, not by us.
  • The contents of any encrypted cloud backup you choose to enable. Backups are encrypted on your device with a password only you know before being uploaded to your iCloud or Google Drive account; we cannot decrypt them.
  • Local app preferences, address book entries and labels, draft transactions and search history.

3. Data we collect

a. Information you provide

  • Email address, if you sign up for product updates, the waitlist, or contact support.
  • Support correspondence you send us, including any attachments or screenshots you choose to share.
  • Optional profile data if you enable social login through Web3Auth (e.g., the OAuth identifier and email associated with your Google or Apple account). Web3Auth uses this to derive a key share; we receive only the minimum needed to authenticate you.

b. Information collected automatically

  • Device and app data: device model, operating system and version, application version, language, timezone, a randomly generated app-install identifier, and crash and performance logs.
  • Network metadata: IP address (used transiently to deliver responses, for fraud prevention and rate limiting), approximate geolocation derived from IP at country/region level, and HTTP headers.
  • Push notification token issued by Apple Push Notification service or Firebase Cloud Messaging, if you enable notifications.
  • Product analytics events, such as which screens you opened, which features you used and which on-ramp partner you selected. We do not link these events to your seed phrase or private keys.
  • Security signals, such as detection of jailbroken or rooted devices and SSL-pinning failures, used to protect you and our infrastructure.
  • Cookies and similar technologies on our websites for essential functioning and aggregated analytics.

c. On-chain and infrastructure data

Because the Services let you read from and write to public blockchains, the following data is, by the design of those networks, public:

  • Your public wallet addresses on each network, your balances, and the full transaction history associated with those addresses.
  • The transactions you broadcast through Dara's relayer, swap router or directly to a third-party RPC.
  • Any data you sign through WalletConnect sessions or in-app dApp browser sessions, which is delivered to the dApp you connect to.

To display balances, prices and history we query third-party RPC nodes, indexers and price oracles. Those providers see the wallet address being queried and the requesting IP. We minimize identifiers where practical, but we do not control the logging practices of public infrastructure.

d. Data we do not collect

We do not collect, and we have no technical means to collect, your seed phrase, private keys, PIN or biometric data. We do not sell personal data. We do not use your data to train machine-learning models without your separate, opt-in consent.

4. Fiat on-ramp, off-ramp and KYC

If you choose to buy or sell crypto with fiat currency through a partner integrated into Dara (for example, a card on-ramp provider), the partner — not Crosspoint — collects and processes the personal data necessary to provide that service, including identity documents, selfies, address, payment-card or bank details, and tax identifiers required by AML/CFT law. The partner is an independent data controller for that processing, and its own privacy policy and terms apply. Crosspoint does not receive your KYC documents and does not have access to your card or bank credentials. We may receive a transaction reference, status, and the amount and asset purchased, in order to display it to you in the application and to support troubleshooting.

5. How we use personal data

  • Provide the Services — show your balances, render transaction previews, broadcast transactions through relayers, deliver push notifications, sync your encrypted backup.
  • Secure the Services and our users — detect and prevent fraud, abuse, sanctions evasion, account takeover, and attacks against our infrastructure; debug crashes; enforce the Terms of Service.
  • Improve the Services — measure feature usage and stability, evaluate UX changes, and prioritize roadmap.
  • Communicate with you — respond to support enquiries, send essential service messages and, only with your consent, product updates.
  • Comply with law — respond to lawful requests from competent authorities, comply with sanctions screening obligations applicable to us, and defend or establish legal claims.

6. Legal bases (EEA / UK / similar regimes)

Where the General Data Protection Regulation, the UK GDPR, Panama's Law 81 of 2019 on Personal Data Protection or a similar regime applies, we rely on the following legal bases:

  • Performance of a contract with you (the Terms of Service) — to provide the Services you request.
  • Legitimate interests — to keep the Services secure, prevent abuse, debug, and improve the product, balanced against your rights and freedoms.
  • Consent — for optional analytics, marketing communications and any cookies that are not strictly necessary. You may withdraw consent at any time.
  • Compliance with a legal obligation — sanctions screening, response to lawful requests, retention required by law.

7. Sharing with service providers and third parties

We share limited data with vendors who process it on our behalf and on our instructions, under contracts that restrict their use of the data. Categories include:

  • Cloud hosting and content delivery for our backend and websites.
  • Push notifications — Apple and Google (Firebase Cloud Messaging).
  • Crash and performance monitoring — error-reporting providers.
  • Product analytics — analytics providers configured to minimize identifiers.
  • Email delivery for support and waitlist.
  • Sanctions and address-screening providers as required by law.

We also interact with independent third parties whose own privacy policies govern their processing of your data: blockchain RPC and indexer providers; the WalletConnect protocol and any dApp you connect to; hardware wallet manufacturers (such as Ledger); social-login providers integrated through Web3Auth; bridge, swap and aggregator protocols; and fiat on/off-ramp partners and their KYC providers. We may also disclose data to courts, regulators or law-enforcement authorities where we are legally required to do so, and to advisors, acquirers or successors in connection with a corporate transaction (subject to confidentiality).

8. International transfers

Crosspoint operates from Panama and uses providers located in jurisdictions that may include the United States, the European Union, the United Kingdom and others. Where data is transferred from the EEA, UK or similar regime to a country that has not been recognized as offering an adequate level of protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent, together with supplementary measures where required.

9. Retention

We retain personal data only as long as needed for the purposes for which it was collected, plus any period required to comply with law or to establish, exercise or defend legal claims. Indicative retention periods:

  • Email and waitlist data — until you unsubscribe or request deletion, then archived for up to 12 months.
  • Support correspondence — up to 24 months from the last interaction.
  • Crash logs and analytics events — up to 13 months in identifiable form.
  • Security logs (IPs, anti-fraud signals) — up to 24 months.
  • Records required by AML/CFT or other law — for the period mandated by that law.

On-chain data is, by the nature of public blockchains, permanent and outside our control.

10. Your rights

Subject to local law, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion or anonymization; restrict or object to processing; receive a portable copy of data you provided; withdraw consent at any time without affecting prior processing; and lodge a complaint with the competent data-protection authority (in Panama, the Autoridad Nacional de Transparencia y Acceso a la Información — ANTAI; in the EEA, your local supervisory authority). Send requests to info@dara.fi. We may need to verify your identity before responding. Because Dara is non-custodial, we cannot delete on-chain data or anything stored only on your device — uninstalling the application removes local data on your side.

11. Security

We use technical and organizational measures appropriate to the risks, including: on-device storage of secrets in the OS secure enclave / keystore; biometric and PIN gating; client-side encryption of optional backups using a password only you know; SSL/TLS in transit, with certificate pinning in the mobile app; jailbreak / root detection and screen-capture protection; least-privilege access controls and audit logging on our infrastructure; and periodic third-party security review of critical components. No method of transmission or storage is perfectly secure; you must also do your part by protecting your device, your seed phrase and your backup password.

12. Children

The Services are not directed to, and are not intended for, anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact info@dara.fi and we will delete it.

13. Region-specific disclosures

California (US). If you are a California resident, you have rights under the CCPA/CPRA, including the right to know, delete, correct and limit use of sensitive personal information, and the right to opt out of "sale" or "sharing" of personal information. We do not "sell" personal information for money. We do not knowingly process the sensitive personal information of consumers under 16.

EEA / UK. See sections 6, 8 and 10 above. Our representative for Article 27 GDPR purposes will be appointed where required and identified here.

Panama. Processing is conducted in accordance with Law 81 of 2019 on Personal Data Protection and its implementing regulations.

14. Changes to this Policy

We may update this Privacy Policy from time to time. The updated version will be posted with a new "Last updated" date. If changes are material, we will notify you in-app or by email. Continued use of the Services after the effective date of an update constitutes acceptance.

15. Contact

Crosspoint Company S.A.
Panama City, Republic of Panama
Email: info@dara.fi