
BILLS ON CHAIN

Privacy Policy

Reward Platform on Hedera Blockchain

Effective Date: 16-05-2026

Last Updated: 16-05-2026

Version 1.0

⚠ DRAFT NOTICE

This Privacy Policy is a structured draft prepared for review by qualified legal counsel. All placeholders shown in [BRACKETS] must be completed, and the document must be reviewed for compliance with applicable data protection laws in every jurisdiction where Bills on Chain operates or serves users — including, where applicable, the Indian Digital Personal Data Protection Act, 2023; the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021); the EU General Data Protection Regulation; and applicable US state privacy laws — before publication.

Introduction

STRING FINTECH HK LTD. ("Company", "we", "us", or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes the types of personal information we collect when you use the Bills on Chain platform, including the website located at https://billsonchain.io/, the Bills on Chain mobile and web applications, and all related services (collectively, the "Services"); how we use, share, store, and protect that information; the choices and rights available to you; and how you can contact us about our privacy practices.

This Privacy Policy applies to personal information we obtain through your interactions with the Services, including when you register an Account, upload bills or receipts, redeem Reward Points for $IDLE tokens, connect a wallet, communicate with us, or otherwise engage with the Platform.

This Privacy Policy is incorporated by reference into the Bills on Chain Terms & Conditions. Capitalized terms not defined herein have the meanings given to them in the Terms & Conditions.

Quick Navigation

  • 1. Information We Collect
  • 2. Information Collected Automatically
  • 3. How We Use Your Information
  • 4. Use of AI and Automated Processing
  • 5. Blockchain Data and On-Chain Transactions
  • 6. How We Share Your Information
  • 7. Cross-Border Data Transfers
  • 8. Your Rights and Choices
  • 9. Data Retention
  • 10. How We Protect Your Information
  • 11. Children's Privacy
  • 12. Third-Party Services and Links
  • 13. Updates to This Privacy Policy
  • 14. How to Contact Us

1. Information We Collect

The categories of personal information we may collect about you depend on how you interact with the Services. They include:

1.1 Information You Provide Directly

  • Contact information: your name, email address, phone number, postal/ZIP code, country of residence, and similar details you provide during Account registration or communications;
  • Account credentials: username, password (stored in hashed form), security questions, and recovery information;
  • Profile and demographic information: where you choose to provide it — for example, age or date of birth, gender, occupation, language preferences;
  • Bill and receipt data: images of bills or receipts you upload, and the information extracted from them, including the seller or merchant name, items purchased, prices, total amount, transaction date, payment method (where visible), and any other details printed on the bill;
  • Wallet and blockchain identifiers: the Hedera Hashgraph wallet address (and, if applicable, other blockchain wallet addresses) you provide to receive $IDLE tokens or hold NFTs;
  • Reward and redemption history: Reward Points earned, redemptions requested, $IDLE token amounts and timestamps, and associated transaction references;
  • Identity verification information: where required for regulatory compliance, including KYC/AML checks, we may collect government-issued identification, proof of address, photographs, and similar verification data;
  • Communications: messages, support requests, survey responses, feedback, and any other communications you send to us;
  • Other information you choose to provide: for example, responses to questionnaires, social media handles, or referral information.

1.2 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Identity verification and fraud prevention service providers;
  • Authentication providers (for example, if you sign in using a third-party single sign-on service);
  • Payment, wallet, or blockchain infrastructure providers, where you interact with them in connection with the Services;
  • Advertising and analytics partners, in accordance with their own privacy notices;
  • Public sources, such as publicly available blockchain data.

2. Information Collected Automatically

When you use the Services, we and our service providers may collect certain information through automated means, including cookies, pixel tags, web beacons, software development kits (SDKs), device logs, server logs, and similar technologies. The information collected in this manner may include:

  • Device information: device type, model, operating system and version, unique device identifiers, mobile network information, language and time zone settings, screen resolution, and battery status;
  • Connection and network information: IP address, internet service provider, WiFi network identifier, and signal strength;
  • Browser information: browser type and version, browser settings, and referring URLs;
  • Usage information: pages, features, and screens you view, actions you take within the Services, clickstream data, search queries, dates and times of usage, frequency of use, and performance and diagnostic data;
  • Geolocation information: approximate location derived from your IP address, and — only with your explicit permission — precise geolocation derived from GPS, Bluetooth, WiFi, or similar signals. You may disable precise geolocation through your device settings, though doing so may limit certain features of the Services.

2.1 Cookies and Similar Technologies

Cookies are small text files placed on your device when you visit a website. Pixel tags (also known as web beacons or clear GIFs) are small graphics linked to web servers. We use cookies and similar technologies to:

  • Remember your preferences and settings, so you do not have to re-enter them;
  • Authenticate your identity and maintain secure sessions;
  • Analyze how the Services are used and improve their performance;
  • Detect, prevent, and respond to fraud, abuse, and security incidents;
  • Measure the effectiveness of communications and marketing campaigns.

You can manage cookies through your browser settings or, where available, through cookie preference controls on the Services. Disabling cookies may limit certain features. Our Services are not currently designed to respond to "Do Not Track" signals from web browsers.

2.2 Analytics

We may use third-party analytics providers (such as Google Analytics, Mixpanel, or similar tools) to help us understand how the Services are used. These providers may use cookies, SDKs, and similar technologies to collect information about your use of the Services. The information they collect may be subject to their own privacy policies. We use this information solely to operate, evaluate, and improve the Services and to communicate with you about the Services.

3. How We Use Your Information

We use the personal information we collect to operate, maintain, and improve the Services, and for the following specific purposes:

  • Service provision: to create and manage your Account, authenticate you, process bill submissions, run OCR extraction, perform AI verification (Truth Scan), mint NFTs on the Hedera Hashgraph network, award Reward Points, and process $IDLE token redemptions;
  • Communications: to respond to inquiries, send transactional and service-related notifications, provide customer support, and notify you of material changes to the Services or this Privacy Policy;
  • Personalization: to tailor your experience within the Services, including content, offers, and recommendations;
  • Fraud detection and prevention: to detect, investigate, and prevent fraudulent bill submissions, duplicate or AI-generated bills, multiple-account abuse, and other prohibited or unlawful activity;
  • Security: to maintain the security and integrity of the Services, our systems, and our Users;
  • Legal and regulatory compliance: to comply with applicable laws, regulations, court orders, and lawful requests from competent authorities, including any applicable KYC/AML obligations and tax-reporting obligations;
  • Analytics and improvement: to perform analytics, conduct research, evaluate and improve the Services, develop new features, and produce internal reports;
  • Promotions and marketing: with your consent where required, to offer promotions, contests, or marketing communications you may be interested in. You may opt out of marketing communications at any time as described in Section 8;
  • Aggregated and de-identified data: to compile aggregated or de-identified data for our business purposes, including statistical analysis, research, and benchmarking. We do not attempt to re-identify de-identified data;
  • Business operations: to operate and protect our business, including accounting, auditing, risk management, and corporate transactions;
  • Enforcement: to enforce our Terms & Conditions and other policies, exercise our legal rights, and defend against legal claims.

We may also use your information for other purposes for which we provide specific notice at the time of collection or for which you provide consent.

4. Use of AI and Automated Processing

The Bills on Chain platform relies on automated processing, including artificial intelligence and machine learning, to deliver its core functionality. Specifically:

  • OCR Extraction: uploaded bill images are processed by optical character recognition systems to extract structured information such as merchant name, line items, total amount, and transaction date;
  • Truth Scan AI Verification: an AI model analyzes each submitted bill to detect AI-generated, manipulated, duplicate, or otherwise fraudulent submissions. Bills that fail verification may be rejected, and your Account may be flagged for review;
  • Model Training and Improvement: as permitted by applicable law, we may use bill images and extracted bill data — in identifiable, pseudonymized, or de-identified form — to train, evaluate, and improve our AI and machine learning models, including the Truth Scan model and OCR systems.

Where automated decisions made by these systems produce a significant effect on you (for example, the rejection of a bill or suspension of your Account on the basis of automated verification), you have the right, to the extent provided by applicable law, to request human review of the decision. You may exercise this right by contacting us at the address in Section 14.

5. Blockchain Data and On-Chain Transactions

IMPORTANT — PUBLIC AND PERMANENT NATURE OF BLOCKCHAIN DATA

Information recorded on the Hedera Hashgraph network and other public blockchain networks is, by design, public, immutable, and permanent. Once data is recorded on-chain, it cannot be deleted, modified, or reversed — including by the Company. You should carefully consider this before using the Services.

In connection with the Services, certain information may be recorded on the Hedera Hashgraph network or stored on decentralized storage networks (including, without limitation, Pinata/IPFS). This may include:

  • Your Hedera wallet address;
  • NFT identifiers and metadata associated with verified bills;
  • Hashes or references that point to off-chain bill metadata stored on decentralized storage;
  • $IDLE token transfer transactions associated with reward redemptions.

This on-chain information is publicly accessible and may be linked back to your wallet address by anyone with access to a Hedera network explorer or similar tool. We design our integrations to minimize the on-chain disclosure of directly identifying personal information — for example, by storing bill images and detailed bill data off-chain wherever feasible, and recording only minimal references on-chain. However, you should not rely on the confidentiality of any information recorded on a public blockchain.

Because of the immutable nature of blockchain records, your right to request erasure (as described in Section 8) cannot extend to information that has already been recorded on-chain. In such cases, we will, where required by applicable law, restrict our further use of the corresponding off-chain personal information and respond to your request to the maximum extent technically and legally possible.

6. How We Share Your Information

We do not sell your personal information for monetary consideration. We may share your personal information with the following categories of recipients, in each case subject to appropriate contractual and security safeguards:

  • Service Providers: third-party vendors that perform services on our behalf, including cloud hosting and infrastructure providers (such as Amazon Web Services), OCR providers, AI verification providers, decentralized storage providers (such as Pinata), wallet and blockchain infrastructure providers, customer support platforms, communications providers, analytics providers, identity verification providers, and IT and security service providers;
  • Affiliates: our parent company, subsidiaries, and other entities under common control with us, where necessary to operate the Services or for the purposes set out in this Privacy Policy;
  • Professional Advisors: our auditors, lawyers, accountants, insurers, and other professional advisors, subject to appropriate confidentiality obligations;
  • Legal and Regulatory Authorities: government agencies, law enforcement, regulators, courts, and other authorities, where required to comply with applicable law, respond to lawful requests, establish or exercise legal rights, or defend against legal claims;
  • Corporate Transactions: in connection with a contemplated or actual merger, acquisition, financing, joint venture, restructuring, reorganization, sale of assets, bankruptcy, or similar transaction, in which case personal information may be transferred to or accessed by counterparties, advisors, and successors;
  • With Your Consent or At Your Direction: in any other situation, with your consent or at your express direction;
  • Aggregated or De-identified Data: we may share aggregated or de-identified data that cannot reasonably be used to identify you for any lawful purpose.

We require our service providers to use your personal information only for the specific purposes for which it is disclosed and to maintain appropriate confidentiality and security safeguards.

7. Cross-Border Data Transfers

We are a global business, and the personal information we collect may be transferred to, stored in, and processed in jurisdictions other than the one in which you reside, including [INSERT JURISDICTIONS WHERE DATA IS STORED OR PROCESSED — e.g., India, the United Arab Emirates, the United States, and the European Union]. The data protection laws of these jurisdictions may differ from those of your jurisdiction of residence.

When we transfer personal information across borders, we take steps to ensure that an adequate level of protection is provided, including by using contractual safeguards such as standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms recognized under applicable data protection law. By using the Services, you understand that your personal information may be transferred to and processed in such jurisdictions.

8. Your Rights and Choices

Subject to applicable law and to verification of your identity, you may have one or more of the following rights with respect to your personal information:

  • Access: the right to request confirmation of whether we process personal information about you and to obtain a copy of that information;
  • Correction: the right to request correction of inaccurate or incomplete personal information;
  • Deletion / Erasure: the right to request deletion of your personal information, subject to certain exceptions (including, without limitation, the immutability of information already recorded on a public blockchain as described in Section 5);
  • Portability: the right to receive your personal information in a portable, machine-readable format and, where technically feasible, to have it transmitted to another controller;
  • Restriction / Objection: the right to restrict or object to certain processing of your personal information, including for purposes of direct marketing;
  • Withdrawal of Consent: where we process your personal information on the basis of consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal;
  • Automated Decision-Making: the right, in certain circumstances, to obtain human review of automated decisions that produce a significant effect on you, as described in Section 4;
  • Complaint to a Regulator: the right to lodge a complaint with the data protection authority of your jurisdiction of residence.

To exercise any of these rights, please contact us at [INSERT PRIVACY CONTACT EMAIL]. We will respond to your request within the time period required by applicable law. We may need to verify your identity before fulfilling your request, and in some cases we may be unable to comply with a request because of legal exemptions or because we no longer hold the relevant information.

8.1 Marketing Communications

You can unsubscribe from marketing emails at any time by clicking the "unsubscribe" link included in such emails, or by contacting us at the address in Section 14. Even if you unsubscribe from marketing emails, we may still send you transactional or service-related communications, such as notifications about your Account, security alerts, and material changes to our policies.

8.2 Regional Privacy Rights

Depending on your jurisdiction of residence, you may have additional rights under local data protection law. The Company will honor such rights in accordance with applicable law. If you are a resident of [INSERT RELEVANT JURISDICTIONS — e.g., the European Economic Area, the United Kingdom, India, the United Arab Emirates, or specific US states], please contact us using the details in Section 14 for information about your specific rights and how to exercise them.

9. Data Retention

We retain your personal information for as long as is reasonably necessary to fulfill the purposes for which it was collected (as set out in this Privacy Policy), to comply with our legal, regulatory, tax, and accounting obligations, to resolve disputes, and to enforce our agreements.

Specific retention periods depend on the type of information and the purpose of processing. By way of example:

  • Account information is retained for the duration of your Account, plus a reasonable period thereafter to address legal, regulatory, or security obligations;
  • Bill images and extracted bill data are retained for the period needed to operate the Services, support audit and dispute resolution, and meet any applicable record-retention obligations;
  • Communications and support records are retained for a reasonable period to enable service quality review and dispute resolution;
  • Information required for compliance with applicable law (including KYC/AML obligations, where applicable) is retained for the period required by such law;
  • Information already recorded on a public blockchain network cannot be deleted by the Company and will remain on-chain permanently, as described in Section 5.

When we no longer need to retain personal information, we will delete or anonymize it in accordance with applicable law and our internal retention schedules.

10. How We Protect Your Information

We maintain administrative, technical, and physical safeguards designed to protect your personal information against accidental, unlawful, or unauthorized access, destruction, loss, alteration, disclosure, or use. These safeguards include, where appropriate:

  • Encryption of personal information in transit and, where appropriate, at rest;
  • Access controls and authentication mechanisms to restrict access to personal information to authorized personnel only;
  • Network security measures, including firewalls, intrusion detection, and monitoring;
  • Secure development practices, vulnerability management, and periodic security testing;
  • Employee training on data protection and information security;
  • Incident response procedures to detect, investigate, and respond to security incidents.

However, no method of transmission over the internet or method of electronic storage is completely secure. Although we take reasonable steps to protect your personal information, we cannot guarantee its absolute security. You are responsible for keeping your Account credentials, wallet credentials, and other access mechanisms secure, and for notifying us promptly of any suspected unauthorized access to your Account.

11. Children's Privacy

The Services are designed for a general audience and are not directed to children. We do not knowingly collect personal information from children under the age of eighteen (18), or such other age of majority as may apply in the user's jurisdiction. If you believe that a child has provided personal information to us, please contact us using the details in Section 14, and we will take appropriate steps to delete the information in accordance with applicable law.

12. Third-Party Services and Links

The Services may contain links to, or integrations with, third-party websites, applications, services, and features that are not operated by us — including, without limitation, blockchain network explorers, decentralized storage providers, wallet providers, exchanges, app stores, and social media platforms. We are not responsible for the privacy practices of these third parties. The collection, use, and disclosure of your personal information by such third parties are governed by their own privacy policies, which we encourage you to review.

13. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other operational reasons. When we make material changes, we will update the "Last Updated" date at the top of this Privacy Policy and, where required by applicable law, provide additional notice (for example, by email or through a prominent notice within the Services). Your continued use of the Services following such updates constitutes your acknowledgement of the updated Privacy Policy.

14. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, or to exercise your rights, please contact us at:

String Fintech HK Ltd.

Attention: Privacy Officer / Data Protection Officer

Flat/RM 606 6/F Hollywood Centre

77-91 Queen's Road West Sheung Wan HK

Email: [email protected]

Website: https://www.stringfintech.com/

Where required by applicable law, we will respond to your request within the time period prescribed by such law. If you are not satisfied with our response, you may have the right to lodge a complaint with the data protection authority in your jurisdiction.

— End of Privacy Policy —