RABBIT.IO PRIVACY POLICY

Last Updated: November 20, 2025

This Privacy Policy describes how Rabbit.io (“Rabbit”, “Platform”, “we”, “us”, or “our”) collects, uses, shares, and safeguards personal data in connection with your access to and use of our crypto-to-crypto non-custodial exchange platform.

We understand that privacy is essential in the context of digital finance and blockchain-based ecosystems. That is why we process personal data in accordance with the highest international standards, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”), and any other data protection or financial compliance legislation applicable to your jurisdiction.

This Policy outlines the types of data we may collect when you interact with the Platform, the lawful bases for such processing, the manner in which data may be shared with trusted service providers or compliance partners, and the rights you may exercise under relevant law. Our data practices are designed to reflect the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, and accountability, as required by global data protection frameworks.

By continuing to access or use the Platform, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy and to our corresponding Terms of Service. If you do not agree with any provision of this Policy, we kindly ask that you refrain from using the Platform.

Due to the decentralized nature of blockchain technology, certain transaction-related information (including wallet addresses and transaction hashes) is permanently recorded on public ledgers beyond our control. While we apply robust privacy safeguards to all personal data within our systems, blockchain records are immutable and cannot be altered or deleted by Rabbit.io.

Rabbit.io operates exclusively as a non-custodial crypto-to-crypto exchange aggregator. We do not host user accounts, store private keys, or hold custody of digital assets at any time. All transactions occur directly between your wallet and the selected liquidity provider. Rabbit.io has no ability to reverse, recover, or alter any transaction once it is broadcast to the blockchain. By using the Platform, you acknowledge that the security of your wallet, private keys, and devices is solely your responsibility.

  1. SCOPE OF THIS PRIVACY POLICY

    This Privacy Policy governs the collection and processing of personal data by Rabbit.io in connection with your interaction with our Platform, including the Rabbit.io website, APIs, and any ancillary services provided directly by us. It applies to all users who access or make use of the Platform, regardless of geographic location or legal domicile.

    Please note, however, that this Policy does not extend to third-party websites, platforms, or services that may be accessed through Rabbit.io, including but not limited to external liquidity providers and integrated crypto exchange solutions. These third parties operate independently and are governed by their own privacy policies and data protection practices. Rabbit.io does not accept responsibility for the data handling procedures or privacy compliance of such third parties.

    By using our Platform, you acknowledge and accept that certain features and exchange functions are facilitated through independent third-party liquidity providers, including, without limitation, SwapSpace, LetsExchange, Exolix, Binance, and WhiteBit. These providers operate under their own privacy policies and terms of service, as expressly referenced in our Terms of Service, and act as independent controllers or processors of personal data. Rabbit.io integrates with such providers solely to execute your requested transactions and assumes no responsibility for their data handling practices, security measures, service availability, or regulatory compliance. The list of active providers is maintained and updated in our Terms of Service, and we strongly encourage you to review each provider’s privacy policy before initiating a transaction involving their infrastructure. By proceeding with a transaction, you consent to the applicable provider’s terms and privacy policy, and acknowledge that any data shared is under their exclusive control.

  2. DEFINITIONS

    For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below. Defined terms apply regardless of whether they appear in singular or plural form.

    1. "Platform" refers to the non-custodial crypto-to-crypto exchange environment made available by Rabbit.io, including its website, APIs, interfaces, transaction processing flows, and any related features or services.
    2. "User" means any natural person who accesses, interacts with, or transacts through the Platform, whether or not they create an account or otherwise register. Users may access the Platform on a pseudonymous basis and are not required to disclose identifying information unless triggered by risk-based compliance procedures.
    3. "Personal Data" shall have the meaning ascribed to it under Article 4(1) of the General Data Protection Regulation (EU) 2016/679 and, where applicable, the California Consumer Privacy Act as amended by the CPRA. It includes any information that relates to an identified or identifiable natural person, such as IP addresses, blockchain wallet addresses, transaction identifiers, or other technical identifiers capable of being linked to a user under certain conditions.
    4. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including but not limited to collection, storage, use, access, disclosure, transfer, or deletion.
    5. "Controller" refers to Rabbit, which determines the purposes and means of the processing of Personal Data as described in this Privacy Policy.
    6. "Processor" refers to any third party that processes Personal Data on behalf of the Controller in accordance with Article 28 of the GDPR or similar legal requirements under Applicable Law.
    7. "Third Party" means any individual or legal entity other than Rabbit.io, including but not limited to liquidity providers, analytics vendors, compliance partners, cloud service providers, and regulators with whom data may be shared in accordance with this Policy.
    8. "Non-Custodial" describes a platform architecture in which Rabbit.io does not hold, store, or retain control over user funds on a continuous basis. All digital asset exchanges are performed either through temporary proxy wallets used exclusively for transaction execution or directly through third-party exchange integrations.
    9. "Applicable Law" means all data protection and privacy legislation relevant to Rabbit.io’s operations and the processing of Personal Data, including without limitation the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA”), and any equivalent laws or regulations in other jurisdictions from which Users access the Platform.
    10. "Personal Data" means any information relating to an identified or identifiable natural person.
    11. "Processing" means any operation performed on Personal Data, whether automated or not, such as collection, storage, use, disclosure, or deletion.
    12. "Blockchain Data" means transaction-related data recorded on a distributed ledger that is immutable and publicly accessible.
    13. "Non-Custodial Service" means a service that does not hold or control a user’s assets or private keys.
    14. "Third-Party Provider" means an external service integrated with the Platform to facilitate transactions, liquidity, analytics, or other functionalities.
    15. "AML/KYC Requirements" means obligations under anti-money laundering and counter-terrorism financing laws applicable to certain transactions.
  3. LEGAL BASIS FOR PROCESSING

    1. Rabbit.io processes personal data only where such processing is permitted under applicable law. In jurisdictions governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR"), we rely on one or more of the following lawful bases for processing, as defined under Article 6 of the GDPR:
      1. Where the processing is necessary for the performance of a contract or in order to take steps at the request of the User prior to entering into a contract, we process data to fulfill the crypto-asset exchange transaction you initiate through the Platform, including the communication of transaction details to third-party liquidity providers or compliance vendors.
      2. Where we have a legitimate interest in ensuring the functionality, security, and integrity of the Platform, we may process technical information such as IP addresses, wallet identifiers, user-agent data, and device-level metadata. Such processing is strictly limited to what is necessary to safeguard the Platform against fraud, abuse, technical failures, or regulatory violations, and is always balanced against your fundamental rights and freedoms.
    2. In circumstances where processing is required to comply with a legal obligation to which Rabbit.io is subject - such as anti-money laundering (AML), counter-terrorism financing (CTF), sanctions enforcement, or compliance with a lawful request from competent authorities - we will process and retain the necessary data accordingly.
    3. Where required under applicable data protection laws, such as for the use of cookies or analytics tools not strictly necessary for the functioning of the Platform, we will request your explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
    4. For Users accessing the Platform from jurisdictions that recognize equivalent legal bases - such as under the California Consumer Privacy Act (as amended by the CPRA) or other global data protection frameworks - we apply these same principles to ensure transparency, purpose limitation, and data minimization.
    5. A Data Transfer Impact Assessment (DTIA) is conducted before transferring Personal Data to a jurisdiction lacking an adequacy decision, in compliance with GDPR Articles 44-49.
    6. Rabbit.io does not knowingly engage in automated decision-making or profiling that produces legal or similarly significant effects on Users, as defined under Article 22 of the GDPR.
    7. You are solely responsible for ensuring that your use of Rabbit.io is lawful in your jurisdiction. Rabbit.io disclaims any liability for your failure to comply with applicable local laws, including but not limited to those governing cryptocurrency trading, taxation, AML/CTF, and data protection.
  4. INFORMATION WE COLLECT

    1. At Rabbit.io, we adhere to the principle of data minimization as defined under Article 5(1)(c) of the GDPR and equivalent global frameworks. As a non-custodial crypto-to-crypto exchange, we do not require Users to register accounts, disclose identity documents, or submit personal identifiers to interact with the Platform under normal circumstances. The data we collect is strictly limited to what is necessary to maintain technical integrity, execute transactions, ensure regulatory alignment, and respond to User-initiated inquiries.
    2. We do not collect names, physical addresses, government-issued identification numbers, or fiat-related payment information. However, the following categories of personal and pseudonymous data may be collected either automatically through your interaction with the Platform or directly from you in connection with a specific transaction or request.
    3. Technical Usage Data. When you access the Platform, our systems automatically record limited technical metadata required for security and platform diagnostics. This may include your IP address, browser type and version, operating system, device type, language settings, time zone, and general geographic location (e.g., country or region). Additionally, we log timestamps of visits, referral URLs, and basic session telemetry to monitor system integrity and detect suspicious activity. This information is collected on the basis of our legitimate interest in maintaining a secure and operable service infrastructure (Art. 6(1)(f) GDPR).
    4. Transaction Data. In order to facilitate crypto-to-crypto exchange operations, we collect data directly related to each transaction you initiate on the Platform. This includes your deposit and recipient blockchain wallet addresses, the type and volume of digital assets exchanged, transaction hashes, network IDs, applicable rates and currency pairs, as well as blockchain-specific metadata such as memos, destination tags, or extra identifiers (where applicable). If you voluntarily provide a refund address or supplemental transaction note, this data is also stored to support reprocessing or dispute resolution. All such data remains pseudonymous and is not associated with any registered identity unless you explicitly disclose it to us.
    5. Optional Contact Information. In the normal course of using the Platform, no contact information is required or requested. However, should you initiate contact with our support team - whether via email, web form, or integration with a third-party exchange provider - we may collect the contact details you voluntarily provide, such as an email address or message metadata. Such information will be used strictly for the purpose for which it was submitted, such as responding to a support inquiry or facilitating a refund, and is not retained beyond what is necessary.
    6. Cookies and Analytics Data. As further detailed in the Cookie Policy, Rabbit.io uses cookies and similar technologies to understand how Users interact with the Platform and to optimize performance. This includes data such as pages visited, clickstream patterns, referral URLs, session duration, and interactions with specific features. We use third-party analytics services, including Google Analytics and Yandex Metrica, which may collect and process this information in anonymized or aggregated formats using their own identifiers. No directly identifying personal data is collected through analytics cookies, and all non-essential tracking is subject to your explicit consent.
    7. Rabbit.io does not process any sensitive personal data as defined under Article 9 of the GDPR, such as biometric identifiers, financial account credentials, health information, or racial or ethnic origin. All crypto-asset transactions on the Platform are conducted on-chain and remain pseudonymous by design, with data linked exclusively to blockchain wallet addresses. Any personal data you choose to submit to Rabbit.io - whether through direct communication or transactional metadata - is handled in accordance with this Privacy Policy and applicable data protection laws.
    8. We implement encryption, pseudonymization, and strict access controls to protect collected data. We do not intentionally collect any “special categories of personal data” as defined in Article 9 GDPR or “sensitive personal information” under CPRA.
  5. HOW WE USE YOUR INFORMATION

    1. Rabbit.io processes personal data exclusively for clearly defined, lawful, and proportionate purposes that are directly aligned with the delivery and maintenance of our crypto-to-crypto non-custodial exchange services. All uses of data are consistent with the principle of purpose limitation set forth under Article 5(1)(b) of the General Data Protection Regulation (GDPR) and equivalent international data protection regimes. We do not process personal data in any manner incompatible with the purposes for which it was originally collected, nor do we engage in profiling, behavioral advertising, or commercial resale of user data.
    2. We primarily use Transaction Data and Technical Usage Data to enable the core functionalities of the Platform. This includes validating, coordinating, and executing the crypto-to-crypto swap transactions you initiate, whether processed via Rabbit.io’s proprietary systems or routed through integrated third-party liquidity providers. Wallet addresses, transaction amounts, blockchain identifiers, and relevant metadata are essential to carry out your requested exchange and are processed strictly for that operational purpose. Technical parameters such as IP address, device type, browser version, and session context may be used to render the Platform correctly across user environments and to ensure seamless interaction.
    3. We further process certain data to uphold the security, integrity, and lawful operation of the Platform. This includes monitoring usage patterns and transaction flows to detect anomalies, prevent abuse, and mitigate fraud. IP address logs, session data, and on-chain transaction metadata may be assessed - either directly or via third-party compliance tools - for potential violations of anti-money laundering (AML) obligations, sanctions enforcement measures, or other financial crime prevention requirements applicable under international regulatory frameworks. Such processing is carried out under a combination of legal obligation and legitimate interest, as defined by Articles 6(1)(c) and 6(1)(f) of the GDPR.
    4. To comply with applicable legal and regulatory obligations, we may retain or disclose specific transaction-related data where required to do so by law, subpoena, court order, or request from a competent authority. While Rabbit.io does not mandate Know-Your-Customer (KYC) verification for general Platform use due to its non-custodial architecture, we adhere to a risk-based compliance model. In cases where a transaction triggers elevated AML risk or is linked to a sanctioned entity, we reserve the right to pause or reject processing and to disclose relevant information to the appropriate supervisory authority in accordance with applicable legal standards.
    5. We also utilize aggregated, pseudonymized analytics to improve the functionality and user experience of the Platform. Data such as clickstream behavior, error logs, and performance metrics may be reviewed internally or through trusted analytics vendors to optimize navigation, diagnose technical issues, and refine future product iterations. We do not use this data to identify or profile individual users, and all analytics involving personal data are subject to explicit consent where legally required.
    6. In the event that you contact Rabbit.io for customer support or submit a transactional inquiry, we may process any information you voluntarily provide (e.g., email address, transaction ID, or message content) for the sole purpose of responding to and resolving your request. This may include referencing your previous transaction history or temporarily retaining your correspondence for quality assurance.
    7. Importantly, Rabbit.io does not use personal data for advertising, remarketing, or audience segmentation purposes. We do not sell, license, or otherwise monetize personal data in any form, nor do we allow third parties to engage in such practices via our infrastructure. All data processing activities are limited to the scope necessary to provide, maintain, secure, and improve the Platform in accordance with our legitimate interests and applicable legal requirements.
    8. The legal bases on which we rely for such processing include the performance of a contract (Article 6(1)(b) GDPR), compliance with legal obligations (Article 6(1)(c)), and legitimate interests (Article 6(1)(f)), provided such interests are not overridden by your fundamental rights and freedoms. Where required - for instance, when deploying non-essential cookies or collecting optional contact information - we will request your freely given, specific, informed, and unambiguous consent in accordance with Article 6(1)(a) and Article 7 of the GDPR. You retain the right to withdraw consent at any time without prejudice to the lawfulness of prior processing.
    9. We do not engage in profiling or automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.
    10. Rabbit.io adheres to the principle of data minimization under Article 5(1)(c) GDPR and processes only the personal data that is adequate, relevant, and strictly necessary to achieve the purposes stated above.
  6. DATA SHARING AND THIRD-PARTY DISCLOSURES

    1. Rabbit.io does not engage in the commercial sale, rental, or licensing of personal data. We share personal and pseudonymous information only in limited circumstances, where such disclosure is necessary to operate the Platform, comply with legal obligations, protect our rights, or fulfill a transaction you have requested. All data sharing is governed by binding contractual safeguards and conducted in accordance with the requirements of Article 28 (processor obligations) and, where applicable, Articles 44-49 (international transfers) of the GDPR, as well as equivalent provisions under other applicable laws.
    2. Integrated Liquidity Providers. Certain crypto-to-crypto swap transactions are facilitated via trusted third-party exchange partners, such as SwapSpace, LetsExchange, and Exolix, or other providers named in our Terms of Service. When you initiate a transaction that routes through one of these providers, we share only the information strictly required to complete the exchange - such as deposit and recipient wallet addresses, asset type and amount, transaction hash, and any relevant network identifiers. These providers act as independent controllers of your data for the purposes of executing their part of the transaction and are subject to their own privacy policies. We strongly encourage you to review those policies before engaging in their services.
    3. Compliance and Fraud Prevention Partners. To meet obligations under applicable anti-money laundering (AML), counter-terrorism financing (CTF), and sanctions enforcement frameworks, Rabbit.io may disclose certain transaction-related information to vetted third-party compliance vendors. These processors assist us in screening wallet addresses and transaction metadata against sanctions lists, suspicious activity databases, and blockchain analytics intelligence feeds. Such processing is conducted under strict contractual terms that ensure confidentiality, security, and purpose limitation.
    4. Technology and Infrastructure Providers. We may engage external service providers to support the operation, hosting, and maintenance of the Platform. This can include cloud infrastructure vendors, DDoS mitigation providers, secure email delivery services, and analytics platforms (e.g., Google Analytics and Yandex Metrica). Where such providers process personal data on our behalf, they do so solely in accordance with our written instructions and under data processing agreements compliant with GDPR Article 28.
    5. Legal Disclosures. Rabbit.io may disclose personal data when required to do so by law or pursuant to a valid legal process, such as a subpoena, court order, or binding request from a competent governmental authority. This includes circumstances where disclosure is necessary to enforce our Terms of Service, protect the rights, property, or safety of Rabbit.io, our Users, or others, or to investigate suspected unlawful activity.
    6. Corporate Transactions. In the unlikely event of a merger, acquisition, restructuring, or sale of assets involving Rabbit.io, personal data relevant to the continuity of services may be transferred to the acquiring entity, subject to equivalent or stronger privacy protections and applicable data protection laws.
    7. In all such cases, Rabbit.io ensures that any third party receiving personal data is contractually bound to maintain confidentiality, implement robust technical and organizational safeguards, and process the data only for the specific purposes for which it was disclosed.
  7. INTERNATIONAL DATA TRANSFERS

    1. Given the inherently global nature of blockchain networks and the operational structure of Rabbit.io, certain personal and pseudonymous data may be transferred to, processed in, or stored in jurisdictions outside of the country from which you access the Platform. This includes transfers to countries that may not provide an equivalent level of data protection as that guaranteed under the General Data Protection Regulation (GDPR) or other applicable privacy laws.
    2. Where such transfers involve personal data originating from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with cross-border data transfer restrictions, Rabbit.io implements appropriate safeguards in accordance with Articles 44–49 of the GDPR. These safeguards may include the use of European Commission Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other legally recognized transfer mechanisms. In certain limited cases, transfers may be based on your explicit and informed consent, or where the transfer is necessary for the performance of a contract you have entered into with us.
    3. Personal data may be processed by:
      1. Integrated liquidity providers and compliance vendors located in various jurisdictions, solely for the purposes described in this Privacy Policy;
      2. Cloud infrastructure, analytics, and security service providers whose servers may be geographically distributed;
      3. Competent regulatory or enforcement authorities where disclosure is legally mandated.
    4. Rabbit.io ensures that all recipients of personal data, regardless of location, are bound by contractual obligations requiring them to maintain confidentiality, implement industry-standard security measures, and process data strictly in line with the purposes for which it was transferred.
    5. It is important to note that blockchain-based transactions are inherently borderless and are confirmed across a decentralized network of nodes that may be located worldwide. Rabbit.io does not control the geographic routing of blockchain data once a transaction is broadcast to the network, and such on-chain processing is outside the scope of regulated international data transfer mechanisms.
    6. By using the Platform, you acknowledge that your personal and pseudonymous data may be transferred to and processed in jurisdictions outside your country of residence, subject to the safeguards and limitations set out in this Privacy Policy.
    7. For transfers to jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) under Article 46 GDPR and apply encryption, pseudonymization, and strict access controls.
  8. DATA RETENTION

    1. We apply strict retention schedules in accordance with the principle of storage limitation under Article 5(1)(e) of the General Data Protection Regulation (GDPR) and equivalent provisions of other applicable laws.
    2. Technical Usage Data, including IP addresses, browser metadata, device identifiers, and access logs, is typically retained for no longer than three (3) months from the date of collection. This retention period allows us to ensure the stability, security, and integrity of the Platform, and to investigate and mitigate potential security incidents.
    3. Transaction Data, such as wallet addresses, transaction hashes, and associated blockchain metadata, is retained for a minimum of three (3) months to support operational dispute resolution, fraud prevention, and platform diagnostics. In certain cases, where required under anti-money laundering (AML), counter-terrorism financing (CTF), sanctions compliance, or other applicable laws, we may be legally obligated to retain such data for extended periods - often up to five (5) years - as prescribed by relevant regulations.
    4. Customer Support Records, including communications you initiate with us and any related metadata, are retained only for the duration necessary to resolve your inquiry and for reasonable follow-up, unless longer retention is required for compliance, auditing, or dispute resolution purposes.
    5. Cookies and Analytics Data are retained in accordance with the durations specified in our Cookie Policy, after which they are automatically deleted or anonymized.
    6. Once the applicable retention period expires, Rabbit.io securely deletes or irreversibly anonymizes personal data in a manner designed to prevent reconstruction or re-identification. Blockchain-based transaction records, by their nature, cannot be altered or deleted once confirmed on-chain; however, any off-chain records that link such transactions to personal data under our control will be subject to our retention and deletion protocols.
    7. In all cases, retention decisions are guided by the principle of proportionality, ensuring that data is not stored for longer than is necessary for the purposes for which it was processed, while maintaining compliance with applicable laws and regulatory frameworks.
  9. USER RIGHTS

    1. Rabbit.io is committed to safeguarding the fundamental rights and freedoms of every individual whose personal data we process, regardless of nationality or place of residence, and to applying the highest standards of transparency, accessibility, and legal compliance. Our framework for data subject rights is built upon the General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA), the Seychelles Data Protection Act, and comparable international privacy regimes.
    2. We voluntarily extend these protections to all Users of Rabbit.io worldwide, unless such application is expressly prohibited or restricted by applicable law in a given jurisdiction. Our non-custodial design means that the scope and technical feasibility of certain rights may differ from platforms that maintain user accounts; however, we implement measures to facilitate every right to the fullest extent permitted.
    3. Scope of Rights under GDPR and Equivalent Laws. If you are located in the European Economic Area (EEA), the United Kingdom, or any other jurisdiction granting equivalent data protection rights, you may exercise the following rights in accordance with Chapter III of the GDPR and relevant local laws:
      1. Right of Access (Art. 15 GDPR) - You have the right to obtain confirmation as to whether Rabbit.io processes your personal data. If we do, you may request a copy of that data, together with detailed information on: the purposes of processing; categories of personal data concerned; recipients or categories of recipients to whom the data has been disclosed; the envisaged retention period; and the safeguards in place for any international transfers (pursuant to Chapter V GDPR).
      2. Right to Rectification (Art. 16 GDPR) - You may request the correction of any inaccurate personal data without undue delay, as well as the completion of incomplete data, taking into account the purposes for which it is processed.
      3. Right to Erasure - “Right to be Forgotten” (Art. 17 GDPR) - You may request the deletion of your personal data where:
        1. It is no longer necessary for the purposes for which it was collected;
        2. You withdraw consent and there is no other lawful basis for processing; or
        3. You have successfully objected to processing.
        4. This right is subject to statutory obligations and exemptions, including mandatory anti-money laundering (AML) and counter-terrorist financing (CTF) record-keeping requirements, which may require us to retain transaction-related data for a period of up to five (5) years under applicable law.
      4. Right to Restriction of Processing (Art. 18 GDPR) - You may request that we temporarily restrict the processing of your data, for example where you contest its accuracy (pending verification) or where processing is unlawful but you oppose erasure.
      5. Right to Data Portability (Art. 20 GDPR) - You may request to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and, where technically feasible, to have it transmitted directly to another data controller.
      6. Right to Object (Art. 21 GDPR) - You may object at any time to processing of your personal data based on our legitimate interests, including any related profiling. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is required for the establishment, exercise, or defense of legal claims.
      7. Right to Withdraw Consent (Art. 7(3) GDPR) - Where we rely on your consent for specific processing activities (e.g., analytics cookies, optional contact information), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
    4. Rabbit.io treats these rights not as procedural obligations, but as core commitments to privacy and user autonomy. All requests are handled in line with Article 12 GDPR - meaning they are processed transparently, without undue delay, and in clear, plain language.
    5. Scope of Rights under CCPA/CPRA. If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) (California Civil Code §1798 et seq.):
      1. Right to Know - You may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom we have shared it. Upon request, and where permitted by law, we may extend the look-back period beyond 12 months for information collected after January 1, 2022.
      2. Right to Delete - You may request the deletion of personal information we have collected from you, subject to statutory exceptions such as completion of a requested transaction, security incident detection, fraud prevention, legal compliance (including AML/CTF record-keeping), or other operational requirements permitted under Cal. Civ. Code §1798.105(d).
      3. Right to Correct - You may request the correction of inaccurate personal information we maintain about you, taking into account the nature of the information and the purposes of processing.
      4. Right to Opt Out of Sale or Sharing - Rabbit.io does not sell or share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. Should our practices change, you will have the right to opt out via a “Do Not Sell or Share My Personal Information” link and through recognized browser privacy signals such as Global Privacy Control (GPC).
      5. Right to Limit Use of Sensitive Personal Information - Rabbit.io does not collect Sensitive Personal Information (SPI) as defined under Cal. Civ. Code §1798.140(ae). If we ever do, you will have the right to limit its use to purposes reasonably necessary for the service.
      6. Right to Non-Discrimination - You will not receive any discriminatory treatment for exercising your privacy rights, in compliance with Cal. Civ. Code §1798.125.
    6. Verification of Identity. Given Rabbit.io’s non-custodial architecture and the absence of user accounts, we require sufficient information to verify that you are the individual to whom the request pertains before fulfilling any CCPA/CPRA rights request. Verification may involve providing one or more of the following:
      1. A relevant blockchain transaction hash;
      2. The wallet address used in the transaction;
      3. The approximate date, time, and value of the transaction;
      4. Any communication reference number from prior correspondence; or
      5. An email address or identifier used in prior interactions (if applicable).
      6. We will not disclose, correct, or delete personal information if we cannot reasonably verify your identity and your entitlement to such information, to prevent unauthorized access or deletion.
    7. How to Exercise Your Rights

      1. You or your authorized agent (with valid written authorization or a power of attorney) may submit a request to exercise your rights by contacting our Data Protection Officer at [email protected]. Authorized agent submissions may require additional identity verification from both the agent and the consumer.
      2. We will acknowledge receipt of your request promptly and respond within 45 days as required by CCPA/CPRA, with a possible single extension of up to an additional 45 days if reasonably necessary due to the complexity or volume of requests (in which case we will notify you of the extension and reasons). For GDPR-covered individuals, we will respond within 30 days subject to similar permissible extensions.
      3. Our responses will be delivered electronically in a portable and readily usable format (such as JSON, CSV, or PDF). For deletion requests, we will confirm deletion or explain any applicable statutory exception. For “Right to Know” requests, we will provide the requested information for the applicable period.
    8. Limitations. The exercise of certain rights may be restricted where:

      1. It would adversely affect the rights and freedoms of others;
      2. It would interfere with ongoing legal obligations, investigations, or enforcement actions; or
      3. It would conflict with mandatory record-keeping requirements imposed by applicable anti-money laundering (AML), counter-terrorist financing (CTF), or sanctions laws.
    9. Where a request is denied or restricted, we will provide a clear explanation of the legal or operational basis for the decision.
    10. Due to the immutable nature of blockchain, Rabbit.io cannot delete, amend, or restrict access to transaction data recorded on public ledgers. However, we can delete or anonymize related records within our systems.
  10. BLOCKCHAIN DATA AND YOUR RIGHTS

    1. Transactions executed through the Platform are permanently recorded on decentralized public blockchains. Once confirmed, these records - such as wallet addresses, transaction amounts, asset types, and timestamps - cannot be altered, deleted, or otherwise modified by Rabbit.io or any other party. This immutability is an inherent characteristic of blockchain technology and is recognized by global data protection regulators as a technical limitation.
    2. Data recorded on a blockchain is pseudonymous by design and generally does not directly identify you. However, in certain circumstances - such as where a wallet address can be linked to you through off-chain information - it may be considered personal data under applicable law. While Rabbit.io cannot erase or modify on-chain records, we will delete or irreversibly anonymize any related off-chain data under our control (such as logs, support communications, or transaction metadata) if you exercise your right to erasure and it is technically feasible to do so.
    3. By using a blockchain-based service, you acknowledge and accept that certain transaction data will be permanently recorded on distributed networks outside our control, and that the exercise of some privacy rights may be technically limited as a result.
    4. Blockchain transactions are recorded permanently on decentralized public ledgers outside our control. Rabbit.io is not responsible for any third-party analysis, deanonymization, or correlation of wallet addresses to personal identities, whether by blockchain analytics firms, law enforcement, or other actors. We do not engage in proactive deanonymization and will only share wallet address associations when legally compelled.
  11. DATA PROTECTION PRINCIPLES

    1. Rabbit.io processes personal and pseudonymous data in accordance with the core principles of data protection as set out in Article 5 of the General Data Protection Regulation (GDPR) and mirrored in the Seychelles Data Protection Act and other equivalent laws. These principles are embedded into our operational and technical framework and govern every stage of the data lifecycle.
    2. We process data lawfully, fairly, and transparently, ensuring that Users are informed of the purposes and legal bases for processing before such processing takes place. All processing is tied to a clearly identified lawful basis, and we do not engage in practices that could mislead or disadvantage Users.
    3. We apply the principle of purpose limitation, collecting and using personal data solely for legitimate, specific, and explicitly stated purposes connected to the operation, security, and regulatory compliance of our crypto-to-crypto exchange services. Data is never repurposed in a way that is incompatible with those original purposes.
    4. We adhere to data minimization, collecting only the data that is strictly necessary to achieve the stated purposes. This is reinforced by our non-custodial architecture, which eliminates the need for account registration and avoids collection of traditional identity documents for general use of the Platform.
    5. We uphold accuracy, taking reasonable steps to ensure that data under our control is correct and, where necessary, kept up to date. Users may exercise their rights to rectification to correct or complete data that is inaccurate or incomplete.
    6. We follow the principle of storage limitation, retaining personal data only for as long as is necessary to fulfill the processing purpose or to meet legal and regulatory obligations, after which it is securely deleted or irreversibly anonymized.
    7. We ensure integrity and confidentiality by implementing robust technical and organizational measures to safeguard personal data against unauthorized access, unlawful processing, accidental loss, destruction, or damage.
    8. Finally, we operate under the principle of accountability, maintaining comprehensive internal records of processing activities and being able to demonstrate compliance with all applicable data protection obligations upon request by a competent authority.
  12. DATA SECURITY MEASURES

    1. Rabbit.io maintains a comprehensive information security program designed to protect personal and pseudonymous data against unauthorized access, disclosure, alteration, or destruction. These measures align with Article 32 of the GDPR, industry best practices for digital asset services, and applicable cybersecurity standards.
    2. Technical Safeguards. We employ encryption in transit (TLS 1.2 or higher) and at rest for all data under our control. Our infrastructure is hosted in secure, access-controlled environments with intrusion detection and prevention systems, regular vulnerability scanning, and continuous monitoring. Where feasible, data is pseudonymized or anonymized to minimize the risk of re-identification.
    3. Organizational Measures. Access to personal data is strictly limited to authorized personnel who require it for legitimate operational purposes and are bound by confidentiality obligations. All employees and contractors undergo mandatory data protection and security training, with periodic refreshers and audits to ensure ongoing compliance.
    4. Third-Party Security Oversight. Before engaging any third-party processor or service provider, we conduct due diligence to assess their technical and organizational safeguards. Data Processing Agreements (DPAs) are in place with all processors, requiring compliance with GDPR Article 28 and equivalent standards. We also perform periodic reviews of vendor compliance.
    5. Blockchain-Specific Measures. While blockchain transactions are inherently public and outside Rabbit.io's control once broadcast to the network, we take measures to prevent the unnecessary linking of wallet addresses to identifiable personal data in our off-chain records. Where on-chain transparency may pose a risk to a User, we work to mitigate such exposure through operational and architectural controls.
    6. Incident Response. Rabbit.io maintains a documented incident response plan to address potential data breaches. In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay, and, where required, affected Users, in accordance with Articles 33 and 34 of the GDPR.
    7. While no method of transmission or storage is completely secure, Rabbit.io's layered security framework, continuous monitoring, and adherence to privacy-by-design principles are intended to reduce risk to a level appropriate to the nature of the data and the potential harm from unauthorized processing.
    8. While Rabbit.io implements industry-standard security measures to protect personal data under its control, we are not liable for security breaches, unauthorized access, or data loss occurring within systems operated by independent third-party providers, infrastructure vendors, or blockchain networks.
  13. USE BY MINORS AND ELIGIBILITY

    1. The Platform is designed and offered exclusively for use by individuals who are at least eighteen (18) years of age and who possess the full legal capacity to enter into binding contracts under the laws of their country or territory of residence. By accessing, browsing, or otherwise using Rabbit.io, you expressly represent and warrant that you satisfy these eligibility requirements and that your use of the Platform is fully compliant with all applicable laws, regulations, and governmental orders in your jurisdiction.
    2. We do not knowingly collect, solicit, or process any personal data from individuals under the age of eighteen (18). In jurisdictions where the legal age of majority is higher than eighteen, you must meet that higher age threshold before using the Platform. Any attempt by a minor to access or use Rabbit.io is strictly prohibited and constitutes unauthorized use of the Platform.
    3. This policy is implemented in compliance with Article 8 of the EU General Data Protection Regulation (GDPR), the U.S. Children's Online Privacy Protection Act (COPPA), and equivalent child data protection laws worldwide. We have adopted internal safeguards to prevent the inadvertent collection of minors' personal data, including filtering measures, contractual prohibitions in our third-party integrations, and monitoring of support communications for age-related indicators.
    4. If we become aware - through automated detection, third-party notification, or direct communication - that we have inadvertently collected personal data from an individual under the required age without verified parental or guardian consent, we will take immediate steps to:
      1. Secure the data to prevent further processing;
      2. Permanently delete the data from our systems and any applicable third-party processors to the extent technically and legally feasible; and
      3. Terminate or block the minor's access to the Platform, including via IP or wallet address restrictions where appropriate.
    5. Parents or legal guardians who believe their child has provided personal data to Rabbit.io without consent should contact us at [email protected]. Upon verification of both identity and relationship to the minor, we will take all appropriate remedial actions without undue delay.
    6. Any breach of these eligibility requirements constitutes a material violation of our Terms of Service and may result in the immediate suspension or permanent termination of Platform access, without prejudice to any other legal remedies available to Rabbit.io under applicable law.
    7. If a minor is found to be using our services, we may suspend related wallet addresses and block associated IPs to prevent further access.
  14. COOKIES AND TRACKING TECHNOLOGIES

    1. Rabbit.io uses cookies and comparable tracking technologies (including local storage objects, JavaScript-based trackers, and pixel tags) to ensure the secure and efficient operation of the Platform, enhance the quality of your user experience, and obtain aggregated insights into how our services are used. The use of cookies is governed by applicable privacy frameworks, including Article 5(3) of the ePrivacy Directive, relevant provisions of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other equivalent laws in jurisdictions where we operate.
    2. What Are Cookies. Cookies are small text files that are stored on your device when you visit or interact with a website. They serve multiple purposes: enabling essential site functions, remembering preferences, supporting security features, and providing anonymized analytical data that allows us to improve our Platform.
    3. Categories of Cookies Used on Rabbit.io:
      1. Strictly Necessary Cookies - Required for the core functionality of the Platform, such as initiating and tracking cryptocurrency exchange transactions, maintaining secure sessions, storing temporary order identifiers, and remembering your language or regional settings. These cookies are essential and do not require your consent. Disabling them may prevent the Platform from functioning properly.
      2. Performance and Analytics Cookies - Deployed via trusted third-party analytics services, including Google Analytics and Yandex Metrica, to collect aggregated usage statistics such as pages visited, session durations, navigation flows, and error reports. Where supported, IP addresses are anonymized to enhance privacy. This data is not used to directly identify you and is analyzed solely to optimize Platform performance, detect issues, and improve usability.
      3. Functionality Cookies - Remember your optional preferences (e.g., preferred currency display) to deliver a more personalized and consistent user experience.
      4. Security Cookies - Assist in identifying suspicious activity, mitigating automated attacks, and protecting the integrity of transactions and user sessions.
    4. We do not use advertising cookies, retargeting pixels, or cross-site tracking mechanisms for third-party marketing purposes. We do not engage in behavioral advertising or sell cookie-derived data to external parties.
    5. Consent and Control. Upon your first visit to Rabbit.io, you will be presented with a cookie consent banner. In jurisdictions requiring explicit opt-in for non-essential cookies (e.g., the EU/EEA and UK), no analytics or functionality cookies will be placed until you have granted your consent. In other regions, the banner will still provide an opt-out mechanism for non-essential cookies.
    6. You may update or withdraw your cookie preferences at any time via:
      1. The Cookie Settings link in the website footer;
      2. Your browser's cookie management tools;
      3. The opt-out functionality offered by third-party analytics providers (e.g., Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout and Yandex Metrica blocker tools).
    7. We honor recognized browser privacy signals, including Global Privacy Control (GPC) and Do Not Track (DNT), where technically feasible, treating them as an opt-out from all non-essential cookies.
    8. Our cookie consent mechanism allows granular control, enabling users to accept or reject specific categories of cookies. Essential cookies: session-based, expire upon browser closure. Analytics cookies: persistent, expire between 6 months and 2 years unless cleared earlier.
    9. Cookie Lifespan:
      1. Session Cookies - Expire automatically when you close your browser.
      2. Persistent Cookies - Remain on your device for a predefined duration or until you manually delete them. Persistent analytics cookies typically last between six (6) months and two (2) years, depending on the provider.
      3. We periodically review cookie retention periods to ensure compliance with legal requirements and the principle of data minimization under GDPR Article 5(1)(c).
    10. Cookie Transparency. Full details of the cookies in use, their providers, purposes, and storage durations are published in our Cookie Policy, accessible via the footer of our website or through the cookie banner settings panel. No cookies used by Rabbit.io collect sensitive personal data (e.g., government-issued IDs, financial account numbers, biometric data).
    11. For more information on how our analytics providers process collected data, please refer to the privacy policies of Google and Yandex, which are available on their respective official websites.
  15. CROSS-BORDER JURISDICTION AND GOVERNING LAW

    1. Rabbit.io is a legal entity duly established under the laws of the Republic of Seychelles. All matters relating to privacy, data protection, and the operation of the Platform are primarily governed by the laws of Seychelles, including (where applicable) the Seychelles Data Protection Act 2003, except to the extent that mandatory provisions of other applicable laws override such governance.

    2. While Seychelles is the primary legal jurisdiction, Rabbit.io voluntarily aligns its privacy and data protection practices with leading international frameworks, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other comparable global standards, thereby extending enhanced privacy rights to users worldwide. Such voluntary adherence does not constitute a waiver of any jurisdictional defenses and is undertaken solely as a commitment to best practices.

    3. If you are located outside Seychelles, your personal data may be transferred to, stored in, or otherwise processed within Seychelles and in other jurisdictions (as outlined in the International Data Transfers section). The privacy laws in these jurisdictions may differ from those in your home country. For example, Seychelles is not a member of the European Economic Area (EEA), and therefore, while Rabbit.io implements Standard Contractual Clauses (SCCs) and other GDPR-compliant safeguards, the enforcement of certain EU-specific rights may involve cooperation between EU supervisory authorities and Seychelles regulators.

    4. We maintain a cooperative approach with legitimate investigations and requests from recognized data protection authorities, subject always to compliance with applicable law, due process, and proportionality principles.

    5. Dispute Resolution. In accordance with our Terms of Service, any disputes arising in relation to privacy or data protection matters will be resolved through binding arbitration seated in Singapore and conducted under Seychelles law, unless otherwise required by overriding legal provisions. We strongly encourage users to contact us directly in the first instance to resolve any concerns amicably before commencing formal proceedings.

    6. Cross-Border Government and Law Enforcement Requests. If a foreign government or authority seeks access to personal data under Rabbit.io’s control, we will assess the request’s legal basis, jurisdictional reach, and necessity. As a matter of policy, we require that such requests follow established international cooperation mechanisms, such as Mutual Legal Assistance Treaties (MLATs) or letters rogatory, unless we determine that direct compliance is lawful, proportionate, and consistent with user rights. For example, a subpoena issued by a U.S. court will generally not have direct effect in Seychelles; accordingly, we may insist on formal international channels unless the request relates to a non-contentious matter where voluntary compliance is appropriate and lawful. In all cases, we prioritize the protection of user privacy and adherence to the rule of law.

    7. By accessing or using Rabbit.io, you acknowledge and agree that your data will be processed in accordance with this Privacy Policy and that Seychelles law governs the operation of the Platform, subject to mandatory provisions of other applicable laws. If any provision of this Privacy Policy is deemed unenforceable under relevant law, such provision will be enforced to the maximum extent permissible, and the remaining provisions will remain in full force and effect.

  16. THIRD-PARTY LINKS, INTEGRATIONS, AND SERVICES

    1. The Rabbit.io Platform may contain hyperlinks, embedded interfaces, or API integrations that connect you to external third-party websites, applications, platforms, or services. These include, but are not limited to, our integrated liquidity and exchange partners SwapSpace, LetsExchange, Exolix, GoExme, ChangeNOW, ChangeHero, and - upon future integration - Binance, WhiteBit, and other counterparties necessary to execute your requested transactions.

    2. These third parties operate as independent data controllers or processors under their own privacy policies, terms of service, and security standards. Rabbit.io has no ownership, control, or direct oversight over their operations, data handling practices, or legal compliance, and we do not make any warranties - express or implied - regarding their reliability, accuracy, security, or lawfulness.

    3. When you interact with a third-party service - whether by following a link from the Platform, engaging with an embedded tool, or authorizing a transaction routed through their systems - you acknowledge and agree that:

      1. You are subject solely to that third party’s policies and terms, including their data processing and retention practices, which may differ materially from ours.

      2. Your engagement is at your own risk, and you bear full responsibility for reviewing and understanding the applicable terms and privacy notices before proceeding.

      3. Rabbit.io shall not be liable for any loss, damage, data breach, delay, regulatory action, or other consequence arising out of, or in connection with, your use of any third-party service, even if it is integrated into our Platform interface.

    4. The inclusion of any third-party link, widget, API, or liquidity source within Rabbit.io does not constitute an endorsement, sponsorship, partnership, or formal affiliation, except where expressly stated in writing.

    5. We strongly encourage you to:

      1. Review the privacy policies and terms of service of each integrated provider (SwapSpace, LetsExchange, Exolix, Binance, WhiteBit, etc.) before initiating any transaction.

      2. Consider the jurisdiction, licensing status, and security posture of the provider when deciding whether to proceed.

    6. By using Rabbit.io, you expressly release us from any claim, demand, or liability connected to third-party services accessed through our Platform, except where such exclusion is prohibited by applicable law.

    7. In certain cases, third-party liquidity providers may require you to complete their own AML/KYC checks before executing a transaction. Rabbit.io neither conducts nor stores such verification data. All AML/KYC information you submit is handled exclusively by the relevant provider under their own privacy policy.

  17. LIABILITY AND RESPONSIBILITY FOR THIRD-PARTY SERVICES, INCLUDING AML/KYC PROVIDERS

    1. Rabbit.io integrates with independent third-party liquidity and service providers - including, without limitation, SwapSpace, LetsExchange, Exolix, GoExme, ChangeNOW, ChangeHero, Binance, and WhiteBit - exclusively for the technical execution of user-requested transactions. These entities operate as autonomous controllers and/or processors of personal data, governed by their own privacy policies, contractual terms, and regulatory obligations.

    2. Rabbit.io neither controls nor assumes responsibility for the operational availability, transactional performance, security measures, data protection standards, or compliance status of these third-party services. Any personal data or transaction-related information shared with such providers is transmitted solely for the purpose of enabling the requested transaction and is processed strictly in accordance with the applicable legal framework of the respective provider.

    3. AML/KYC Procedures: In certain circumstances, a third-party provider may require you to complete its own anti-money laundering (“AML”) and know-your-customer (“KYC”) verification before executing a transaction. Rabbit.io does not conduct such verifications, does not receive or store any documents or data submitted for AML/KYC purposes, and has no influence over the outcome of such checks. All AML/KYC data is collected, processed, and stored exclusively by the relevant third-party provider under its own policies and jurisdiction.

    4. In the event of any data breach, service outage, regulatory enforcement action, compliance failure, or other incident arising from or attributable to a third-party provider, Rabbit.io shall bear no liability for any loss, damage, delay, or disclosure of personal data, except where such liability cannot be lawfully excluded under applicable legislation.

    5. By initiating a transaction through Rabbit.io that involves any integrated third-party provider, you expressly acknowledge and agree that:

      1. The relevant provider’s terms of service and privacy policy will govern the processing of your data.

      2. You are solely responsible for reviewing and accepting such terms before proceeding.

      3. Rabbit.io’s role is strictly limited to facilitating the technical integration and transmission of transaction instructions and does not extend to post-transmission control, monitoring, or storage of your personal data.

  18. UPDATES TO THIS PRIVACY POLICY

    1. Rabbit.io may amend or update this Privacy Policy from time to time to reflect changes in our operational practices, technological developments, applicable legal requirements, or other legitimate business needs. Any revised version will be published on our official website, with the “Last Updated” date at the top indicating its effective date. Unless expressly stated otherwise, all updates become effective upon publication.

    2. Where an update introduces material changes - that is, changes that substantially alter the way we collect, use, store, or disclose personal data - we will provide additional and timely notice to you. Such notice may include a prominent banner on our homepage, an in-platform notification, or, where possible and appropriate, direct communication via the contact details you have voluntarily provided to us (e.g., through a prior support inquiry).

    3. Examples of material changes include, but are not limited to:

      1. expansion of the categories of personal data collected;

      2. new or modified purposes for which data is processed, particularly if they differ from those previously disclosed;

      3. engagement in data sharing practices that materially differ from prior disclosures; or

      4. the introduction of any form of data sale (note: Rabbit.io does not sell personal data).

    4. We strongly encourage you to review this Privacy Policy periodically to remain informed about our data protection practices. Your continued use of Rabbit.io following the posting of an updated Privacy Policy constitutes your acceptance of the updated terms, to the extent permitted by law.

    5. Where required by applicable law - such as when a change introduces a new processing activity based on consent - we will seek your express consent before implementing the change.

    6. For transparency and historical reference, we maintain an archived record of previous versions of this Privacy Policy, available upon request, so that you may track the evolution of our privacy practices.

  19. CONTACT US

    1. For any questions, concerns, or requests relating to this Privacy Policy, your personal data, or our data protection practices, you may contact us at [email protected]. When contacting us by email, please include “Privacy Inquiry” in the subject line to ensure priority handling.

    2. For general support inquiries that may involve personal data, you may also contact us at [email protected]. Such requests will be routed to the appropriate privacy personnel.

    3. If you choose to contact us by postal mail, please allow additional time for delivery and processing due to international handling.

    4. We aim to respond to all privacy-related requests within 30 days, in accordance with GDPR requirements, or 45 days under CCPA/CPRA, subject to permissible extensions in complex cases. For data rights requests, please refer to the Your Rights section of this Policy for the specific information you should include to help us verify and fulfill your request efficiently.

    5. If you believe your privacy rights have been infringed, we encourage you to contact us first so that we may address your concerns directly and in good faith. However, you also retain the right to escalate your concern to your national data protection authority or other competent regulator, as applicable.

    6. At Rabbit.io, we treat privacy not merely as a legal obligation but as a fundamental trust. We welcome feedback, questions, and constructive dialogue to ensure our practices remain clear, lawful, and aligned with the expectations of our global user base.

    7. If required by applicable law, Rabbit.io will appoint an EU and/or UK Representative to serve as a point of contact for data protection matters.