Privacy Policy

Effective Date: May 2, 2026

Last Updated: May 2, 2026

1. Introduction

This Privacy Policy describes how WORLDAI PTE LTD ("Luna," "we," "us," or "our") collects, uses, discloses, and protects personal data when you access or use the Luna platform at luna-money.com and any related services (collectively, the "Service").

We are committed to protecting your personal data in accordance with the Singapore Personal Data Protection Act 2012 ("PDPA") and other applicable data protection laws.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. About Us

Company: WORLDAI PTE LTD Unique Entity Number (UEN): 202533744G Registered Address: 103A Bidadari Park Drive, Singapore Data Protection Officer Contact: privacy@luna-money.com General Inquiries: support@luna-money.com

3. What Luna Does

Luna is a non-custodial decentralized finance ("DeFi") yield platform. We help users deploy USDC stablecoin into yield-generating opportunities across third-party DeFi protocols on the Arbitrum One blockchain.

Important: Luna does not custody, hold, or have access to your funds at any time. Your funds remain under your sole control via your self-custody wallet. We provide software interfaces and smart contracts that route your funds between protocols on your instruction.

4. Personal Data We Collect

4.1 Information You Provide Directly

Email Address: Collected when you authenticate to the Service via Privy (our embedded wallet provider). Used for account access and service-related communications.

4.2 Information Collected Automatically

Wallet Address: Your Ethereum-compatible wallet address is associated with your account. Wallet addresses and on-chain transactions are public information recorded permanently on the Arbitrum One blockchain.

Server Logs: When you access the Service, our hosting provider (Vercel) automatically records technical information including IP address, browser type, device information, pages visited, timestamps, and referring URLs.

Cookies and Local Storage: We use essential cookies and browser local storage to maintain your session, remember preferences, and operate the Service. We do not currently use third-party analytics, advertising, or tracking cookies.

4.3 Information from Third Parties

Identity Verification (KYC) for Fiat Services: When you use fiat on-ramp or off-ramp features, our payment partners (currently MoonPay) collect identity verification information directly from you, including name, date of birth, government-issued identification, address, and payment method details. This information is collected, processed, and stored by the payment partner under their own privacy policy. Luna does not receive or store this KYC information.

Privy: Our wallet authentication provider (Privy.io) collects authentication data on our behalf. Their handling of your data is governed by Privy's privacy policy.

5. Why We Collect Personal Data

We collect and process personal data for the following purposes:

• Account Operation: Creating and maintaining your account, authenticating you, and providing access to the Service.
• Service Delivery: Routing your transactions, displaying your positions and yields, and operating the user interface.
• Communication: Responding to your inquiries, sending service-related notifications, and providing customer support.
• Security and Fraud Prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
• Legal and Regulatory Compliance: Complying with applicable laws, regulations, and lawful requests from authorities.
• Service Improvement: Understanding how users interact with the Service to improve functionality and user experience.

6. Legal Basis for Processing

Under the PDPA, we process your personal data based on:

• Consent: You have consented to the processing for the purposes described in this policy.
• Legitimate Interests: Processing necessary for our legitimate business interests (such as security and service operation), provided these interests are not overridden by your privacy rights.
• Legal Obligations: Processing required to comply with legal obligations applicable to us.
• Contractual Necessity: Processing necessary to perform our agreement with you under the Terms of Service.

7. Who We Share Personal Data With

We do not sell your personal data. We share personal data only with the following categories of recipients:

7.1 Service Providers

• Privy (privy.io): Wallet authentication and embedded wallet infrastructure. Receives your email address and authentication data.
• Vercel (vercel.com): Hosting and content delivery. Receives technical information from server logs.
• MoonPay (moonpay.com): Fiat on-ramp and off-ramp services. Receives information you provide during fiat transactions, including identity verification data.

7.2 Blockchain Networks

When you transact through the Service, your wallet address, transaction details, and amounts are recorded on the Arbitrum One blockchain and the Ethereum mainnet. This information is public, permanent, and cannot be deleted. Anyone can view on-chain transactions.

7.3 Third-Party DeFi Protocols

The Service interacts with third-party DeFi protocols including Aave, Morpho, Pendle, and Ondo Finance. Your wallet address and transaction details are visible to these protocols and recorded on-chain. We do not control how these third-party protocols handle data.

7.4 Legal and Regulatory Disclosure

We may disclose personal data when required to comply with applicable laws, regulations, court orders, or lawful requests from government authorities, including for law enforcement, fraud prevention, or protection of legal rights.

7.5 Business Transfers

If WORLDAI PTE LTD is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such transfer affecting your personal data.

8. Cross-Border Data Transfers

The Service involves international data transfers. Your personal data may be processed in:

• United States: Privy, Vercel, and MoonPay process data in the United States.
• Other Jurisdictions: Service providers may process data in other countries depending on their infrastructure.

We rely on appropriate safeguards for cross-border transfers, including standard contractual clauses, adequacy decisions, and the privacy frameworks of the receiving jurisdictions, to the extent required by the PDPA and applicable laws.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

• Account Data: Retained while your account is active and for up to 24 months after account closure, unless longer retention is required by law.
• Server Logs: Retained for up to 12 months for security and operational purposes.
• Transaction Records: On-chain transactions are permanently recorded on the blockchain and cannot be deleted by us or anyone else.
• Legal and Compliance Records: Retained for the period required by applicable law (typically 5-7 years for financial records).

After the applicable retention period, we delete or anonymize personal data unless we are required to retain it for legal reasons.

10. Your Rights Under PDPA

If you are an individual in Singapore or otherwise covered by the PDPA, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Withdraw Consent: Withdraw your consent to our processing of your personal data, subject to legal or contractual limitations.
• Right to Data Portability: Request your personal data in a structured, commonly used format (where applicable).

To exercise any of these rights, contact our Data Protection Officer at privacy@luna-money.com. We will respond within 30 days, as required by the PDPA. We may need to verify your identity before processing your request.

Note: Some rights are limited by the nature of blockchain technology. We cannot delete or modify on-chain data — this is a fundamental property of blockchain networks, not a choice we make. We can only modify data we control directly (such as account email associations).

11. Other Jurisdictions

If you access the Service from outside Singapore, your personal data may be governed by additional laws:

• European Economic Area / United Kingdom: If you are a data subject under the GDPR or UK GDPR, you may have additional rights, including the right to erasure ("right to be forgotten") for off-chain data, the right to object to processing, and the right to lodge a complaint with a supervisory authority.
• California, USA: If you are a California resident, you may have rights under the California Consumer Privacy Act, including the right to know what personal information is collected and the right to request deletion of off-chain data.

To exercise rights under non-Singapore privacy laws, contact privacy@luna-money.com and identify the applicable jurisdiction.

12. Security

We implement reasonable technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit (HTTPS / TLS)
• Secure authentication via Privy
• Limited access controls for data we directly handle
• Regular security reviews of our smart contracts and infrastructure

No system is completely secure. Despite our efforts, we cannot guarantee absolute security. You are responsible for maintaining the security of your wallet credentials, recovery methods, and authentication factors.

13. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete that information promptly.

If you believe a child has provided us with personal data, please contact privacy@luna-money.com.

14. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services not controlled by Luna. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing personal data to them.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. Material changes will be communicated by:

• Posting the updated policy at luna-money.com/privacy
• Updating the "Last Updated" date at the top of this policy
• Where appropriate, sending notice to your registered email address

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

16. Contact Us

For privacy-related questions, requests, or complaints:

Data Protection Officer WORLDAI PTE LTD Email: privacy@luna-money.com Address: 103A Bidadari Park Drive, Singapore

General Inquiries: support@luna-money.com

If you have a privacy concern that we have not resolved to your satisfaction, you have the right to file a complaint with the Personal Data Protection Commission of Singapore (www.pdpc.gov.sg) or, if applicable, your local data protection authority.

This Privacy Policy is provided in English. In the event of any inconsistency between this Privacy Policy and any translated version, the English version shall prevail.