Privacy Policy
Last updated: January 10, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Tharwa (Complete Legal name) ("Tharwa," "we," "us," or "our") collects, uses, processes, and discloses your Personal Data.
This Policy applies to your use of the Tharwa website (https://www.tharwa.finance/), our decentralized application ("dApp"), and all associated services, products, and tools (collectively, the "Services").
Tharwa is committed to protecting your privacy and handling your data in an open and transparent manner. Our data processing activities are primarily governed by applicable data protection laws in the jurisdictions in which we operate, including but not limited to the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL").
By accessing or using our Services, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your Personal Data as described in this Policy and our Terms & Conditions ("Terms"). This Policy is an integral part of our Terms.
2. Definitions
Key terms used in this Policy (such as "Personal Data", "Controller", and "Processing") shall have the meanings set out in applicable data protection laws, such as the PDPL.
- "Personal Data" means any information relating to an identified or identifiable natural person. This can include data collected both on-chain and off-chain.
- "Controller" means the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data are, or are to be, Processed. For the purpose of this Policy, Tharwa is the Controller.
- "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "On-Chain Data" means data that is publicly and immutably recorded on a blockchain, such as your public wallet address and transaction history.
- "Off-Chain Data" means data that is stored outside of a blockchain, such as information you provide during a verification process (e.g., name, email) or data collected automatically from your device (e.g., IP address).
3. The Personal Data We Collect
We collect Personal Data to provide and improve our Services, to administer your use of the Services, and to comply with our legal and regulatory obligations. We may collect the following categories of Personal Data:
3.1. Data You Voluntarily Provide
- Identity Verification & Compliance Data (KYC/AML): To comply with our legal and regulatory obligations and global anti-money laundering ("AML") and counter-terrorist financing ("CTF") laws, we may require you to provide Personal Data for identity verification. This may include:
  - Full legal name;
  - Date of birth;
  - Residential address;
  - Email address;
  - A government-issued identification document (e.g., passport, national ID card, driver's license);
  - Proof of address (e.g., utility bill); and
  - A photograph or "selfie" for biometric verification.
  This data is typically collected and processed by our trusted third-party verification partners.
- Communications Data: When you contact us for support, provide feedback, or make any other inquiry, we collect any information you voluntarily provide, such as your name, email address, wallet address, and the content of your message.
3.2. Data We Collect Automatically (On-Chain Data)
- Public Blockchain Data: Our Services are, by their nature, non-custodial and interact with public blockchains. When you connect your wallet and use our Services, we automatically collect and process On-Chain Data, which is publicly accessible. This includes:
  - Your public wallet address;
  - Transaction details (e.g., transaction ID, gas fees, assets transferred, smart contracts interacted with);
  - Token balances and types of assets held (e.g., thUSD, $TRWA, sthUSD, Tharwa Bonds, vault-related receipt tokens); and
  - A history of your interactions with our protocol's smart contracts.
3.3. Data We Collect Automatically (Off-Chain Data)
- Usage and Device Data: When you access our website or dApp, we automatically collect technical information from your browser or device. This includes:
  - Log Data: IP address, browser type and version, operating system, pages visited, time spent on pages, and timestamps of access.
  - Device Information: Device type (e.g., mobile, desktop), screen resolution, and language settings.
  - Usage Analytics: Information about how you interact with our Services, such as features used, buttons clicked, and navigation paths.
- Location Data: We may approximate your geographic location based on your IP address to, among other things, enforce jurisdictional restrictions as required by our Terms.
- Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to collect Usage and Device Data, remember your preferences, and secure your access. Please see Section 10 ("Cookies and Tracking Technologies") for more details.
3.4. Data from Third-Party Sources
- Sanctions and Watchlist Screening: As part of our compliance obligations, we use third-party service providers to screen your Personal Data (including wallet addresses) against public sanctions lists, politically exposed persons (PEP) lists, and other watchlists to prevent Prohibited Conduct (as defined in our Terms).
- Analytics Providers: We use third-party analytics services (e.g., Google Analytics) to help us understand and improve the use of our Services.
- Third-Party Dependencies: As stated in our Terms, the Services rely on third-party dependencies such as RPC providers, oracles, and custodians. These services may collect their own data, which is subject to their respective privacy policies.
4. How and Why We Use Your Personal Data (Legal Basis)
We Process your Personal Data only when we have a valid legal basis to do so under applicable data protection laws. Our purposes for using your data and the legal bases we rely on are as follows:
- To provide and administer the Services: We use On-Chain Data and Usage Data to execute smart contracts, display your vault positions, process transactions for thUSD or $TRWA, and perform other core functions. The legal basis for this is the Performance of a Contract (our Terms).
- To comply with legal and regulatory obligations: We use Identity Verification Data, On-Chain Data, and Location Data to conduct AML/KYC checks, perform sanctions screening, fulfill tax reporting requirements, and respond to lawful requests from regulators like the ADGM or law enforcement. The legal basis for this is a Legal Obligation.
- To enforce our Terms & Conditions: We use Identity Verification Data, On-Chain Data, Usage Data, and Location Data to block users from restricted jurisdictions, investigate Prohibited Conduct, and monitor for market manipulation. The legal basis for this is our Legitimate Interest to protect our Services, users, and legal rights.
- To improve our Services and Products: We use Usage Data, Device Data, and Anonymized/Aggregated Data for analytics, to understand user behavior, fix bugs, and conduct research. The legal basis for this is our Legitimate Interest to develop and improve our business.
- To develop and train our AI models: We use Anonymized/Aggregated On-Chain Data to improve and train our "Confluence Engine" (our AI-driven portfolio management system). The legal basis for this is our Legitimate Interest in core product development and R&D.
- To align with product and compliance frameworks: We may process Personal Data and On-Chain Data to audit, monitor, and ensure our product structures (such as our vaults and asset portfolios) align with our stated frameworks, including our Legitimate Interest in building architecture that can be aligned with Sharia principles (e.g., avoidance of interest).
- To provide customer support: We use Communications Data and On-Chain Data to respond to your inquiries and feedback. The legal basis for this is our Legitimate Interest to assist our users and, where applicable, the Performance of a Contract.
- To send marketing and product communications: We use Communications Data (such as your email address) to send newsletters and product updates. The legal basis for this is your Consent, which you can opt out of at any time.
5. Data Sharing and Disclosure
We do not sell your Personal Data. We may share your Personal Data with the following categories of third parties, only as necessary and in accordance with the legal bases described above.
- Third-Party Service Providers: We engage vendors to perform functions on our behalf. These include:
  - Identity Verification (KYC/AML) and sanctions screening partners.
  - Cloud hosting providers (e.g., AWS, Google Cloud).
  - Data analytics and monitoring services.
  - Blockchain analytics services.
  - Custodians and Real-World Asset providers who manage the assets backing thUSD.
  - Oracles and market makers.
  - Professional advisors (e.g., legal counsel, auditors, accountants).
- Legal and Regulatory Authorities: We will share your Personal Data with law enforcement, regulatory bodies, government officials, and other parties when we are compelled to do so by a subpoena, court order, or other legal procedure, or when we believe in good faith that the disclosure is necessary to comply with a Legal Obligation, prevent physical harm or financial loss, or report suspected illegal activity.
- To Enforce our Rights: We may share Personal Data to enforce our Terms, protect our intellectual property, or defend against legal claims, as outlined in the "Indemnification" and "Dispute Resolution" sections of our Terms.
- Business Transfers: In the event of a merger, acquisition, financing, reorganisation, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices.
- Aggregated and Anonymized Data: We may share data that has been aggregated and anonymized (and is therefore no longer Personal Data) with third parties for research, analysis (including for our AI models), or public reporting.
6. International Data Transfers
Our third-party service providers may be located and Process your Personal Data in jurisdictions outside of the UAE. When we transfer your Personal Data internationally, we will ensure that appropriate safeguards are in place as required by applicable data protection laws, such as implementing Standard Contractual Clauses (SCCs) or ensuring the recipient jurisdiction provides an adequate level of data protection.
7. Data Security
We take the security of your Personal Data very seriously. We implement robust technical, administrative, and physical security measures designed to protect your Personal Data from unauthorized access, disclosure, use, alteration, or destruction. These measures include:
- Encryption of data in transit (SSL/TLS) and at rest.
- Strict access controls and "least privilege" principles.
- Regular security assessments and smart contract audits.
- Internal policies and training for staff on data protection.
However, as stated in our Terms ("Risk Disclosures"), no system is 100% secure. We cannot guarantee the absolute security of your Personal Data. Your use of non-custodial wallets and your own security practices (e.g., protecting your private keys) are critical.
8. Data Retention
We will retain your Personal Data only for as long as is necessary for the purposes set out in this Policy. The retention period is determined by:
- The duration of your relationship with us and your use of the Services.
- Our legal and regulatory obligations (e.g., AML/CTF laws require us to retain KYC data for a specific period, typically 5-7 years after the business relationship ends).
- The need to resolve disputes, enforce our Terms, or defend against legal claims.
Important Note on On-Chain Data: Personal Data recorded on a public blockchain (On-Chain Data) is immutable by design. We cannot erase or alter this data, nor can any third party. This data will remain on the blockchain permanently.
9. Your Data Protection Rights
Under applicable data protection laws (such as the PDPL), you may have specific rights regarding your Personal Data, subject to certain limitations (especially concerning On-Chain Data).
- Right of Access: You have the right to request a copy of the Personal Data we hold about you.
- Right to Rectification: You have the right to request correction of any inaccurate or incomplete Personal Data.
- Right to Erasure ("Right to be Forgotten"): You have the right to request that we delete your Personal Data, where we no longer have a legal basis to Process it.
- Right to Restrict Processing: You have the right to request that we temporarily halt the Processing of your Personal Data in certain circumstances.
- Right to Data Portability: You have the right to request that we provide your Personal Data to you, or transfer it to another Controller, in a structured, commonly used, and machine-readable format.
To exercise any of these rights, please contact us at team@tharwa.finance. We will respond to your request within the timeframes mandated by applicable law. We may need to verify your identity before processing your request.
10. Cookies and Tracking Technologies
A "cookie" is a small text file stored on your device. We use the following types of cookies and similar technologies (e.g., pixels, web beacons):
- Essential Cookies: Secure your access and maintain session integrity. These are necessary for the Services to function.
- Preferences Cookies: Remember your settings (e.g., language, wallet connection).
- Analytics Cookies: Help us understand how you use our Services (e.g., which pages are popular) so we can improve them.
- Marketing Cookies: (If applicable) To deliver relevant information about our products.
You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may render parts of the Services unusable.
11. Children's Privacy
Our Services are not intended for individuals under the age of 18 or the legal age of majority in your jurisdiction ("Eligibility" in our Terms). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child, we will take steps to delete it immediately.
12. Third-Party Links and Services
As noted in our Terms, our Services may contain links to third-party websites or services (e.g., wallets, RPC providers, custodian websites) that are not controlled by Tharwa. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you interact with.
13. Changes to This Privacy Policy
We may amend this Privacy Policy at any time. If we make material changes, we will notify you by posting the revised Policy on our website and updating the "Last Updated" date. Your continued use of the Services after such changes become effective constitutes your acceptance of the new Policy.
14. Contact Us & Supervisory Authority
If you have any questions, concerns, or complaints about this Privacy Policy or our data-handling practices, please contact us first. You may also be required to appoint a Data Protection Officer (DPO) under applicable regulations.
Tharwa Data Protection Email: team@tharwa.finance
Address: Business Bay, Dubai, UAE