Privacy Policy

2.1 Information You Provide Directly

When you create an account or use Taffi, we collect:

• Phone number — used for identity verification via SMS one-time passcode (OTP)
• Email address — used for account verification and transactional communications
• Full name / display name — shown on your profile and in payment screens
• Date of birth — used to verify you are at least 18 years old
• Home address — used for identity verification and regulatory compliance
• @handle — your public username within the App
• Debit card information (optional) — collected and processed by a third-party payment processor for deposits via Apple Pay; Taffi does not store raw card numbers
• Bank account information — linked via third-party bank connection providers for deposits and withdrawals; Taffi receives and stores account identifiers and balance data as needed to process transfers

2.2 Information Generated by Your Use of Taffi

• Transaction history — records of payments sent and received, including amounts, timestamps, and counterparties
• Account balance — your current USDC balance held within the App
• Device information — device type, operating system version, and push notification token (for payment alerts)
• Authentication events — records of logins and biometric authentication confirmations (Face ID / Touch ID); biometric data itself is processed entirely by your device's operating system and is never transmitted to Taffi

2.3 Contacts (Phone Number Discovery)

With your permission, Taffi accesses your device's contact list solely to identify which of your existing contacts are already Taffi users, making it easier to send payments. Phone numbers from your contacts are hashed (one-way cryptographically transformed) directly on your device before any comparison occurs. Raw contact phone numbers are never transmitted to Taffi's servers. Only the resulting hashes are used for matching. You may revoke contacts permission at any time through your device's Settings.

2.4 What We Do Not Collect

We do not collect:

• Social Security Numbers (SSN) or Social Insurance Numbers (SIN)
• Credit scores or credit report data
• Employment history or income information
• Tracking pixels, advertising IDs, or cross-app behavioral data
• Web browsing data (Taffi is a mobile-only application)

4.1 Service Providers and Partners

We share information with third parties who help us provide, maintain, and improve the Services, including:

• Service providers and technology partners who help us operate and deliver the Services, including providers that store and process account and transaction data, host our infrastructure, or provide software that supports our operations;
• Identity verification and compliance providers who help us verify your identity, prevent fraud, and meet our anti-money laundering (AML), "know your customer" (KYC), and other regulatory compliance obligations;
• Financial partners, such as financial institutions, payment networks and processors, payment card associations, and other financial entities, in connection with processing your deposits, withdrawals, and transfers, or to otherwise help us provide the Services;
• Customer support providers who assist us in responding to your questions and resolving account issues; and
• Legal and fee collection providers who help us enforce our rights and comply with applicable law.

All service providers and partners are required to handle your information in accordance with applicable law and our data protection requirements.

4.2 Legal and Regulatory Disclosure

We may disclose information to law enforcement, regulators, or other third parties when required by applicable law, court order, or to protect the rights, safety, or property of Taffi, our users, or the public.

4.3 Business Transfers

If Taffi is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via the App or email.

4.4 With Your Consent

We may share information for any other purpose with your explicit consent.

7.1 United States Residents

All US Users: You may request access to the personal information we hold about you, correct inaccuracies, or request deletion (subject to legal retention requirements) by contacting hello@taffi.me.

California Residents (CCPA/CPRA):

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, or sell
• Delete personal information we hold about you (subject to exceptions)
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information (Taffi does not sell or share personal information for advertising purposes)
• Non-discrimination for exercising your privacy rights

To submit a California privacy request, contact hello@taffi.me with the subject line "California Privacy Request." We will respond within 45 days.

Vermont Residents: We do not share information about Vermont residents with non-affiliated third parties for marketing purposes without your express consent, consistent with Vermont's financial privacy requirements.

GLBA Privacy Notice (US Financial Customers):

Taffi is required to tell you how we collect, share, and protect your personal financial information.

Information we collect: Account balances, transaction history, bank account identifiers, deposit and withdrawal activity.

To limit sharing or ask questions: Contact hello@taffi.me.

7.2 Canadian Residents (PIPEDA and Provincial Laws)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, you have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Withdraw consent to certain collections or uses (noting that withdrawal may affect your ability to use Taffi)
• File a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca

Quebec Residents (Law 25): Quebec residents have additional rights under Loi 25, including the right to data portability and the right to be informed of any automated decision-making that significantly affects you. To exercise these rights, contact our Privacy Officer at hello@taffi.me.

CASL (Canada's Anti-Spam Legislation): Commercial electronic messages we send will include an unsubscribe mechanism. Transactional messages (OTP codes, payment confirmations, security alerts) are not subject to CASL opt-out requirements, as they are necessary for the operation of your account.