Crouton Digital – Privacy policy

Last updated: 28 November 2025

This Privacy Policy explains how Crouton Digital or Crouton Nodes (“Crouton Digital”, “we”, “us”, or “our”) collects, uses, stores, and shares information about you when you use our Services.

“Services” means all products, services, tools, content, and websites operated by Crouton Digital under the crouton.digital domain and any subdomains, as well as any related validator, staking, and infrastructure services that we make available.

Your use of the Services is also governed by our Terms of Use. Please read both this Privacy Policy and the Terms of Use carefully. If you do not agree with this Privacy Policy, you should stop using the Services and not provide us with your personal data.

1. Who We Are and Scope of This Policy

For the purposes of applicable data protection law (including the EU General Data Protection Regulation – GDPR), Crouton Digital acts as a data controller for the personal data described in this Privacy Policy when we decide how and why that data is processed.
We operate from within the European Union (Estonia). If you have any questions or wish to exercise your rights, you can contact us at: [email protected]

This Privacy Policy applies to:

• Visitors to our websites;
• Individuals who use or are interested in our staking and infrastructure Services;
• People who communicate with us (for example, through contact forms, email, or social channels).

It does not apply to third-party websites, wallets, exchanges, or other services that are not operated by us, even if we link to them or they link to us.

2. Personal Data We Collect

“Personal data” means any information relating to an identified or identifiable natural person. We collect personal data in several ways.

2.1. Data You Provide to Us

We may collect personal data that you choose to provide directly, for example when you:

• Fill in a contact or inquiry form;
• Request information about our Services;
• Subscribe to updates or newsletters;
• Engage with us as a prospective or existing institutional client or partner.

Depending on how you interact with us, this can include:

• Contact details – name, email address, job title, organization, country, and any other information you include in messages you send to us.
• Business and account information – if you discuss or enter into a commercial relationship with us (e.g., infrastructure or institutional staking services), we may collect additional information such as business contact details, billing details, support history, and technical configuration information relevant to the service.
• Wallet information – if you interact with us in a way that requires it (for example, institutional integrations, support queries), you may provide information about one or more wallet addresses that delegate or stake to our validators. We generally do not need your private keys and will never ask you to share them.
• Communications – the content of emails, chat messages, or other communications you send us, and any responses we provide.

You may choose not to provide certain information, but this might limit your ability to use some parts of the Services or receive certain communications.

2.2. Data We Collect Automatically

When you access or use the Services, we may automatically collect certain information, for example:

• Device and connection information – IP address, browser type and settings, device information, operating system, language, and approximate location based on your IP.
• Usage data – pages or screens you view, dates and times of access, referring/exit pages, interactions with forms, clicks, and other actions on the website, as well as log data from infrastructure endpoints (e.g. RPC or API calls) that may include IP address, timestamps, request metadata, and wallet addresses involved in requests.
• Staking-related technical logs – to operate validators and infrastructure securely, we may log technical events such as connection attempts, error messages, and certain network-level identifiers.

We use this information to operate, secure, and improve our Services and to understand how they are used.

2.3. Cookies and Similar Technologies

Our websites and online Services may use cookies and similar technologies (such as pixels and local storage) to:

• Make the site work correctly and securely;
• Remember your preferences;
• Understand how visitors use the site;
• Support analytics and, where enabled, marketing.

Cookies are small data files stored on your device by your browser. You can manage or delete cookies through your browser settings. If you disable certain cookies, parts of the website may not function properly.

We may also use third-party analytics tools (for example, providers similar to Google Analytics) to help us understand website usage patterns. These tools may collect and process information such as your IP address, device identifiers, and usage data. Where required by law, we will seek your consent before using non-essential cookies or similar technologies.

More details on cookies and controls may be provided in a separate cookie notice on our website.

2.4. Data from Other Sources

We may receive information about you from other sources, including:

• Publicly available sources (e.g. public blockchain data, block explorers, or public records);
• Our partners or institutional clients, where they provide contact or configuration information in the context of a business relationship;
• Social networks or communication platforms, when you engage with our official accounts or communities.

We may combine this information with other data we hold about you for the purposes described in this Privacy Policy.

3. How and Why We Use Your Personal Data

We process personal data for various purposes and under different legal bases, as permitted by GDPR.

3.1. To Provide and Operate the Services

We use personal data to:

• Operate and maintain our websites and infrastructure;
• Respond to your inquiries and support requests;
• Provide information you request about staking, validators, and related services;
• Manage and fulfill contractual relationships with institutional or business customers.

Legal basis: performance of a contract or taking steps prior to entering into a contract; and/or legitimate interests in providing and operating our Services.

3.2. To Secure and Protect Our Infrastructure

We process personal data (including logs and IP addresses) to:

• Monitor, troubleshoot, and secure our validators, nodes, websites, and related systems;
• Detect and prevent abuse, fraud, unauthorized access, or other harmful activity;
• Apply technical safeguards and investigate incidents.

Legal basis: legitimate interests in securing our Services and protecting networks, users, and systems; and, where applicable, compliance with legal obligations.

3.3. To Improve and Develop the Services

We may analyze how the Services are used to:

• Understand performance and usage patterns;
• Develop new features or products;
• Optimize user experience and infrastructure;
• Perform aggregated or anonymized analytics.

Where possible, we use aggregated or anonymized information that does not identify you directly.

Legal basis: legitimate interests in analyzing and improving our Services; consent where required (for example, certain analytics cookies).

3.4. To Communicate with You

We may use your contact details to:

• Respond to messages and requests;
• Send important service-related notices (e.g. changes to terms or policies, security notices);
• Share updates, research, or marketing communications that we think may interest you, where permitted.

You can opt out of non-essential marketing communications at any time by following the unsubscribe instructions in the message or contacting us.

Legal basis: performance of a contract or legitimate interests (service communications); consent or legitimate interests (marketing, where permitted and subject to your rights).

3.5. To Comply with Legal Obligations

We may process personal data as needed to:

• Comply with applicable laws and regulations;
• Respond to lawful requests from public authorities;
• Establish, exercise, or defend legal claims.

Legal basis: compliance with legal obligations; legitimate interests in protecting our rights.

4. How We Share Personal Data

We do not sell your personal data. We may share personal data in the following circumstances:

4.1. Service Providers and Contractors

We may engage third parties to provide services on our behalf, such as:

• Hosting, cloud infrastructure, and storage providers;
• Analytics and monitoring services;
• Communication and support tools;
• Professional advisers (e.g., legal, accounting).

These providers may process personal data as processors under our instructions and subject to appropriate contractual safeguards.

4.2. Institutional Clients and Partners

Where we provide institutional or white-label services, we may share limited personal data:

• With institutional clients or partners, but only to the extent reasonably necessary to manage the relationship, perform the services, or support integration; or
• When you directly interact with a particular institutional client or partner and they already have your information.

In such cases, those parties may also act as controllers of your personal data and will process it in line with their own privacy policies.

4.3. Legal and Regulatory

We may disclose personal data if we believe it is reasonably necessary to:

• Satisfy any applicable law, regulation, legal process, or governmental request;
• Enforce our Terms of Use or other agreements;
• Protect the rights, property, or safety of Crouton Digital, our users, or others.

4.4. Business Transfers

If we undergo a business transition, such as a reorganization, merger, acquisition, or other transfer of assets, personal data may be transferred as part of that transaction, subject to this Privacy Policy and applicable law.

4.5. Public Blockchains

Please note that certain actions you take in connection with staking or interacting with Supported Blockchains are recorded on public blockchains. Public blockchain data (such as wallet addresses, transaction history, and sometimes associated metadata) is by design visible to anyone and may be analyzed by third parties. This is not controlled by Crouton Digital.

5. International Data Transfers

Because our infrastructure and that of our service providers may be located inside and outside the European Economic Area (EEA), your personal data may be transferred to, and processed in, countries outside your country of residence, including countries that may not provide the same level of data protection as the EEA.

Where required by law, we will ensure that appropriate safeguards are in place for such transfers, for example:

• Using the European Commission’s Standard Contractual Clauses (SCCs); or
• Relying on an adequacy decision or other lawful transfer mechanism.

You can contact us for more information about international transfers and safeguards.

6. How We Protect Your Personal Data

We use a combination of technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

• Access controls and authentication;
• Network and infrastructure security measures;
• Logging and monitoring of key systems;
• Staff and contractor confidentiality obligations.

However, no system or transmission over the internet can be guaranteed to be completely secure. You are responsible for safeguarding your own devices, accounts, and Wallet credentials.

7. Data Retention

We keep personal data only for as long as reasonably necessary to:

• Provide the Services;
• Fulfil the purposes described in this Privacy Policy;
• Comply with legal and regulatory requirements;
• Resolve disputes and enforce agreements.

Retention periods may vary depending on the type of data and context. For example:

• Contact and communication data may be retained while we maintain an ongoing relationship with you and for a period afterwards, as required by law or our legitimate interests (e.g., record-keeping).
• Technical logs may be retained for shorter periods, unless needed for security investigations or legal reasons.

Where data is no longer needed, we will delete it or anonymize it so that it no longer identifies you.

8. Your Rights

If you are in the European Economic Area or another jurisdiction that grants similar rights, you may have some or all of the following rights regarding your personal data:

• Right of access – to obtain confirmation of whether we process personal data about you and, if so, receive a copy.
• Right to rectification – to ask us to correct inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”) – to request that we delete your personal data in certain circumstances.
• Right to restriction of processing – to request that we limit the processing of your personal data in certain circumstances.
• Right to data portability – to receive personal data that you provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible and legally required.
• Right to object – to object to certain processing based on our legitimate interests, and to object to processing for direct marketing at any time.
• Right to withdraw consent – where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before responding.

You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Estonian Data Protection Inspectorate. You can find contact details for EU supervisory authorities on the website of the European Data Protection Board.

9. Third-Party Websites and Services

The Services may contain links to third-party websites, wallets, tools, or services that are not controlled by Crouton Digital (for example, wallets, exchanges, explorers, social platforms).

This Privacy Policy does not apply to those third parties. Their use of your personal data is governed by their own privacy policies, not ours. We are not responsible for the privacy or security practices of third-party services, and we encourage you to review their policies before providing personal data to them or using their services.

10. Children’s Privacy

The Services are not intended for children under the age of 18, and we do not knowingly collect personal data from children under 18.

If you believe that a child under 18 has provided personal data to us, please contact us at [email protected], and we will take appropriate steps to delete that information as required by law.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, practices, or legal requirements. When we do so, we will update the “Last updated” date at the top of this page.

If we make material changes, we may also provide additional notice (for example, by posting a notice on our website or contacting you directly, where appropriate).

Your continued use of the Services after the effective date of an updated Privacy Policy means that you accept the changes. If you do not agree with the updated Privacy Policy, you should stop using the Services.

12. Contacting Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our Terms of Use, or our handling of your personal data, you can contact us at:
[email protected] or [email protected]