Privacy Policy

1. About This Policy and the dApp

This Privacy Policy governs the handling of personal data by Haycar Global Pty Ltd (ABN pending) ("we", "us") in connection with the Animalis aRK dApp at animalisark.app - a decentralised application for animal digital identity, AARK token operations, DePIN node staking, and conservation DAO governance on the Cardano blockchain.

We are committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users in the European Economic Area or United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR.

The dApp operates across two distinct environments: (1) the off-chain web application at animalisark.app, and (2) the Cardano public blockchain. These environments have fundamentally different privacy characteristics. Please read Section 2 carefully before connecting your wallet.

2. A Note on Blockchain Architecture

Before connecting your wallet or interacting with any on-chain feature of this dApp, please understand:

• Your Cardano wallet address is pseudonymous but publicly visible and may be traceable to your identity through external means (exchange KYC, transaction patterns)
• Every on-chain action (token transfer, DID registration, governance vote) is permanently recorded and cannot be erased
• AARK token transactions, staking positions, and DAO vote history are public and searchable on Cardano blockchain explorers
• DID credential attestations (e.g. veterinary certifications linked to animal DIDs) are recorded on-chain and are permanent

If you are not comfortable with public, permanent records of your wallet activities, do not connect your wallet to this dApp.

3. Data We Collect Off-Chain

The off-chain components of the Animalis aRK dApp (the web application at animalisark.app) may collect the following:

3.1 Connection and session data

• Your Cardano wallet address (when you connect a CIP-30 compatible wallet)
• Wallet type (Nami, Eternl, Lace, etc.) - for compatibility purposes only
• Session tokens for authenticated API requests

3.2 Technical data

• IP address and general location (country/region)
• Browser and device type
• Pages visited, features used, error logs

3.3 Voluntarily submitted data

• Any information entered into app forms (e.g. DID lookup queries, animal registration details)
• Support requests or feedback submitted through the app

3.4 What we do NOT collect off-chain

• We do not request or store your wallet's private keys, seed phrases, or signing credentials
• We do not have access to your full wallet balance or transaction history beyond what is visible on the public blockchain

4. On-Chain Data - Wallets, DIDs, Tokens, Governance

The following categories of data are recorded on the Cardano blockchain by your actions within the dApp. All such data is public and permanent:

• AARK token transactions: Transfers, staking deposits, reward withdrawals - publicly visible on-chain
• DePIN node registrations: Your node's on-chain registration, staking amount, and uptime proofs
• DAO governance votes: AARK-weighted votes on conservation proposals, protocol upgrades, and treasury decisions. All votes are public and permanently attributed to your wallet address
• DID registrations: Animal DID registrations (e.g. did:haycar:animal:wildlife-koala-QLD-0042) and credential issuances anchored via Atala PRISM
• TWIN NFT issuance and transfers: NFT minting events and ownership history on-chain
• Smart contract interactions: All interactions with Animalis aRK Plutus V3 smart contracts are permanently recorded

5. Animal DID and TWIN NFT Data

Animalis-IC device DIDs are anchored to Cardano via Atala PRISM. The DID document contains:

• The device's public key (pseudonymous - no animal name or owner name on-chain by default)
• The DID creation block hash and timestamp
• Hashes of veterinary credential attestations (the raw credential data is stored off-chain and linked by hash)

Raw veterinary health records and clinical data are stored off-chain in our secure platform (animalisark.io) and are subject to the 7-year health records retention policy. Only cryptographic hashes are written on-chain.

The animal's owner details (human name, contact info) are not written to the blockchain. The DID is pseudonymous. However, the association between a wallet address and an animal may be determinable by a sophisticated observer through external means.

6. How We Use Off-Chain Data

We use off-chain data collected by the dApp to:

• Operate the dApp and provide wallet-connected services
• Display your on-chain portfolio (AARK balance, staked nodes, DAO proposals)
• Facilitate DID lookups and verifiable credential verification
• Provide technical support and diagnose application errors
• Monitor for security incidents and fraudulent activity
• Generate anonymised analytics to improve the dApp
• Comply with applicable legal obligations

We do not sell off-chain data. We do not use your wallet address or dApp activity for third-party advertising.

7. Legal Basis for Processing

Under the Australian Privacy Act 1988, we process personal information where reasonably necessary for delivering the dApp services in the context of the user's voluntary use.

For EEA/UK users under GDPR:

• Contract performance: Operating the wallet-connected dApp services you have connected to
• Legitimate interests: Security monitoring, fraud prevention, service improvement
• Legal obligation: Applicable financial and digital asset regulations

On-chain data (once written) is outside the scope of privacy law erasure rights due to blockchain immutability - this is an inherent technical characteristic of public blockchain infrastructure, not a choice we make.

8. Third-Party Infrastructure

• Cardano node network: Our app submits transactions to the Cardano peer-to-peer node network, which globally replicates all on-chain data
• Atala PRISM / IOG: DID anchoring and verifiable credential infrastructure provided by Input Output Global
• IPFS: Decentralised file storage for NFT metadata and off-chain credential data
• Cloudflare: CDN, DDoS protection, and DNS for the animalisark.app web application
• CIP-30 wallet providers: Nami, Eternl, Lace, Vespr, and other Cardano wallets are independent third-party software. We have no control over how these wallets handle your data. Review each wallet's privacy policy separately.
• World Mobile Network: DePIN connectivity layer in supported regions (East Africa). Fallback connectivity provider for node operators.

9. Data Retention

• On-chain data: Permanent - blockchain records cannot be deleted
• Wallet session data: Off-chain session tokens expire within 24 hours of disconnection
• Technical logs (IP, browser): 12 months for security and fraud prevention
• Animal health records (off-chain): 7 years from last clinical event (see animalisark.io Privacy Policy)
• Support correspondence: 3 years from resolution

10. International Data Transfers

Cardano blockchain data is replicated globally by the decentralised node network - this is inherent to the technology. Off-chain application data may be hosted on servers in Australia and/or Singapore. We apply appropriate safeguards for cross-border transfers of off-chain personal data.

The animalisark.app web application is accessible globally via Cloudflare's CDN. Cloudflare may process request metadata at edge nodes worldwide; this is governed by Cloudflare's privacy policy and data processing agreements.

11. Your Rights

Under the Australian Privacy Act 1988 and GDPR, you have the following rights over your off-chain personal data:

• Access: Request a copy of off-chain data we hold linked to your wallet or account
• Correction: Request correction of inaccurate off-chain data
• Erasure: Request deletion of off-chain data where no retention obligation applies
• Data portability: Request your off-chain data in a structured format
• Objection: Object to processing based on legitimate interests

To exercise rights over off-chain data, contact [email protected]. We respond within 30 days.

12. Wallet Security

Your wallet security is solely your responsibility. We will never ask for your seed phrase, private key, or wallet password. Any communication claiming to be from Animalis aRK that asks for these credentials is a scam - do not respond.

We recommend using hardware wallets for significant AARK holdings. We are not liable for losses arising from compromised wallet credentials, phishing attacks, or unauthorised wallet access.

13. Children's Privacy

The Animalis aRK dApp involves cryptocurrency and blockchain operations and is not suitable for or directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has connected a wallet or created an account, contact [email protected].

14. Data Breaches

In the event of an eligible data breach affecting off-chain personal data:

• We will assess the breach within 30 days of becoming aware
• Notify affected individuals and the OAIC as required under the Notifiable Data Breaches Scheme
• Notify EEA/UK supervisory authorities within 72 hours where GDPR applies

On-chain data cannot be subject to a "breach" in the conventional sense, as it is already public by design. We implement technical security measures for all off-chain application data including encrypted storage, access controls, and audit logging.

15. Contact and Complaints

Complaints unresolved by us may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. EEA/UK users may contact their local data protection authority.

This Privacy Policy may be updated. Material changes will be communicated via the dApp interface and via our foundation communications. The current version and effective date are shown at the top of this page.