
Privacy policy
Last updated: 1 May 2026
1. INTRODUCTION
Bluwhale Foundation (“Bluwhale”, “we,” “us,” or “our”), a foundation company registered in the Cayman Islands, is committed to protecting your personal data. This Privacy Policy (this “Policy”) explains how we, as the data controller, collect, use, share, and safeguard your information when you access or use our services provided through our platform and its related ecosystem (collectively, the “Platform”), including services provided on the Platform known as WhaleScore, Agent Store, WhaleTank, Nodes, Staking, and AI agents that you may create on the Platform (each, an “AI Agent”) (each of the foregoing services, a “Service”, and collectively, the “Services”).
By accessing the Platform and any Services, you acknowledge that you have read and understood this Policy. Where we rely on your consent for specific processing activities, we will seek that consent separately through a clear, opt-in mechanism as described in Section 4. If you do not agree to be bound by the terms and conditions herein, please discontinue your use of the Platform.
2. DATA WE COLLECT
We collect the following categories of personal data:
ACCOUNT REGISTRATION DATA
When you register for a Platform Account (as defined in our Terms of Service, as amended and available at our “Terms of Service” on the Platform), we collect the following basic information:
- Platform Account Information: Username, email address, and password (stored in encrypted form)
- Financial Information: Wallet address and related financial data necessary to provide the Services.
- Usage Information: How you access and use the Services, including interactions, forum posts, and other content you provide.
- Technical Data: IP address, browser type, device identifier, operating system, pages visited, and time of access.
- Communications: Email address, message contents, and attachments when you contact us directly.
- Web3 Data: Public wallet addresses and on-chain transaction history, collected primarily to calculate your WhaleScore.
- Web2 Social Data:
Where you choose to create or access your Platform Account using a linked social account (such as X or Discord), we collect the data returned by that platform's API that is necessary to create and maintain your account, which may include your unique platform user ID, display name, and email address (where provided by the platform). This processing is necessary to perform our contract with you and cannot be opted out of while you continue to use social login to access your account.
With your separate consent, we may access additional metadata from your linked X or Discord accounts, such as follower counts, account activity metrics, and server membership details, to personalize your experience. This data is processed on the basis of your consent and is not required to access the core Services. You may withdraw this consent at any time through your account privacy settings or by contacting our DPO, without affecting your Platform Account access.
We do not access your private messages, direct messages, or any content that is not publicly available or expressly authorized by you through the relevant platform's permission settings.
- Local Agent Data: Data generated locally by your AI Agents (e.g., via OpenClaw) to improve personalization.
- Profile and Token Data: Where you create a Profile Token (as defined in our Terms of Service) or AI Agent on the Platform, we collect and process the underlying personal data used to generate and maintain that Token or Agent, including your WhaleScore, on-chain behavioral data, and any additional data you choose to incorporate.
- AI Interaction Data: Where you interact with AI Agents on the Platform, including by submitting queries, prompts, or instructions, we collect the content of those interactions. This data may be used to provide the Services, improve the performance of our AI systems (subject to your consent where required), and detect misuse of the Platform.
IDENTITY VERIFICATION DATA (KYC-REQUIRED USERS ONLY)
Access to certain Services requires identity verification in accordance with applicable anti-money laundering (“AML”) and know-your-customer (“KYC”) regulations.
Identity verification is conducted directly by our third-party KYC provider on its own platform and subject to its own privacy policy. The collection and processing of your full name, date of birth, nationality, government-issued identification documents, photographs, and biometric data (including Face ID where applicable) is performed solely by our KYC provider. Bluwhale does not receive, store, or process your underlying identity documents or biometric data.
Bluwhale receives only:
- a zero-knowledge proof result confirming whether your identity verification has been successfully completed (the "KYC Verification Result"); and
- confirmation of your eligibility status under applicable AML and sanctions screening requirements.
We encourage you to review the privacy policy of our KYC provider before completing the verification process. For the current KYC provider that we use, please contact our DPO.
Provision of Account Registration Data (including your wallet address) is required to access the core Services. Where you register using social login, the social account data necessary to create and maintain your account is required for that registration method. You may alternatively register directly without linking a social account. Completion of the KYC process is required only where you seek access to KYC-gated Services.
Before your personal data is processed by our AI systems, all personal identifiers are subjected to de-identification and data masking to the extent technically feasible. Where we use aggregated or de-identified data derived from your personal data, we will maintain and use that data in anonymous or de-identified form and will not attempt to re-identify it, unless required to do so by applicable law.
3. LEGAL BASIS FOR PROCESSING YOUR DATA
We process your personal data only where we have a lawful basis to do so:
- Contract Performance: We process your KYC Verification Result, wallet address, on-chain transaction history, and AI agent data to provide the Services, including onboarding, account management, and delivery of your WhaleScore and personalized insights. Where you register for a Platform Account using social login, we process the social account data returned at login on the basis of contract performance, as it is necessary to create and maintain your Platform Account under that registration method.
- Legal Obligation: We process KYC Verification Results, financial records, and transaction histories to comply with applicable AML, KYC, tax reporting, and sanctions screening requirements. This includes automated screening against applicable sanctions lists, including those maintained by the Office of Foreign Assets Control of the United States Treasury Department (OFAC) and equivalent regulatory bodies. This processing cannot be opted out of.
- Legitimate Interests: We process usage data, technical data, and analytics to maintain and improve the security, performance, and features of the Services, and to detect and prevent fraud. You may contact our Data Protection Officer (“DPO”) to request further information about the balancing assessment we have carried out. We also process usage data and interaction data to detect and prevent misuse of the Platform, including abuse of AI systems, violations of our Terms of Service, and activities that may harm other users or third parties.
- Consent: We process data for marketing communications, non-essential cookies, AI profiling beyond contract performance, Web2 social account linking, and model training solely on the basis of your freely given, specific, informed, and unambiguous consent. We may process additional social account metadata, beyond what is strictly necessary for social login, on the basis of your separate consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- User-Initiated Monetization: We process personal data used to generate Profile Tokens, AI Agents, and data contributions on the basis of your explicit consent. This processing is entirely voluntary and separate from the processing necessary to provide the core Services.
4. CONSENT MECHANISM
Where we rely on consent, we will always: (a) provide a clear description of the processing before asking; (b) request consent through a positive opt-in action, separately from other agreements; (c) not bundle optional processing consent with access to core Services; (d) obtain separate consent for separate purposes (marketing, profiling, and model training are distinct categories); and (e) maintain a record of your consent choices.
You may withdraw consent at any time by accessing your account privacy settings, contacting our DPO, or using opt-out links in marketing communications. Withdrawal does not affect the lawfulness of prior processing.
5. SHARING OF YOUR DATA
We do not rent or sell your personal data. In particular, we do not share your personal data with third parties for the purposes of cross-contextual behavioral advertising. We may share your data with:
- Group entities and affiliates to provide the Services;
- Third-party service providers (hosting, analytics, customer service, email delivery, auditing, infrastructure provision, compliance screening, etc.) acting as data processors under written agreements as described below;
- Potential acquirers or successors in connection with a business reorganization or transaction; and/or
- Regulatory and law enforcement authorities where required by law or to protect our rights and operations.
In connection with the operation of the Platform and provision of the Services, we engage third-party service providers who may process your personal data on our behalf. These include, but are not limited to:
- infrastructure and cloud hosting providers;
- blockchain indexing and on-chain data services;
- vector database and AI model providers;
- identity verification and KYC/AML screening providers;
- analytics and performance monitoring tools;
- customer support and communication platforms; and
- payment and transaction processing services.
All such providers act as data processors under written agreements that restrict their use of your personal data to the purposes specified by us, prohibit them from processing your data for their own purposes, and require them to implement appropriate security measures.
Please note that our third-party KYC provider acts as an independent data controller in respect of the identity and biometric data you submit during the verification process, and not as a data processor on our behalf. Please refer to the KYC provider's own privacy policy for details of how your identity data is handled.
WHALETANK / dAPPS
We do not share your personal data — whether raw, de-identified, or anonymized — with third-party dApps within the WhaleTank ecosystem without your explicit further consent. Where derived, aggregated intelligence signals are shared with ecosystem participants, such signals will not identify you individually.
MCP / OPENCLAW
Our Platform uses the Model Context Protocol (MCP) to interact with third-party tools including OpenClaw. Those tools operate under their own privacy practices. We are not responsible for third-party privacy practices and encourage you to review their policies before use.
In addition, we may use third-party analytics vendors to evaluate and provide us with information about your use of the Services. We do not share your information with these third parties, but these analytics service providers may set and access their own cookies, pixel tags and similar technologies on the services, and they may otherwise collect or have access to information about you, which they may collect over time and across different websites. For example, we use Google Analytics to collect and process certain analytics data. Google provides some additional privacy options described at https://www.google.com/policies/privacy/partners.
A current list of our key third-party service providers is available upon request from our DPO at the details provided in Section 16.
We may share aggregate, anonymized data that cannot identify any individual for any purpose permitted by law.
6. AI, AUTOMATED DECISION-MAKING AND PROFILING
We use AI and machine learning systems to analyze your financial data and generate personalized insights and services, including your WhaleScore, personalized recommendations, risk scoring, fraud detection, and user segmentation.
Our AI-powered Services, including WhaleScore and any other AI-generated outputs, are produced by analyzing available data and predicting likely outputs based on patterns in that data. Such outputs may not always be factually accurate, complete, or up to date, and should not be relied upon as the sole basis for any financial decision. If you believe an AI-generated output contains inaccurate information about you, please contact our DPO to request a review. Where technically feasible, we will correct or suppress the inaccurate output. Where this is not technically possible, we will inform you of the limitation and, where requested, take reasonable steps to limit further use of that output.
Bluwhale is built on the principle that your personal data and digital identity have measurable value. Where you choose to participate in our data monetization features, you retain ownership of your underlying personal data and have the right to determine how it is used to generate value on the Platform, subject to our Terms of Service.
PROFILE TOKENS
Where you choose to create a Profile Token (as defined in our Terms of Service), based on your personal data, the following applies:
- Your Profile Token is generated from your personal data, including your on-chain transaction history, and represents a portable, pseudonymous digital identity asset on the Platform.
- The creation of your Profile Token constitutes your explicit consent to the processing of the underlying personal data for the purpose of generating and maintaining that Token. You may withdraw this consent at any time by retiring your Profile Token, subject to any on-chain finality constraints applicable to completed transactions.
- We process the personal data underlying your Profile Token on the basis of your consent. Where a Profile Token is traded or transferred to another user or third party, the recipient receives access to the tokenized representation only, not to your underlying raw personal data.
USER-GENERATED AI AGENTS
Where you create or launch an AI Agent on the Platform using your personal data or behavioral profile:
- While the underlying code and technical infrastructure of AI Agents created on the Platform is owned by Bluwhale in accordance with our Terms of Service, you retain the right to monetize the outputs and capabilities of AI Agents created using your personal data, and Bluwhale processes your personal data for that purpose on the basis of your consent.
- You have the right to monetize your AI Agent, including by listing it, licensing it to other users, or deploying it on such third-party protocols and platforms, on terms you determine within the parameters of the Platform, our Terms of Service and any applicable terms of the third-party protocol or platform.
- Where your AI Agent is trained on or incorporates your personal data, we process that data on the basis of your consent. This consent is specific to the creation of that AI Agent and does not extend to other processing purposes.
- Where another user or third party interacts with or deploys your AI Agent, we will not disclose your underlying personal data to that party without your separate, explicit consent. The agent's outputs and capabilities may be made available, but your identity and raw data remain protected.
- You may withdraw your AI Agent from the Platform at any time through your account settings. Withdrawal will not affect transactions or interactions that have already been completed.
DATA CONTRIBUTION AND REWARDS
Where you choose to contribute your personal data to Bluwhale's decentralized intelligence layer in exchange for incentives if there is external demand for it:
- Participation in the data contribution and reward program is entirely voluntary. You may use the core Services without contributing data for reward purposes.
- We process contributed data on the basis of your freely given, explicit consent. This consent is separate from, and does not affect, your consent for other processing activities.
- You may withdraw from the data contribution program at any time by adjusting your account settings or contacting our DPO without affecting your access to the core Services. Withdrawal will apply to future contributions only and will not reverse rewards already earned.
- All data contributed to the shared intelligence layer is de-identified and aggregated before being made available to the ecosystem. Your raw personal data will not be accessible to other participants.
IMPORTANT NOTICE ON DATA MONETIZATION AND PRIVACY RIGHTS
Participation in any data monetization feature, including AI Agent trading and deployment on eligible third-party platforms, is based on your consent and is entirely voluntary. Your exercise of data subject rights under this Policy (including the right to erasure and the right to withdraw consent) may affect active monetization activities. In particular:
- A request to erase your personal data may result in the retirement or the suspension of associated AI Agents;
- Withdrawal of consent for data contribution will cease future data contributions but will not reverse completed token rewards or transactions; and
- On-chain transactions that have already been finalized cannot be reversed as a matter of blockchain architecture. Please refer to Section 12(c) for our cryptographic deletion policy in respect of on-chain data.
We will inform you of the specific consequences before acting on any rights request that affects your monetization activities.
7. MODEL TRAINING
We may use aggregated, anonymized data derived from user interactions to train and improve our AI models and agents. This data cannot reasonably identify you individually.
We will never use your personal financial data, including transaction data or account details, to train our AI models without your explicit, separately obtained consent. You may give or withhold this consent independently of your use of the Services, and withdraw it at any time without affecting your access.
Third-party AI model providers engaged by us act as data processors under agreements that prohibit them from storing and using your data for their own training purposes. A list of key providers is available upon request from our DPO.
Where technically feasible, we implement privacy-preserving techniques, such as encryption, zero-knowledge proofs, differential privacy (adding calibrated noise to aggregate statistics), and federated learning (training models on distributed data without centralizing it), to minimize privacy risk in our AI training processes.
8. THIRD-PARTY SERVICES
We may display third-party content on the Platform. Third parties may use cookies or similar technologies to collect data about your interactions. By providing these links we do not imply that we endorse or have reviewed these sites. We are not responsible for third-party privacy practices and encourage you to review their respective privacy policies. Transmitting information over the internet carries inherent risks and we cannot guarantee the security of data in transit.
9. SECURITY
We implement administrative, technical, and physical safeguards to protect your personal data, including secure server storage, access controls, and encryption where appropriate. Access to your data is limited to personnel who require it for legitimate business purposes. We do not store passwords.
You are responsible for maintaining the security of your account credentials and logging out after each session. No security measures are completely impenetrable and we cannot guarantee absolute security of data transmitted over the internet.
DATA BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. We maintain an internal record of all personal data breaches.
10. COOKIES AND TRACKING TECHNOLOGIES
We use cookies and similar tracking technologies (such as pixel tags and local storage) on our Platform. Cookies are small text files placed on your device that help us operate and improve the Services. We use the following categories of cookies:
- Strictly necessary cookies: Essential to the operation of the Platform (e.g., session management, security). These cannot be disabled.
- Functional cookies: Remember your preferences and settings to improve your experience.
- Analytics cookies: Help us understand how users interact with the Platform (e.g., pages visited, time spent). We may use Google Analytics for this purpose.
- Marketing cookies: Used to deliver relevant advertising and measure campaign effectiveness.
When you first visit the Platform, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies by category. You may update your preferences at any time through [here]. Rejecting non-essential cookies will not affect your access to core Services.
11. DATA RETENTION
We retain your personal data only for as long as necessary to provide the Services and comply with our legal obligations. In particular:
- Account Registration Data: Retained for the duration of your Platform Account and for a period of 3 years following account closure or termination, to allow for account reactivation, resolve post-closure queries, and address any disputes arising from your use of the Service.
- KYC Verification Result (KYC-required users only): Retained for 5 years after termination of the business relationship, as required by applicable AML and CTF regulatory frameworks. Underlying identity documents and biometric data are retained by our third-party KYC provider in accordance with its own retention policy.
- Financial and Transactional Records: Retained for a minimum of 5 years from the date of the transaction to comply with AML, CTF and tax obligations in applicable jurisdictions.
- Technical Logs and Analytics: Retained for 12 months for security monitoring and platform improvement.
- Consent and Communications Records: Duration of the relationship plus 3 years, to evidence compliance with our legal and regulatory obligations.
Where a specific period is not stated above, we determine retention based on the applicable statute of limitations under the governing law of this Policy, or such longer period as may be required by applicable law. For a personalized breakdown of the retention periods applicable to your specific data, you may contact our DPO. Upon expiry of the applicable retention period, your data will be securely deleted or anonymized.
12. YOUR RIGHTS
Depending on where you are located, you may have the following rights in relation to your personal data:
- Right to Access: You may request a copy of the personal data we hold about you and information about how we process it (a "Subject Access Request" or "SAR"). We will respond within 21 days of receipt at no charge, unless your request is manifestly unfounded or excessive.
- Right to Rectification: You may request that we correct any inaccurate personal data we hold about you. Most account information can be updated directly through your account settings.
- Right to Erasure ('Right to be Forgotten'): You may request that we delete your personal data where it is no longer necessary for the purposes collected, where you withdraw consent and there is no other lawful basis, or where you object and we have no overriding legitimate grounds. We cannot delete data we are legally required to retain, such as AML or tax records. Where your personal data is stored on or derived from blockchain infrastructure or other systems where conventional deletion is not technically possible, we will implement such technical measures as are reasonably available to us to render your data permanently inaccessible or unintelligible. Such measures may include, without limitation, cryptographic deletion, destruction of encryption keys, anonymization, aggregation, or such other technical means as are appropriate in the circumstances. Any such measure that renders your data permanently inaccessible or unintelligible will be treated as equivalent to erasure for the purposes of this Policy.
- Right to Restriction: You may request that we restrict processing of your personal data — for example, while you contest its accuracy or while we consider your objection.
- Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, machine-readable format, or ask us to transmit it directly to another controller where technically feasible.
- Right to Object: You may object to processing based on our legitimate interests where you have grounds relating to your particular situation. You have an absolute right to object to processing for direct marketing purposes at any time.
- Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you.
EXERCISING YOUR RIGHTS
To exercise any of the rights described above, please contact our DPO using the contact details provided in Section 16. We may ask you to verify your identity before processing your request. We will respond within 21 days of receipt, or such other timeframe as required under applicable law, and will notify you if we need to extend this period. You may also submit a rights request through an authorised agent. If you do so, we may require written confirmation of the agent's authority and may ask you to independently verify your identity.
If we decline your rights request, we will explain our reasons in writing. You may appeal our decision by contacting our DPO. If you remain unsatisfied following our response to your appeal, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
Please note that the exercise of certain rights may affect our ability to provide certain Services to you. Where this is the case, we will inform you before acting on your request so that you may make an informed decision.
CALIFORNIA RESIDENTS
If you are a California resident, you have the additional right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising, and to limit our use of your sensitive personal information to purposes necessary to provide the Services. To exercise these rights, please contact our DPO using the contact details provided in Section 16.
13. CROSS-BORDER DATA TRANSFERS
The Platform operates globally. Where your data is transferred outside your home jurisdiction, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) for transfers out of the EEA, adequacy decisions where available, and equivalent contractual safeguards for transfers from other jurisdictions.
14. CHILDREN’S PRIVACY
The Platform is not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact our DPO immediately.
15. UPDATES TO THIS POLICY
We may update this Policy from time to time. The "Last Updated" date at the top indicates when it was last revised. We will notify you of material changes via email or in-Platform communication. Continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.
16. CONTACT US
We have appointed a DPO responsible for overseeing our data protection compliance and serving as your primary contact for privacy matters.
Name: Han Jin
Email: team@bluwhale.com
Postal Address: Citrus Grove, Ground Floor, 106 Goring Avenue, George Town, P.O. Box 31489, Grand Cayman KY1-1206, Cayman Islands.
We will respond within 21 days of receipt, or such shorter period as required by applicable law.
17. GOVERNING LAW
This Policy is governed by the laws of the Cayman Islands. Notwithstanding this, your data protection rights under applicable mandatory law in your home jurisdiction are not affected by this choice of governing law and remain fully enforceable.
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.