Privacy Policy
Last Updated: 20 March 2026
1. Introduction
This Privacy Policy ("Policy") describes how Stormbit Labs Pte. Ltd. ("Stormbit," "we," "us," or "our"), a company incorporated in Singapore, collects, uses, discloses, and protects information when you access or use the Stormbit Protocol, including the website located at https://stormbit.finance, any associated subdomains, and the decentralised application interface (collectively, the "Services").
Stormbit is a decentralised finance ("DeFi") lending protocol that enables users to lend and borrow digital assets through smart contracts deployed on blockchain networks. Users interact with the Services by connecting compatible cryptocurrency wallets. No traditional account creation is required.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, you should not access or use the Services.
This Policy is drafted in compliance with the Personal Data Protection Act 2012 of Singapore ("PDPA") and, where applicable, other relevant data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Stormbit Labs Pte. Ltd. Republic of Singapore
For all privacy-related inquiries, you may contact us at: Email: [email protected]
3. Data We Collect
We collect minimal data necessary to provide, secure, and improve the Services. The categories of data we collect are set out below.
3.1 Blockchain and Wallet Data
Wallet addresses. When you connect a cryptocurrency wallet to the Services, we collect your public wallet address. Wallet addresses are pseudonymous identifiers associated with blockchain networks and are publicly visible on-chain.
On-chain transaction data. When you interact with the Stormbit Protocol smart contracts, your transaction data — including transaction hashes, token amounts, block timestamps, and smart contract interactions — is recorded on the applicable public blockchain. This data is inherently public and immutable. We may index, aggregate, or display this data in connection with the Services.
3.2 Automatically Collected Technical Data
When you access the Services through a web browser, we automatically collect certain technical information, including:
Device information: device type, operating system, and browser type and version.
Usage data: pages visited, time spent on pages, click-stream data, referring and exit URLs.
Network information: IP address (which may be truncated or anonymised), approximate geographic location derived from IP address.
Analytics identifiers: unique identifiers assigned by analytics tools such as Google Analytics.
3.3 Cookies and Similar Technologies
We use cookies and similar tracking technologies to collect certain data automatically. Please refer to Section 8 (Cookies and Tracking Technologies) for further details.
3.4 Data We Do Not Collect
In the ordinary course of providing the Services, we do not collect:
Names, email addresses, phone numbers, or mailing addresses.
Government-issued identification documents, tax identification numbers, or social security numbers.
Financial account information such as bank account or credit card details.
Exception — Compliance Programmes. If you participate in any programme, promotion, or feature that requires enhanced due diligence or Know Your Customer ("KYC") verification, we may collect additional personal data (including legal name, identification documents, and proof of address) as required by applicable law. If such collection is necessary, you will be informed separately and your express consent will be obtained at that time.
4. How We Collect Data
We collect data through the following means:
Wallet connection. When you connect your cryptocurrency wallet to the Services using a wallet provider (such as MetaMask, Argent, Braavos, or similar), your public wallet address is transmitted to us.
Blockchain interaction. When you execute transactions through the Services, transaction data is broadcast to and recorded on the applicable blockchain network. We read this publicly available data to display your activity within the Services.
Automated collection. Cookies, pixels, and analytics scripts embedded in the Services automatically collect technical and usage data when you access the Services through a web browser.
Direct communication. If you contact us at [email protected] or through any other channel, we collect the information you provide in your communication.
5. Purposes of Data Collection and Use
We use the data we collect for the following purposes:
Service provision
To operate, maintain, and provide the core functionality of the Services, including facilitating lending and borrowing transactions, displaying wallet balances, and rendering transaction histories.
Security and fraud prevention
To detect, investigate, and prevent fraudulent, unauthorised, or malicious activity, including potential exploits of the Protocol's smart contracts.
Sanctions and compliance screening
To screen wallet addresses against applicable sanctions lists and to comply with applicable anti-money laundering ("AML") and counter-terrorism financing ("CTF") laws and regulations.
Analytics and improvement
To understand how users interact with the Services, identify usage trends, measure performance, and improve the user experience.
Legal compliance
To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including the PDPA.
Communication
To respond to your inquiries and provide support when you contact us.
6. Legal Basis for Processing
Under the PDPA and applicable data protection laws, we process personal data on the following legal bases:
Consent. Where you have provided consent to the collection, use, or disclosure of your personal data — for example, by connecting your wallet to the Services or accepting cookies. Under the PDPA, consent may be express or deemed. By voluntarily connecting your wallet and using the Services after being presented with this Policy, you are deemed to have consented to the collection, use, and disclosure of data as described herein.
Legitimate interests. Where processing is necessary for our legitimate interests, provided that such interests are not overridden by your rights. Our legitimate interests include operating and securing the Services, preventing fraud, and improving the Protocol.
Legal obligation. Where processing is necessary to comply with a legal obligation to which we are subject, including sanctions screening requirements and responses to lawful requests from regulatory authorities.
Contractual necessity. Where processing is necessary in connection with any agreement you may have with us.
You may withdraw your consent at any time by ceasing to use the Services and disconnecting your wallet. Please note that withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, nor does it affect processing carried out on legal bases other than consent. Additionally, data that has already been recorded on a public blockchain cannot be deleted or modified due to the immutable nature of blockchain technology.
7. Third-Party Sharing and Disclosure
We do not sell your personal data. We may share or disclose data in the following circumstances:
7.1 Analytics Providers
We use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google Analytics uses cookies and similar technologies to collect and analyse information about use of the Services. Google may use this data to evaluate your use of the Services, compile statistical reports, and provide related services. Google's ability to use and share information collected by Google Analytics is governed by the Google Analytics Terms of Service and the Google Privacy Policy. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
7.2 Blockchain Networks
When you execute transactions through the Services, your wallet address and transaction data are broadcast to and permanently recorded on the applicable blockchain network (e.g., Ethereum, Starknet). Blockchain data is publicly accessible and cannot be deleted or modified. This disclosure is an inherent feature of blockchain technology and is not within our control.
7.3 Compliance and Sanctions Screening Providers
We may share wallet addresses with third-party compliance service providers, such as TRM Labs or similar blockchain analytics firms, for the purpose of sanctions screening, AML compliance, and risk assessment. These providers process data in accordance with their own privacy policies and contractual obligations to us.
7.4 Legal and Regulatory Disclosures
We may disclose your data if we believe in good faith that such disclosure is necessary to:
Comply with applicable law, regulation, legal process, or enforceable governmental request.
Enforce our terms of service or other agreements.
Protect the rights, property, or safety of Stormbit, our users, or the public.
Detect, prevent, or address fraud, security, or technical issues.
7.5 Business Transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or other similar event, your data may be transferred to the successor entity, subject to this Policy or a policy at least as protective.
7.6 With Your Consent
We may share your data with third parties when you have provided explicit consent for such sharing.
8. Cookies and Tracking Technologies
8.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. They are widely used to make websites work efficiently and to provide reporting information.
8.2 Cookies We Use
Strictly necessary cookies
Essential for the operation of the Services, including wallet connection session management. These cannot be disabled.
Session or up to 1 year
Analytics cookies
Used by Google Analytics to distinguish unique users, track session information, and understand usage patterns.
Up to 2 years
Preference cookies
Store your preferences such as interface settings (e.g., dark mode, network selection).
Up to 1 year
8.3 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to:
View what cookies are stored and delete them individually.
Block third-party cookies.
Block all cookies from specific sites.
Delete all cookies when you close your browser.
Please note that blocking or deleting cookies may affect the functionality of the Services.
8.4 Do Not Track
The Services do not currently respond to "Do Not Track" signals transmitted by web browsers.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
Analytics data. Technical and usage data collected through Google Analytics is retained in accordance with Google's data retention settings. We have configured our analytics retention period to 14 months, after which data is automatically deleted.
Wallet and transaction data. Data derived from public blockchain records may be retained indefinitely, as this information is publicly and permanently available on the blockchain regardless of our retention practices.
Communication data. If you contact us, we retain your communication for as long as necessary to resolve your inquiry and for a reasonable period thereafter for record-keeping, generally not exceeding 3 years.
Compliance data. Data processed for sanctions screening or legal compliance purposes is retained for the period required by applicable law, which may extend beyond the cessation of your use of the Services.
When personal data is no longer required, we will delete, anonymise, or aggregate it so that it can no longer be associated with you.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit using Transport Layer Security (TLS).
Access controls limiting personnel access to personal data on a need-to-know basis.
Regular security assessments and monitoring of our systems and infrastructure.
Use of reputable cloud infrastructure providers with established security certifications.
Smart contract audits conducted by independent security firms to secure the Protocol.
While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of your data.
11. Your Rights
Under the PDPA and, where applicable, other data protection laws, you have the following rights with respect to your personal data:
11.1 Right of Access
You have the right to request access to the personal data we hold about you. Upon a verifiable request, we will provide you with information about the data we have collected and how it has been used or disclosed during the preceding year.
11.2 Right to Correction
You have the right to request the correction of any personal data that is inaccurate, incomplete, or misleading. Where we are satisfied that the data requires correction, we will make the necessary amendments as soon as practicable.
11.3 Right to Withdrawal of Consent
You have the right to withdraw your consent to the collection, use, or disclosure of your personal data at any time by:
Disconnecting your wallet from the Services.
Clearing cookies from your browser or adjusting your cookie preferences.
Contacting us at [email protected].
Upon receiving your withdrawal request, we will inform you of the likely consequences of withdrawing consent, which may include our inability to provide certain Services to you. Withdrawal of consent does not affect the lawfulness of data processing carried out prior to withdrawal.
11.4 Right to Data Portability
Where technically feasible, you may request a copy of your personal data in a structured, commonly used, and machine-readable format.
11.5 Blockchain Data Limitations
Please note that personal data recorded on a public blockchain (such as wallet addresses and transaction data) is immutable and cannot be modified, deleted, or erased. This is an inherent characteristic of blockchain technology. Your rights of access, correction, and erasure do not extend to data that is permanently recorded on a public blockchain and outside of our control.
11.6 How to Exercise Your Rights
To exercise any of the rights described above, please submit your request to:
Email: [email protected]
We will respond to your request within 30 days of receipt. We may request additional information to verify your identity before processing your request. There is generally no fee for exercising your rights, but we reserve the right to charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive, in accordance with the PDPA.
12. International Data Transfers
Stormbit Labs Pte. Ltd. is based in Singapore. However, the Services are accessible globally, and data may be transferred to, stored in, or processed in jurisdictions outside of Singapore, including jurisdictions where our service providers operate (such as the United States, in the case of Google Analytics).
Where personal data is transferred outside of Singapore, we take reasonable steps to ensure that the data is protected to a standard comparable to the protection afforded under the PDPA. These steps may include:
Entering into data transfer agreements with recipients that include appropriate data protection obligations.
Ensuring that the recipient jurisdiction provides a comparable standard of protection for personal data.
Implementing technical measures such as encryption to safeguard data during transfer.
By using the Services, you acknowledge and consent to the transfer of your data to jurisdictions outside of Singapore as described in this Policy.
13. Children's Privacy
The Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data as promptly as possible.
If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at [email protected] so that we can take appropriate action.
14. Third-Party Links and Services
The Services may contain links to third-party websites, applications, or services that are not operated or controlled by Stormbit. This Policy does not apply to any third-party services. We are not responsible for the privacy practices of any third-party services. We encourage you to review the privacy policies of any third-party services you access.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
Update the "Last Updated" date at the top of this Policy.
Post the revised Policy on the Services.
Where required by applicable law, provide notice of the changes through the Services or by other appropriate means.
Your continued use of the Services after the posting of a revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically to stay informed about how we protect your data.
16. Governing Law
This Policy and any dispute arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Singapore, without regard to its conflict of laws principles.
17. Contact Us
If you have any questions, concerns, or requests regarding this Policy or our data practices, please contact us at:
Stormbit Labs Pte. Ltd. Email: [email protected]
For data protection matters, you may also direct inquiries to our appointed Data Protection Officer at the email address above.
If you are not satisfied with our response to your inquiry or complaint, you may contact the Personal Data Protection Commission ("PDPC") of Singapore at https://www.pdpc.gov.sg.
This Privacy Policy is effective as of 20 March 2026.
Last updated