1. Scope, Roles, and Interpretation
This Policy governs the collection, use, disclosure, and retention of Personal Data by GENZA Inc. when you access or use the GENZA website, mobile application, and Telegram Mini App (collectively, the “Service”). It does not apply to third-party sites, applications, wallets, marketplaces, payment systems, or platforms that we do not control, including Telegram and app stores, which operate under their own privacy rules. For processing operations performed through the Service, GENZA acts as the data controller. Telegram and app stores are independent controllers for processing performed in their ecosystems. Certain suppliers (including hosting/CDN, analytics and diagnostics, AI infrastructure, KYC/AML, and payment providers) act as our processors under written data-processing agreements and solely on our documented instructions. “Personal Data” means any information relating to an identified or identifiable natural person; “Processing” means any operation performed on Personal Data. This Policy supplements our Terms and Conditions; in case of inconsistency on privacy matters, this Policy prevails, while the Terms govern the contractual relationship. This Policy may be provided in multiple languages; the English version controls.


2. Categories of Personal Data We Process
We process Personal Data in a manner that is adequate, relevant, and limited to what is necessary for the purposes set out herein. The data may include identifiers and account information made available via Telegram (such as Telegram ID, username/display name, profile photo, interface language, device and operating system details, Telegram Premium status, and theme settings), Service usage information (including in-app actions, session parameters, events, diagnostics and crash logs, and preferences), Web3 and blockchain information (including public wallet addresses such as TON and, where applicable, EVM, transaction and NFT metadata, wallet identifiers, and in-Service economic activity), images voluntarily uploaded by you for the purpose of generating a 3D avatar and derivative avatar files linked to your profile, user content and interactions with AI features (including messages, prompts, images, and other UGC), approximate geolocation at city or region level if provided by you or inferred from locale or timezone, KYC and payment information where required to comply with law or complete a transaction (including name, date of birth, and identification data processed by a KYC provider, and payment tokens/receipts processed by stores or payment processors; full card numbers are not stored by GENZA), as well as technical and network identifiers such as IP address and device identifiers used for security, analytics, and fraud prevention. The Service is intended for users aged 18 or older; we do not knowingly collect data from children under 13.


3. Sources of Personal Data
We obtain Personal Data directly from you when you register, link a wallet, upload images, or communicate with support; automatically through the Service via usage, diagnostics, and security logs; from third parties and platforms, including Telegram, app stores, payment processors, KYC providers, wallet providers, and blockchain explorers; and from public blockchains, where records are by nature public and immutable.


4. Purposes and Legal Bases
We process Personal Data to provide, maintain, and develop the Service, including authenticating users, ensuring component compatibility, enabling features such as TON-based NFTs, and providing user support; to prevent and address fraud, abuse, and unauthorized access, and to preserve the integrity of accounts, wallets, and transactions; to process payments, perform KYC/AML checks where required, and maintain obligatory records; to transform images you upload for avatar generation and to power AI features; to perform analytics, diagnostics, and quality improvements, including A/B experiments where lawful; and to comply with laws, enforce our Terms, and protect the rights, legitimate interests, and safety of users, GENZA, and third parties. In the EEA/UK/Switzerland, the legal bases consist of the necessity to perform a contract with the user, GENZA’s legitimate interests in operating, securing, and improving the Service, compliance with legal obligations, and, where required by local law, for example, for the processing of uploaded facial images that may be considered biometric data or for non-essential cookies/SDKs, your explicit consent. GENZA does not engage in decision-making that produces legal or similarly significant effects on you solely by automated means without human involvement.


5. Special Category and Biometric Considerations
Facial images you voluntarily upload are processed strictly to generate your avatar and operate the related feature. We do not use such images to identify you across services and do not process them for incompatible purposes. Where required by law, separate explicit consent is obtained. Source images are retained for a limited period and deleted in accordance with the retention regime specified in this Policy.


6. Cookies, SDKs, and Similar Technologies
The website and applications may use cookies, software development kits, and similar technologies to enable essential functionality such as security and sessions, to support user preferences, to perform analytics and diagnostics, and to combat fraud. The Telegram Mini App may rely on Telegram’s own storage mechanisms rather than browser cookies. Where required by law, consent is obtained before deploying non-essential technologies through a clear preference-management interface, and users may adjust their choices at any time. Non-standardized browser “Do Not Track” signals may not be honored, while legally mandated opt-out signals applicable in a given jurisdiction are respected to the extent required.


7. Sharing and Disclosures
Personal Data is disclosed only to the extent necessary for the purposes described. Disclosures may occur to processors acting on our instructions, such as hosting and CDN providers, analytics and diagnostics services, AI inference infrastructure, customer-support and message-delivery services, KYC/AML providers, and payment providers, in each case pursuant to binding data-processing agreements; to independent controllers such as Telegram, Apple, Google, external wallets, and marketplaces in respect of their own processing under their policies; to successors in the context of corporate changes including mergers, acquisitions, financings, or transfers of assets, provided that the recipient upholds privacy commitments consistent with this Policy; and to competent authorities or other parties where required by law, to respond to lawful requests, to enforce our Terms, or to protect rights, property, users, and public safety. GENZA does not sell Personal Data and does not share it for cross-context behavioral advertising within the meaning of the California Privacy Rights Act; if that practice ever changes, this Policy will be updated in advance and legally required choice mechanisms will be provided.


8. International Transfers
Processing may occur in the United States and other countries with privacy laws that differ from those of your jurisdiction. For users in the EEA/UK/Switzerland, international transfers rely on Standard Contractual Clauses with applicable addenda and are protected by appropriate technical and organizational measures during transfer and storage.


9. Security
GENZA maintains administrative, technical, and organizational safeguards appropriate to the nature, scope, context, and purposes of Processing and to the risks to individuals’ rights and freedoms, including access controls, encryption in transit, least-privilege access, and security monitoring. No system can guarantee absolute security; you remain responsible for securing your devices, Telegram account, wallet private keys, and credentials. Where a personal-data incident triggers legal notification duties, GENZA will notify affected users and/or regulators without undue delay and provide available information.


10. Retention and Deletion
Personal Data is retained only for as long as necessary to fulfill the purposes set out in this Policy or to comply with legal obligations, after which it is deleted or de-identified. As a general guideline, Telegram/account data are retained for the life of the account and deleted upon account deletion subject to technical delays for backups and logs; source images for avatar generation are typically retained for up to twenty-four hours after processing, while generated avatar assets persist for as long as the account exists; logs of AI interactions are retained for up to thirty days unless longer retention is necessary for security, investigations, or legal reasons; records associated with wallet addresses and Service activity are retained for up to twelve months after last activity, while on-chain records remain public and immutable; KYC/AML documents and records are retained in accordance with statutory requirements applicable to the relevant provider and jurisdiction; and security logs are typically retained for ninety to one hundred eighty days with extensions for investigations or legal holds. Deletion from active systems may be followed by delayed deletion from backups, and data subject to a legal hold are retained until the hold is lifted.


11. Compliance with Regional Laws (GDPR, ePrivacy, CCPA/CPRA and Others)
GENZA collects, processes, and stores Personal Data in compliance with applicable privacy and data-protection laws. Where the relationship with a user is subject to EU or UK data-protection law, GENZA adheres to GDPR/UK GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Users in the EU/EEA/UK have rights to access, rectification, erasure, restriction, objection (including to Processing based on legitimate interests), portability, and withdrawal of consent without affecting the lawfulness of Processing before withdrawal, and may lodge complaints with their supervisory authorities. GENZA acts as controller for Processing performed through the Service and responds to data-subject requests at compliance@genza.io; where required by law, GENZA will appoint an EU/UK representative and publish its contact details. GENZA also complies with requirements governing electronic communications privacy and the use of cookies and similar technologies, including the ePrivacy Directive and national implementing laws; mechanisms for obtaining valid consent are deployed where required, and users may modify their choices at any time. For California residents, GENZA complies with CCPA/CPRA, including rights to know/access, delete, and correct Personal Information, and rights to opt out of “sale” and “sharing”; GENZA confirms that it does not sell Personal Information and does not share it for cross-context behavioral advertising, and it does not use or disclose Sensitive Personal Information for additional purposes requiring a “limit” right under CPRA. Requests under CCPA/CPRA may be submitted to compliance@genza.io; GENZA will verify identity, respond within statutory timeframes, and will not discriminate for exercising rights. GENZA also takes into account applicable requirements of other jurisdictions, such as Canada’s PIPEDA and Brazil’s LGPD, and implements necessary measures where those laws apply. In the event of conflict between this Policy and mandatory provisions of regional consumer- or data-protection law, the latter prevail; the Policy is interpreted and applied to conform with all applicable laws. If any provision is held invalid or unenforceable in a given jurisdiction, the remaining provisions remain in force and a valid substitute reflecting the original intent will apply.


12. Children and Age Restrictions
The Service is intended solely for individuals eighteen years of age or older, and use by persons under eighteen is prohibited. GENZA does not knowingly collect Personal Data from children under thirteen. If you believe a minor has provided Personal Data, contact compliance@genza.io and we will delete it promptly.


13. Your Rights and Choices
Users in the EEA/UK/Switzerland may exercise rights of access, rectification, erasure, restriction, portability, and objection, and may withdraw consent at any time without affecting prior Processing, and may complain to their supervisory authority. California residents may request to know/access categories and specific pieces of Personal Information, request deletion subject to statutory exceptions, request correction of inaccuracies, and opt out of “sale” and “sharing” (not applicable because GENZA does not engage in those activities), and are protected against discriminatory treatment for exercising their rights. GENZA does not use or disclose Sensitive Personal Information for additional purposes that would trigger a “limit” right. Requests are submitted to compliance@genza.io or via in-Service tools. GENZA may request additional information to verify identity and will respond within one month under GDPR or forty-five days under California law, with permissible extensions. Requests by authorized agents are honored upon proof of authorization and, where required, direct verification by the user. Where state law provides an appeal right for denied requests, GENZA will supply appeal instructions and timelines in its response.


14. Automated Decision-Making and Profiling
GENZA does not perform automated decision-making that produces legal or similarly significant effects on users without human involvement. Limited profiling may be used to personalize features or content in a manner consistent with this Policy and applicable law.


15. Region-Specific Disclosures
Over the preceding twelve months GENZA has collected identifiers (such as Telegram ID and wallet address), internet and electronic activity information (including usage logs and diagnostics), approximate geolocation at the city or region level where provided, audio/visual content consisting of images uploaded for avatars, user-generated content, and limited inferences for personalization that do not constitute sensitive profiling. Categories disclosed for business purposes include those described, and disclosures are made to service providers acting as processors in accordance with this Policy. GENZA does not sell Personal Data and does not share it for cross-context behavioral advertising.


16. Third-Party Services and Links
The Service may link to or integrate with third-party services, including Telegram, app stores, wallets, marketplaces, analytics providers, and AI infrastructure. Their processing is governed by their own privacy policies, and GENZA is not responsible for their practices.


17. Changes to this Policy
GENZA may amend this Policy from time to time. Material changes will be announced at least thirty days in advance via in-app notice and/or email and will take effect on the stated effective date. Continued use of the Service after that date constitutes acceptance of the updated Policy.


18. Contact Us
GENZA Inc. is the controller responsible for Processing under this Policy. Communications concerning privacy may be sent to: GENZA Inc., 1201 N. Orange Street Suite 7587, Wilmington, DE, USA, zip code 19801-1186; email: compliance@genza.io. Where required by law, GENZA will appoint and publish contact details for its EU/UK representative. Electronic notices related to this Policy may be provided electronically; notices are deemed delivered when sent to your registered email address or displayed within the Service.