Spout Finance Inc.
Privacy Policy
How Spout Finance collects, uses, and protects your information, including on-chain data, KYC records, and your rights under GDPR and CCPA.
Effective date: Pending · Last updated: July 13, 2026
This document is published for review and is not yet in force. It takes effect on the date stated above once finalized.
This Privacy Policy describes how Spout Finance Inc. ("Spout," "Company," "we," "us," or "our") collects, uses, discloses, and protects information when you access or use our website at spout.finance, app.spout.finance, docs.spout.finance, or any related services (collectively, the "Interface"). This Privacy Policy should be read together with our Terms of Service.
If you do not agree with this Privacy Policy, you should not access or use the Interface.
1. Information We Collect
We collect information through several channels depending on how you interact with the Interface. This section describes each category of data and the source from which it is collected.
1.1. Wallet and Authentication Data
When you connect your wallet to the Interface, we collect your public wallet address and authentication session data through Privy, our authentication provider. This includes session tokens, connection timestamps, and the wallet provider used (e.g., Phantom, Solflare). We do not collect or have access to your private keys, seed phrases, or wallet passwords.
1.2. Identity Verification Data (KYC)
If you mint spAssets through the Interface, you are required to complete identity verification through Persona, our KYC provider. During this process, the following information is collected:
(a) Full legal name. (b) Date of birth. (c) Residential address. (d) Government-issued photo identification (passport, driver's license, or national ID card). (e) A selfie photograph for liveness verification. (f) The results of sanctions screening against OFAC and other applicable lists.
This information is collected and processed by Persona. Spout receives a verification status (approved, declined, or pending review) along with the underlying identity data (name, date of birth, address, ID document images, and selfie) to maintain compliance records as required by anti-money laundering regulations. Persona retains its own copy of the verification data in accordance with its privacy policy, which governs Persona's independent processing. For GDPR purposes, Persona acts as a data processor when conducting verification on Spout's behalf and as an independent controller for its own regulatory compliance obligations.
1.3. On-Chain Transaction Data
All transactions executed through the Protocol are recorded on the Solana blockchain, including spAsset mints, redemptions, transfers, collateral deposits, borrowing activity, lending deposits, and withdrawals. On-chain data is publicly available by the nature of blockchain technology. The Company indexes and stores a copy of on-chain transactions related to the Protocol for internal analytics, compliance monitoring, and user experience purposes.
1.4. Usage and Analytics Data
We use Plausible Analytics, a privacy-focused, cookieless analytics service. Plausible collects aggregated, non-personally-identifiable usage data including page views, referral sources, browser type, device type, and country-level geographic data. Plausible does not use cookies, does not collect IP addresses, and does not track individual users across sessions.
1.5. Performance Monitoring Data
We use Amazon CloudWatch Real User Monitoring ("RUM") to monitor Interface performance. CloudWatch RUM collects performance metrics such as page load times, navigation timing, and JavaScript errors. CloudWatch RUM is configured without cookies (allowCookies disabled). No persistent identifiers are stored on your device by CloudWatch RUM.
1.6. Newsletter and Waitlist Data
If you sign up for our newsletter or waitlist through the landing page, we collect your email address. This data is stored in Supabase, which is used solely for the landing page and waitlist functionality and is not connected to the core Protocol or Interface.
1.7. Email Communications
We use Resend as our transactional email provider. When we send you emails (account notifications, verification confirmations, or other service-related communications), Resend processes your email address and may collect standard email delivery metadata (open rates, delivery status). Resend's privacy policy governs how Resend processes your data.
1.8. Information We Do Not Collect
We do not collect your name, email address, phone number, or residential address through the Interface itself (these are collected only through the KYC process described in Section 1.2 and the newsletter signup described in Section 1.6). We do not collect IP addresses through our analytics (Plausible is cookieless and does not log IPs). We do not collect financial account information (bank accounts, credit cards). We do not sell personal data.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1. Providing the Interface. To operate, maintain, and improve the Interface and the user experience.
2.2. Identity Verification and Compliance. To verify your identity for KYC requirements, to screen against sanctions lists, to comply with anti-money laundering regulations, and to maintain required compliance records.
2.3. Transaction Monitoring. To monitor on-chain activity for compliance purposes, to detect and prevent fraud, market manipulation, and other prohibited activities as described in the Terms of Service.
2.4. Performance and Reliability. To monitor and improve the technical performance, stability, and reliability of the Interface using CloudWatch RUM.
2.5. Communications. To send you service-related communications, including verification confirmations, security alerts, and material updates to these Terms or the Privacy Policy.
2.6. Analytics. To understand how users interact with the Interface in aggregate (not individually) through Plausible Analytics, to inform product development and improve the user experience.
2.7. Legal Compliance. To comply with applicable laws, regulations, and legal processes, including responding to subpoenas, court orders, and government requests.
2.8. Safety and Security. To protect against, detect, and prevent fraud, unauthorized activity, security incidents, and other harmful or illegal activity.
3. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, we process your personal data under the following legal bases. GDPR applies to our processing because our infrastructure is hosted in the EU (AWS eu-north-1, Stockholm, Sweden) and because we offer services to individuals located in the EEA.
3.1. Contract Performance (Article 6(1)(b) GDPR). Processing wallet data, authentication data, and on-chain transaction data is necessary to provide the Interface services you have requested by connecting your wallet and using the Protocol.
3.2. Legal Obligation (Article 6(1)(c) GDPR). Processing KYC data, sanctions screening data, and transaction monitoring data is necessary to comply with applicable anti-money laundering, sanctions, and financial regulations.
3.3. Legitimate Interest (Article 6(1)(f) GDPR). Processing performance monitoring data (CloudWatch RUM) and aggregated analytics data (Plausible) is necessary for our legitimate interest in maintaining the security, performance, and reliability of the Interface and understanding usage patterns in aggregate. We have conducted a balancing test and determined that these interests are not overridden by your rights, particularly given the privacy-preserving design of our analytics stack (cookieless Plausible, session-level RUM data).
3.4. Consent (Article 6(1)(a) GDPR). Where we collect your email address for newsletter communications, processing is based on your consent, which you may withdraw at any time by unsubscribing.
4. Subprocessors and Third-Party Service Providers
We share data with the following third-party service providers who process data on our behalf or independently in connection with the Interface:
4.1. Persona (identity verification). Collects and processes KYC data for identity verification and sanctions screening. Persona acts as a data processor on our behalf for verification services and as an independent controller for its own regulatory compliance obligations. Data shared: full name, date of birth, address, government ID, selfie, verification status.
4.2. Privy (authentication). Processes wallet connection and authentication session data. Data shared: public wallet address, session tokens, connection metadata.
4.3. Alpaca Securities LLC (broker-dealer and custodian). Processes trade execution and equity custody data related to spAsset minting and redemption. Alpaca is a FINRA-member broker-dealer and independently regulated. Data shared: trade instructions, custody positions.
4.4. Stork (oracle and Proof of Reserve). Provides price feed data and Proof of Reserve attestations. No personal data is shared with Stork; the oracle interacts with smart contract data, not user data.
4.5. Amazon Web Services (infrastructure). Hosts the Interface infrastructure in the eu-north-1 (Stockholm, Sweden) region. Provides CloudWatch RUM for performance monitoring. Data stored: all Interface data, session-level performance metrics.
4.6. Helius, Alchemy, and Triton (Solana RPC providers). These providers relay Solana blockchain transactions. When you submit a transaction through the Interface, your IP address may be visible to the RPC provider handling the request. We use multiple providers for reliability. The Interface routes RPC requests through a backend relay to minimize direct IP exposure to RPC providers, but we cannot guarantee that your IP address will never be visible to these providers in all circumstances.
4.7. Supabase (landing page database). Stores newsletter and waitlist email addresses. Used exclusively for the landing page and not connected to the core Protocol infrastructure.
4.8. Plausible Analytics (analytics). Processes aggregated, non-personally-identifiable usage data. No personal data is shared. Plausible does not use cookies and does not track individuals.
4.9. Resend (email). Processes email addresses for transactional email delivery. Data shared: email address, message content, delivery metadata.
5. Cookies and Tracking Technologies
5.1. The Interface uses a minimal number of cookies.
The Interface does not set any cookies. CloudWatch RUM is configured with cookies disabled (allowCookies=false), and Plausible Analytics is a cookieless analytics service that does not set any cookies or use any client-side tracking technologies.
5.2. We do not use advertising cookies, retargeting pixels, social media tracking pixels, or any third-party tracking technologies for advertising or marketing purposes.
5.3. Because the Interface does not set cookies, no cookie consent banner or mechanism is required.
6. Data Sharing and Disclosure
6.1. We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
6.2. We may disclose your information in the following circumstances:
(a) Service Providers. To the subprocessors identified in Section 4, solely for the purposes described in this Privacy Policy.
(b) Legal Requirements. When required by applicable law, regulation, legal process, or governmental request. This includes responding to subpoenas, court orders, regulatory inquiries, and requests from law enforcement.
(c) Compliance and Safety. When we believe disclosure is necessary to enforce our Terms of Service, to protect the rights, property, or safety of the Company, our users, or any third party, or to detect, prevent, or address fraud, security, or technical issues.
(d) Business Transfers. In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the acquiring or successor entity. We will notify you of any such transfer through the Interface or by email if we have your email address.
(e) With Your Consent. When you have given us explicit consent to share specific information.
7. International Data Transfers
7.1. Our primary infrastructure is hosted on Amazon Web Services in the eu-north-1 region (Stockholm, Sweden). Data stored in this region is subject to EU data protection law.
7.2. Certain subprocessors may process your data outside the EEA. When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
(a) Standard Contractual Clauses ("SCCs") approved by the European Commission. (b) Adequacy decisions by the European Commission, where applicable. (c) The EU-U.S. Data Privacy Framework, where certified by the recipient.
The Company has executed or will execute Standard Contractual Clauses with each subprocessor that processes EU personal data outside the EEA, including Persona, Privy, Alpaca Securities, and Resend. Where a subprocessor has self-certified under the EU-U.S. Data Privacy Framework, the DPF certification serves as an additional safeguard alongside the SCCs.
7.3. Alpaca Securities LLC is a US-based entity regulated by FINRA and the SEC. Personal data shared with Alpaca (including trade data and any KYC information required for account setup) is processed in the United States.
8. Data Retention
8.1. We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.
8.2. Specific retention periods:
(a) KYC Data. Retained for a minimum of five (5) years after the end of your relationship with the Company, as required by anti-money laundering regulations (U.S. Bank Secrecy Act and, where applicable, EU Anti-Money Laundering Directives).
(b) Wallet and Authentication Data. Retained for as long as your wallet has interacted with the Protocol and for a period of two (2) years after your last interaction with the Interface.
(c) On-Chain Transaction Data. On-chain data exists permanently on the Solana blockchain and cannot be deleted by the Company or any other party. The Company's internal copy of indexed on-chain data is retained for as long as the Protocol is operational.
(d) Performance Monitoring Data. CloudWatch RUM data is retained for thirty (30) days.
(e) Newsletter and Waitlist Data. Retained until you unsubscribe or request deletion, or for two (2) years from your last engagement with our communications, whichever comes first.
(f) Analytics Data. Plausible analytics data is aggregated and non-identifiable. Aggregated data has no retention limit because it cannot be linked to any individual.
9. Your Privacy Rights
9.1. Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under applicable data protection law:
(a) Right of Access. You have the right to request a copy of the personal data we hold about you.
(b) Right to Rectification. You have the right to request correction of inaccurate personal data.
(c) Right to Erasure ("Right to Be Forgotten"). You have the right to request deletion of your personal data, subject to the limitations described in Section 9.3.
(d) Right to Restriction of Processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.
(e) Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
(f) Right to Object. You have the right to object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
(g) Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw your consent at any time.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. Because our primary data processing infrastructure is located in Sweden, you may also contact the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, "IMY").
9.2. Rights Under CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act ("CCPA") provides you with the following rights:
(a) Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share your data.
(b) Right to Delete. You have the right to request deletion of your personal information, subject to the limitations described in Section 9.3.
(c) Right to Opt-Out of Sale. We do not sell your personal information. This right is not applicable, but we include it for transparency.
(d) Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at [email protected].
9.3. Limitations on Erasure and Deletion
You acknowledge that certain data cannot be deleted due to the nature of blockchain technology and regulatory requirements:
(a) On-Chain Data. Transactions recorded on the Solana blockchain are permanent and immutable. The Company cannot delete, modify, or obscure on-chain transaction records, wallet addresses, or token transfer histories. This is a fundamental characteristic of blockchain technology that you accept by using the Interface.
(b) KYC Records. Identity verification records may be retained for the minimum period required by anti-money laundering regulations (currently five years) even after you request deletion, where retention is required by law.
(c) Transfer Hook Records. Records associated with the Token-2022 transfer hook (KYC verification status linked to wallet addresses) are stored on-chain and cannot be deleted by the Company.
(d) Compliance Records. Records of sanctions screening, suspicious activity monitoring, and regulatory reporting may be retained as required by applicable law.
10. Children's Privacy
The Interface is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information as promptly as possible. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Security
11.1. We implement reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
(a) Encryption of data in transit (TLS/SSL) and at rest (AWS encryption). (b) Access controls limiting employee and contractor access to personal data on a need-to-know basis. (c) Regular security assessments and monitoring. (d) Smart contract security audits by Halborn.
11.2. No method of electronic storage or transmission is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the security of your wallet credentials and private keys.
12. Changes to This Privacy Policy
12.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this Privacy Policy will be updated to reflect the date of the most recent revision.
12.2. If we make material changes to this Privacy Policy, we will notify you through the Interface or by email (if we have your email address) prior to the change becoming effective.
12.3. Your continued use of the Interface after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy, your personal data, or your privacy rights, please contact us at:
Spout Finance Inc. Email: [email protected]
Because Spout Finance Inc. does not have an establishment in the European Union, the Company has appointed an EU representative pursuant to Article 27 of the GDPR. The EU representative can be contacted at: [email protected].
For data protection inquiries, the Company's designated data protection contact is the General Counsel, who can be reached at [email protected].
This Privacy Policy is provided for review by qualified counsel before publication. The GDPR compliance framework, EU representative appointment, and subprocessor data processing agreements require particular attention.