Developers
Contact

Metaplex Foundation Privacy Policy

This Privacy Policy describes how the Metaplex Foundation (together with its affiliates, the “Foundation”, “we”, “us”, or “our”) collects, stores, uses, discloses and protections your Personal Data when you use our Services.

We are committed to processing Personal Data in accordance with applicable data protection laws, including the Cayman Islands Data Protection Act (2021 Revision) ("DPA").  For the purposes of the DPA, Metaplex Foundation is the "data controller" responsible for determining the purposes and means of processing your Personal Data. 

This Policy applies when you:

  • Visit our websites at [insert link to all website], or any other Foundation website that links to this Privacy Policy;

  • Engage with us in other relates ways, including when you contact us or use our Services. 

If have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@metaplex.foundation

DEFINITIONS

For the purposes of this Privacy Policy:

  • Personal Data” means any information about an identified or identifiable individual, as defined in the DPA. In practical terms, this is information that can be used on its own or with other information to identify you.

  • Data Controller” means the person or entity who, alone or jointly, determines the purposes and means of processing Personal Data (here, Metaplex Foundation).

  • Data Subject” means an individual whose Personal Data is processed.

  • Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, disclosure, or erasure.

  • Services” means the websites, applications, and other offerings provided by Metaplex Foundation to which this Privacy Policy applies.

1. WHAT INFORMATION DO WE COLLECT?

Metaplex Foundation collects and processes Personal Data only as necessary for specified, explicit, and legitimate purposes in connection with the operation of our Services.

A. Personal Data You Provide to Us

We collect Personal Data that you choose to provide when interacting with our Services. This may include information you submit when creating an account, connecting a digital wallet, complying with Know Your Customer (KYC) or anti-money laundering (AML) checks, communicating with us, or using features that involve inputting content or uploading data. 

The scope of Personal Data collected depends on the nature of your interaction and may include identifiers, contact details, and any other information you voluntarily submit. You are responsible for ensuring that any Personal Data you provide is accurate, complete, and up to date.

B. Information Collected Automatically 

When you access or use our Services, we may automatically collect certain information, including:

  • IP address, browser type, operating system, device identifiers, language preferences, and usage data (such as pages viewed, features used, and dates/times of access).

  • General geographic location inferred from your IP address.

  • Public blockchain data related to actions you take using our Services (e.g., wallet address, transaction history). Please note that blockchain data is public and may be immutable.

  • We and our third-party partners use cookies, pixel tags, and similar technologies to collect information about your interactions with our Services. 

C. Third Party Services and Social Media. 

If you choose to integrate our Services with third-party services, we may receive data from those services. Likewise, if you interact with our Services or content on social media or another site, we may receive basic account information from that platform. We treat this information according to this Policy. Keep in mind that any data collected by external services is subject to their privacy policies.

D. AI Agent Inputs

When you interact with any AI Agent Services we offer, we may collect and process the content you submit (“Inputs”) and the responses generated (“Outputs”). These may include Personal Data if you choose to include such information. We treat these Inputs and Outputs as Personal Data where applicable and process them in accordance with this Privacy Policy.

E. Sensitive Personal Data

We do not intentionally collect or process “sensitive personal data” as defined under the DPA (including data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or health data, sex life, or criminal convictions). If you choose to provide such data, you consent to its processing for the purpose for which it was provided.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your Personal Data only as necessary for the purposes described in this Privacy Policy, and in accordance with applicable law.  We ensure that all processing is fair, lawful and transparent, and that it is carried out for specified, explicit, and legitimate purposes. 

We may process your Personal Data for a variety of purposes, depending on how you interact with our Services, including:

  • To provide, maintain and operate our Services;

  • To improve and enhance our Services, including through analytics and user feedback;

  • To communicate with you, including responding to your inquiries, providing updates, and delivering information you request;

  • To detect, prevent and address fraud, security, or technical issues, and to protect the integrity of our Services; 

  • To enable user-to-user communications where applicable;

  • To comply with our legal and regulatory obligations, including responding to lawful requests from courts, regulators, or other authorities;

  • To protect your vital interests or those of another individual, such as to prevent harm;

  • To enforce our Terms of Service or other legal rights;

  • For any other purpose for which you have consented at the time your Personal Data is collected.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services, to fulfil our contractual obligations, to protect your rights, or to fulfil our legitimate business interests. 

We will only process your Personal Data when at least one of the following conditions is met: 

  • Consent: You have given your consent to the processing of your Personal Data for one or more stated purposes. You can withdraw your consent at any time by contacting us at privacy@metaplex.foundation. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  • Contractual necessity: Processing your personal information is necessary to fulfil our contractual obligations to you, including providing our Services or at your request before entering into a contract with you.

Legitimate interests: Processing is necessary for our legitimate business interests or those of a third party, except where such interests are outweighed by your interests or fundamental rights and freedoms as a Data Subject.  Our legitimate interests may include, for example, improving our Services, preventing fraud, or ensuring network and information security. 

  • Legal Obligations. Processing is necessary for us to comply with legal or regulatory obligations to which we are subject, including where applicable, to fulfil identity verification requirements such as KYC or AML checks.

  • Vital Interests. Processing is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person. 

  • Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

We do not process your Personal Data for purposes that are incompatible with these lawful bases.  If you have any questions about the legal bases on which we process your Personal Data, or wish to exercise your rights under applicable law, please contact us at privacy@metaplex.foundation.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may share your Personal Data with third parties as necessary, in accordance with the lawful bases described above and applicable data privacy laws, including the DPA. 

We may share your Personal Data in the following circumstances:

  • Service Providers:  We share Personal Data with trusted third-party service providers who perform processing on our behalf (for example, cloud hosting, email delivery, analytics, customer support, and fraud prevention). These providers are contractually required to process Personal Data only for our specified purposes and to protect it to standards equivalent to this Policy.

  • Affiliates. We may share your Personal Data with related entities within our corporate group, in which case we will require those affiliates to honour this Privacy Policy. 

  • Business Partners. We may share or transfer your Personal Data in connection with our business partners to offer you certain products, services, or promotions. We do not share your Personal Data with third parties for their own direct marketing purposes.

  • Third-Party Integrations: When you explicitly connect our Services with a third-party service or instruct an agent to interact with an external platform, we will share data as needed to fulfil your request. We will only do this when you initiate it, and the data shared is typically what is necessary for the integration. Please note that any information processed by the third-party service is governed by that service’s own privacy policy, not by the Foundation. We recommend reviewing the privacy settings and policies of any third-party services you connect to our Services.

  • Other Users. When you share Personal Data (for example, by posting comments or other content to the Services), such information may be visible to all users and may be made publicly available outside the Services in perpetuity.  Please note that information published on a public blockchain or forum may be immutable and cannot be erased by us.

  • Legal and Regulatory Requirements. We may disclose your Personal Data where required to do so by law, regulation, court order, or other legal process, or in response to lawful requests from public authorities.

  • Corporate Transactions: In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your Personal Data may be transferred as part of that transaction, subject to the safeguards described in this Policy.

We do not share your personal data with third parties for their own marketing purposes without your consent. We also do not give any outside parties direct access to your data except as necessary to operate the service or as required by law. If you have questions about specific third parties that may have access to your information, contact us and we can provide more details about our current service providers.

5. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

Metaplex Foundation is based in the Cayman Islands, but in the course of providing our Services, your Personal Data may be transferred to, stored, or processed in countries outside the Cayman Islands, including countries that may not have data protection laws equivalent to those in the Cayman Islands, such as the United States.

Whenever we transfer your Personal Data internationally, we will take reasonable steps to ensure that your information is treated securely and in accordance with this Privacy Policy and applicable law. 

If you are a resident in the European Economic Area (EEA), United Kington (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

We keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible, (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. 

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We employ appropriate technical and organizational measures to protect your personal data from unauthorized access, loss, misuse, or alteration.  Specifically:

  • We ensure that only staff and contractors who need to process your data have access, and they are subject to strict confidentiality obligations. We provide privacy and security training to our team. We also maintain policies and procedures for handling data safely and responding to potential security incidents.

  • Our servers are protected by firewalls and monitoring systems. We regularly update our software and infrastructure to address security vulnerabilities. 

  • We may perform periodic security audits, vulnerability assessments, and penetration testing to evaluate and improve our security posture. We also monitor our systems for suspicious activity and have incident response plans ready.

Despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal or modify your information. Although we do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

In the event of a personal data breach involving your Personal Data, we will notify you and the Cayman Islands Ombudsman and other applicable agencies without undue delay (and no later than five days after becoming aware of the breach), as required by the DPA. We will take all appropriate steps to remedy any security issue and mitigate any potential harm.

8. DO WE COLLECT INFORMATION FROM MINORS?

The Services are not directed to individuals who are under the age of eighteen (18) and we do not solicit nor knowingly collect personal information from children under the age of eighteen (18). If you believe that we have unknowingly collected any personal information from someone under the age of eighteen (18), please contact us immediately at privacy@metaplex.foundation and the information will be deleted.

9. WHAT ARE YOUR PRIVACY RIGHTS?

Under the Cayman Islands DPA,  you have a number of rights regarding your Personal Data. Your rights may include:

  • the right to request confirmation as to whether we process your Personal Data, and to request a copy of the Personal Data we hold about you;

  • the right to request correction of inaccurate or incomplete Personal Data;

  • the right to request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent (where applicable), subject to legal or regulatory retention requirements and to the limitations described in this Policy;

  • the right to request that we restrict the processing of your Personal Data in certain circumstances (for example, if you contest the accuracy of the data).

  • the right to object to the processing of your Personal Data in certain circumstances, including for direct marketing purposes.

  • the right to receive your Personal Data in a structured, commonly used, and machine-readable format, where practicable; and

  • the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Additionally, if you have signed up to receive updates or newsletters, you may opt out at any time. To unsubscribe from emails, click the ‘Unsubscribe’ link in the footer of the email or contact us at privacy@metaplex.foundation with your request. We will promptly remove you from our marketing list.

You may exercise your rights at any time by contacting us at privacy@metaplex.foundation.  We will consider and act upon any request in accordance with applicable data protection laws. Please note that we may need to verify your identity before fulfilling your request.  Certain rights may be limited in some circumstances, for example, where we are required to retain data for legal or regulatory purposes, or where data has been made public on a blockchain and cannot be erased or altered by us.

If you have concerns about how we process your Personal Data, you may contact us at any time. 

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you have a right to complain to your Member State or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

You may also have the right to lodge a complaint with the Cayman Islands Ombudsman.

10. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (‘DNT’) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Policy.

11. COOKIE NOTICE

Our Services use cookies and similar technologies to enhance your experience, analyse usage, and support the functionality of our websites. Cookies are small text files placed on your device that help us remember your preferences and understand how you interact with our Services.

You can control or disable cookies through your browser settings. Please note that disabling cookies may affect the availability and functionality of certain features of our Services.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will post any adjustments to this Policy on this page, and the revised version will be effective when it is posted. Your continued use of our Services after any changes are posted constitutes your acceptance of those changes.

Please periodically review this Policy for the latest on the Foundation’s privacy practices. If we materially change the ways in which we use or share Personal Data,  we will provide additional notice as appropriate, which may include a prominent notice on our website or direct communication.

13. CONTACT INFORMATION

If you have any questions, comments, or concerns about our processing activities, please email us at privacy@metaplex.foundation or contact us by post at:

Metaplex Foundation 23 Lime Tree Bay Avenue, P.O. Box 10176Grand Cayman KY1-1002, Cayman Islands

Last updated: 18 July 2025