Privacy Policy

1. Introduction

Valta (“we,” “our,” or “us”) operates the Valta platform at valta.co. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights in relation to it.

This Policy applies to all users of the Valta website, dashboard, API, and SDK. By using the Service, you agree to the collection and use of information in accordance with this Policy.

Valta is committed to compliance with the Nigeria Data Protection Regulation (NDPR) 2019, and where applicable, the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

2. Information We Collect

2.1 Account and Registration Information

• —Full name and email address
• —Password (stored as a cryptographic hash — we cannot read it)
• —Company or organisation name (if applicable)
• —Country of residence or operation
• —Profile information you choose to provide

2.2 Financial and Transaction Data

• —Your Valta wallet balance and internal transaction history
• —Your unique on-chain deposit address on the Base blockchain network
• —On-chain USDC transfer records associated with your deposit address (amounts, transaction hashes, timestamps)
• —Spending policy configurations you create for your agents
• —Agent freeze and unfreeze events
• —Audit trail entries generated by your agents
• —Approval request history

Note: blockchain transactions are publicly visible on the Base network. Your deposit address and any transfers to or from it are permanently recorded on a public ledger and are accessible to anyone. Valta cannot make on-chain data private.

2.3 Technical and Usage Data

• —IP address and approximate geolocation
• —Browser type, version, and operating system
• —Pages visited, features used, and time spent on the platform
• —API request logs including endpoints called, response codes, and latency
• —Error logs and crash reports
• —Referral source (how you found Valta)

2.4 Communications Data

• —Messages you send to us via email or support channels
• —Feedback and suggestions you submit through the platform
• —Survey responses, if you choose to participate

3. How We Use Your Information

We use the information we collect to:

• —Create and manage your account and provide access to the Service
• —Process and record transactions initiated through the platform
• —Enforce spending policies and governance rules you have configured
• —Generate and maintain immutable audit trails
• —Send transactional emails — account verification, security alerts, transaction notifications, and important service updates
• —Respond to your support requests and communications
• —Detect, investigate, and prevent fraud, abuse, money laundering, and other illegal or prohibited activities
• —Comply with our legal obligations including anti-money laundering (AML), know-your-customer (KYC), and sanctions screening requirements
• —Improve the platform through analysis of aggregated, anonymised usage patterns
• —Send product updates, release notes, and feature announcements (you may opt out at any time)
• —Enforce these Terms of Service and protect our rights and the rights of other users

4. Legal Basis for Processing

We process your personal data on the following legal bases:

• —Contract performance — processing necessary to provide the Service under our Terms of Service
• —Legal obligation — processing required to comply with AML, sanctions, tax, and other applicable laws
• —Legitimate interests — fraud detection, security, platform improvement, and direct marketing to existing users
• —Consent — where you have explicitly opted in, such as for marketing communications

5. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party providers who help us operate the Service. These include:

• —Supabase — database hosting and authentication
• —Vercel — application hosting and edge infrastructure
• —Alchemy — blockchain transaction monitoring (detects incoming USDC deposits to your on-chain address)
• —PostHog — anonymised product analytics
• —Resend — transactional email delivery
• —Stripe — card payment processing (if you use the card deposit option)

All service providers are contractually bound to process data only for the purpose of providing services to us and to maintain appropriate security standards.

5.2 Legal Requirements

We may disclose your information to law enforcement agencies, regulatory authorities, courts, or other government bodies where required by applicable law, regulation, legal process, or governmental request. We will notify you of such disclosures where legally permitted to do so.

5.3 Fraud and Security

We may share information with third parties to detect, investigate, or prevent fraud, money laundering, sanctions violations, or other illegal activity that we reasonably believe poses a risk to Valta, our users, or the public.

5.4 Business Transfer

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal information may be transferred to the acquiring entity. We will notify you before your information is subject to a materially different privacy policy.

6. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfil the purposes described in this Policy, unless a longer retention period is required by law.

• —Account data — retained for the duration of your account plus 7 years after closure for legal and compliance purposes
• —Transaction and audit trail records — retained for a minimum of 7 years as required under applicable financial regulations
• —API access logs — retained for 90 days for security and debugging
• —Support communications — retained for 3 years
• —Marketing preferences — retained until you withdraw consent

7. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:

• —Encryption of data in transit using TLS 1.2 or higher
• —Encryption of sensitive data at rest
• —API keys stored as one-way cryptographic hashes
• —Passwords hashed using bcrypt with appropriate work factors
• —Role-based access controls limiting employee access to user data
• —Audit logging of all administrative access to production systems
• —Regular security reviews and vulnerability assessments

No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to security@valta.co.

8. Cookies and Analytics

Valta uses cookies and similar tracking technologies to operate and improve the Service. We use:

• —Essential cookies — required for authentication, session management, and core platform functionality. Cannot be disabled.
• —Analytics cookies — PostHog collects anonymised usage data to help us understand how the platform is used. No personally identifiable information is shared.
• —Preference cookies — to remember your dashboard settings and preferences.

You can control non-essential cookies through your browser settings. Disabling cookies may affect certain platform features. See our Cookie Policy at valta.co/cookie-policy for more detail.

9. International Data Transfers

Valta is based in Nigeria. Your data is processed and stored using infrastructure operated by our service providers, some of whom are located outside Nigeria. Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent protections recognised under applicable law.

By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

10. Your Rights

Subject to applicable law, you have the following rights regarding your personal information:

• —Access — request a copy of the personal information we hold about you
• —Correction — request correction of inaccurate or incomplete information
• —Deletion — request deletion of your personal information, subject to legal retention requirements
• —Portability — receive your data in a structured, machine-readable format
• —Objection — object to processing based on legitimate interests
• —Restriction — request that we limit how we use your data in certain circumstances
• —Withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@valta.co. We will respond within 30 days. We may need to verify your identity before processing your request. Note that certain data — particularly transaction and audit trail records — may be subject to mandatory legal retention periods and cannot be deleted on request.

11. Children's Privacy

The Service is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will take steps to terminate that account and delete the associated data. If you believe a minor has provided us with personal information, please contact us at privacy@valta.co.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes we will:

• —Update the 'Last updated' date at the top of this page
• —Notify you by email where we have your address on file
• —Display a notice in the dashboard

Your continued use of the Service after any changes take effect constitutes acceptance of the updated Policy.

13. Contact and Complaints

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact our Privacy team:

If you are not satisfied with our response and are located in Nigeria, you have the right to lodge a complaint with the Nigeria Data Protection Bureau (NDPB) at ndpb.gov.ng. EU residents may lodge a complaint with their local data protection authority.