Logo

OPIN.ART / PRIVACY & DATA PROTECTION POLICY

THE DATA MINIMISATION DOCTRINE

Effective Date: 14 April 2026

Entity: MONOLITH LABS LTD (Co. No. 17154388)

ICO Registration Number: ZC126753

Registered Address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Contact: info@monolithlabs.uk

Preamble: The Web3 Privacy Ethos

MONOLITH LABS LTD (the “Company”, “we”, or “us”) operates the OPIN.ART platform (the “Platform”) on a strict principle of cryptographic anonymity and absolute data minimisation. We are a non-custodial Web3 interface. We do not know who you are, we do not want to know who you are, and our systems are architected to avoid the collection of personally identifiable information to the maximum extent technically possible.

This Policy explains how the Company complies with the UK General Data Protection Regulation (UK GDPR) as incorporated into UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR), in the limited instances where technical data is necessarily processed. This Policy forms part of the OPIN.ART Legal Framework and should be read alongside the Codex (Terms of Service) available at https://opin.art/legal/terms.

Article 1. The Zero-KYC Principle — What We Do Not Collect

Unlike traditional Web2 platforms or centralised exchanges, the Platform does not utilise user accounts. You are not required to provide, and the Company strictly does not collect, request, or store:

  • Your legal name, physical address, or date of birth.
  • Your email address or telephone number, unless you voluntarily initiate a communication with our legal or support team via email — in which case your email address is processed solely for the purpose of responding to your enquiry and is not retained beyond that purpose.
  • Government-issued identification documents or KYC materials of any kind.
  • Passwords, private keys, seed phrases, or recovery phrases.

The Company will never request your private key, seed phrase, or recovery phrase through any communication channel whatsoever. Any communication purporting to be from the Company that requests such information should be treated as a phishing attempt and reported to info@monolithlabs.uk immediately.

Article 2. Technical Data We Necessarily Process

To maintain the security, integrity, and legal compliance of the Platform, the Company is technically required to process certain limited categories of network and session data when you access the interface.

2.1. IP Addresses and Geo-Fencing.

We collect and process your Internet Protocol (IP) address strictly at the network edge via our Cloudflare infrastructure. This processing is technically mandatory to:

  • Enforce the absolute jurisdictional prohibitions set out in Articles 6 and 7 of the Codex against users from the United States, the United Kingdom, and comprehensively sanctioned jurisdictions, in compliance with applicable international trade and sanctions law; and
  • Defend our infrastructure against Distributed Denial of Service (DDoS) attacks, bot activity, and malicious automated scraping as defined in Article 37 of the Codex.

IP addresses processed for geo-fencing and security purposes are held in volatile memory or short-term security logs and are purged within 30 to 90 days, after which they are automatically overwritten or deleted. We do not maintain persistent off-chain databases linking your IP address to your public wallet address.

2.2. Public Wallet Address.

When you connect a non-custodial wallet to the Platform, we process your public wallet address (for example, your Solana public key) solely to render your balances, NFT holdings, and transaction history within the user interface. We do not link your public wallet address to any real-world identity or personally identifiable information. Session data relating to your wallet connection is held only for the duration of your active session and is not retained thereafter in any identifiable form.

2.3. Usage and Performance Telemetry.

The Company may process anonymised, aggregated telemetry data — including error logs, crash reports, and interface interaction patterns — strictly for the purposes of maintaining Platform stability and resolving technical issues. This data is processed in a form that does not permit identification of individual users and is not linked to wallet addresses or IP addresses.

Article 3. The Blockchain Paradox — Public Ledger Acknowledgment

You acknowledge and accept that the Solana blockchain is a public, immutable, and permanently accessible distributed ledger. When you use the Platform to broadcast a transaction, your public wallet address, transaction amounts, asset types, and cryptographic signatures are permanently recorded on-chain. This data is publicly visible to anyone in the world.

The Company is not a data controller in respect of any data broadcast to the public blockchain ledger. The Company has no technical ability to erase, alter, or obscure any data written to the Solana blockchain. You transact on public blockchains at your own absolute risk regarding on-chain privacy.

Article 4. Legal Bases for Processing

Where the Company acts as a Data Controller under UK GDPR and, where applicable, EU GDPR, processing activities are conducted on the following legal bases:

Legal Obligation (Article 6(1)(c) UK/EU GDPR): Processing of IP addresses to enforce jurisdictional blocks and comply with applicable international sanctions regimes and trade laws, including OFSI, OFAC, UN, and EU sanctions frameworks.

Legitimate Interests (Article 6(1)(f) UK/EU GDPR): Processing of technical telemetry and security logs to maintain network security, prevent automated API abuse and unauthorised data extraction as defined in Articles 36 to 38 of the Codex, and ensure Platform uptime and integrity. The Company has assessed that these legitimate interests are not overridden by your rights and freedoms, given the minimal and non-identifiable nature of the data processed.

Contractual Necessity (Article 6(1)(b) UK/EU GDPR): Processing of your public wallet address to provide the routing, display, and aggregation services you request upon connecting your wallet to the Platform.

Article 5. Data Retention

The Company does not retain data beyond the period strictly necessary for the purposes described in this Policy.

  • IP Addresses and Security Logs: Purged within 30 to 90 days of collection, solely for security forensics and abuse prevention.
  • Public Wallet Address Session Data: Held only for the duration of your active wallet connection. Not retained in identifiable form after session termination.
  • Anonymised Telemetry: Retained in aggregated, non-identifiable form for up to 12 months for performance analysis, after which it is permanently deleted or anonymised beyond recovery.
  • Voluntary Email Communications: Retained only for as long as necessary to resolve your enquiry, typically no longer than 12 months.

Article 6. Infrastructure and Cross-Border Data Transfers

The Company is incorporated in England and Wales. Our primary server infrastructure is located in Helsinki, Finland, within the European Union. Technical telemetry data is routed through EU-based infrastructure operated by Hetzner and processed via Cloudflare’s global edge network.

Transfers of data between the United Kingdom and the European Union are conducted on the basis of the UK’s adequacy regulations recognising the EU as providing an equivalent level of data protection. Where data is processed in jurisdictions outside the UK and EU — including by Cloudflare’s global infrastructure — the Company ensures appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses, as applicable.

Article 7. Third-Party Processors

The Company utilises the following enterprise-grade infrastructure partners, each bound by data processing agreements that prohibit the use of your technical data for any purpose other than delivering services to the Company:

Cloudflare, Inc.: DNS routing, edge security, Web Application Firewall, DDoS protection, and geo-IP enforcement.

Hetzner Online GmbH / EU Hosting Providers: Physical server hosting in Helsinki, Finland.

RPC Node Providers: Third-party Solana RPC node providers used to fetch on-chain data for display within the Platform interface. Your public wallet address and transaction requests are transmitted to these providers as a technical necessity of blockchain architecture.

Third-Party Marketplace APIs: Where the Platform aggregates data from third-party NFT marketplaces including Magic Eden and Tensor, technical request data is necessarily transmitted to those providers’ APIs. Your use of any such third-party service is governed by that provider’s own terms and privacy policy.

A full and current list of data processors is available upon request at info@monolithlabs.uk.

Article 8. Your Data Subject Rights

Under UK GDPR and, where applicable, EU GDPR, you have the following rights in respect of personal data processed by the Company:

  • The right to access personal data held about you (Subject Access Request).
  • The right to rectification of inaccurate personal data.
  • The right to erasure of personal data (“right to be forgotten”) in certain circumstances.
  • The right to restriction of processing.
  • The right to data portability.
  • The right to object to processing based on legitimate interests.
  • The right not to be subject to solely automated decision-making that produces legal or similarly significant effects.

The Web3 Caveat: Because the Company does not link technical data to a real-world identity, it may not be possible to identify which specific log entries relate to you without additional information provided by you. Furthermore, the Company cannot comply with any erasure or rectification request in respect of data that has been broadcast to and recorded on the public Solana blockchain, as such data is cryptographically immutable. Compliance with any erasure request is strictly limited to technical logs within the Company’s direct possession and control.

To exercise any of the above rights, please contact: info@monolithlabs.uk

Article 9. Automated Decision-Making and Geo-Fencing

The Platform utilises automated geo-IP lookup systems to enforce the jurisdictional prohibitions set out in Articles 6 and 7 of the Codex. This constitutes automated processing which may result in access to the Platform being denied. If you believe you have been erroneously blocked by this automated mechanism as a result of an incorrect IP geolocation determination, you may contact info@monolithlabs.uk to raise the issue. The Company will review such cases in good faith. However, the use of a VPN or proxy to bypass this automated mechanism constitutes a material breach of the Codex as set out in Article 8 thereof, and is not a permissible method of circumventing a geo-block determination.

Article 10. Supervisory Authority

If you are a UK resident and believe the Company has mishandled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Website: www.ico.org.uk

ICO Registration Number: ZC126753

If you are an EU resident, you may also lodge a complaint with the supervisory authority in your EU member state of habitual residence.

The Company would welcome the opportunity to address your concerns directly before you approach a supervisory authority. Please contact info@monolithlabs.uk in the first instance.

Article 11. Children’s Privacy

The Platform is strictly intended for individuals who are of the legal age of majority in their jurisdiction of residence, being a minimum of eighteen (18) years of age, as set out in Article 9 of the Codex. The Company does not knowingly collect or process personal data from any person under the age of 18. If the Company becomes aware that it has inadvertently processed data from a minor, it will take immediate steps to delete such data from its systems.

Article 12. Updates to This Policy

The Company reserves the right to update this Policy from time to time to reflect changes in applicable law, regulatory guidance, or the Company’s technical infrastructure. Material changes will be notified via an in-platform alert in accordance with Article 3 of the Codex. The Effective Date at the head of this document will be updated to reflect any amendments. Your continued use of the Platform following notification of any material change constitutes your acknowledgment of the revised Policy.

© 2026 MONOLITH LABS LTD. All rights reserved.

OPIN.ART, OPINDEX, OPINCUR, MONOLITH, and the OPIN- prefix are trademarks of MONOLITH LABS LTD.

Registered in England and Wales. Company Number: 17154388. ICO Registration: ZC126753.

Registered Address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Contact: info@monolithlabs.uk