
Naba Web3 Wallet — Privacy Policy

Version 1.2, effective from 2026-05-15

Changes from 1.1: Added Section 12 (Data Deletion) explaining how users can remove locally stored data and clarifying the immutability of on-chain records.

This Privacy Policy for Devnull FZCO, a free zone company organized and existing under the laws of the United Arab Emirates, holding commercial license No. 30069 issued by the Dubai Integrated Economic Zones Authority (DIEZ) and registered in the IFZA free zone, having its registered office at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates (“Company”, “we”, “our” or “us”), describes how and why we might collect, store, use, and/or share (“process”) your information when you use services related to the Naba Web3 Wallet (“Service(s)”, “Wallet” or “Naba Wallet”).

If there are any terms in this Privacy Policy that you do not agree with, please discontinue access and use of our Services.

Please read this Privacy Policy carefully as it will help you make informed decisions about sharing your personal information with us. If you have any questions or concerns about our policy or our practices with regard to your personal information, please contact us at the email address mentioned in the “CONTACT US” section.

This Privacy Policy is designed to comply with the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) and related implementing regulations, as well as other applicable data protection and privacy laws.

0. Privacy by Design — Summary

Naba Wallet is engineered to minimise the personal data we process about you. In particular:

  • The Wallet is non-custodial and seedless: we do not generate, hold, or have access to your private keys, recovery credentials, seed phrases, or digital assets;
  • The Wallet uses zero-knowledge (“ZK”) cryptography for identity verification through UAE Pass: we do not receive or store your Emirates ID number, full name, date of birth, address, photograph, or other identity attributes held by UAE Pass. We only receive a cryptographic proof confirming that a unique, real, eligible person has authenticated;
  • Transactions are settled directly on the blockchain. We do not have the technical ability to monitor, block, or reverse your transactions;
  • The client-side Wallet software is open-source and available for independent review.

The remainder of this Privacy Policy explains the limited categories of personal data we do process (for example, where you contact us, sign up for updates, or where automatically-collected technical data is involved).

1. What Information Do We Collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us while using our Services, express an interest in obtaining information about us or our Services, when you participate in activities on the Services, or otherwise when you contact us.

Personally identifiable information may include:

  • Email address (for example, when you sign up for early access, support, or notifications);
  • Phone number (only if you choose to provide it for support purposes);
  • Any information you choose to include in correspondence with us.

We do not process special categories of personal data within the meaning of Article 15 of the PDPL (such as data revealing health, biometric data used for unique identification by us, racial or ethnic origin, political opinions, religious beliefs, or criminal records). Biometric authentication (such as fingerprint or face recognition) used to unlock the Wallet is processed exclusively on your device by your operating system; we never receive or store your biometric data.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information related to UAE Pass authentication

When you authenticate via UAE Pass, the verification is performed using zero-knowledge cryptography. We do not collect, receive, or store:

  • your Emirates ID number;
  • your full name, gender, date of birth, or nationality;
  • your photograph;
  • your residential or postal address;
  • your UAE Pass username or any other identifying attribute held by UAE Pass.

We only receive a cryptographic proof and a derived, non-reversible identifier confirming that a unique, real and eligible person has authenticated. This proof allows us to enforce one-account-per-person guarantees and bot/sybil resistance, without disclosing your identity to us.

For information about how UAE Pass itself processes your personal data, please refer to the UAE Pass privacy notice at https://uaepass.ae.

Information collected from third parties

We may receive information about you from third parties. We may access and process publicly available information, including blockchain wallet addresses, publicly available blockchain transaction data, and information made publicly available on social media platforms, where relevant for security, integrity, fraud prevention, or analytics purposes.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not, by itself, reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

We also collect information through cookies and similar technologies (where applicable to the web interface).

  • Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports — sometimes called “crash dumps”), and hardware settings.

  • Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.

  • Approximate Location Data. Where applicable, we may infer approximate location (such as country or region) from your IP address for security, fraud-prevention, and compliance purposes (for example, to enforce eligibility under sanctions regimes). We do not collect precise GPS location data through the Wallet without your explicit consent.

Information we do NOT collect

For the avoidance of doubt, and consistent with the architecture of the Wallet, we do not collect, store, or have access to:

  • your private keys, recovery credentials, seed phrases (the Wallet is seedless), or PIN/biometric authentication factors;
  • your digital assets or balances thereof (other than what is publicly observable on-chain);
  • the contents of your transactions beyond what is recorded on the public blockchain;
  • your Emirates ID number or other identity attributes verified through UAE Pass;
  • camera images, video frames, or any other camera-derived data (the camera is used only on-device for QR-code decoding — see Section 3).

2. How Do We Process Your Information?

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage your account: to manage your registration as a user of the Service. The Personal Data you provide can give you access to different functionalities of the Service that are available to you as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of any contract with us through the Service.
  • To contact you: to contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already used or enquired about, unless you have opted not to receive such information.
  • To manage your requests: to attend and manage your requests to us.
  • For business transfers: We may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganisation, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by us about our Service users is among the assets transferred.
  • For security and fraud prevention: to detect, prevent, investigate, and respond to fraud, abuse, security incidents, sanctions screening obligations, and other harmful or illegal activity.
  • For legal and regulatory compliance: to comply with our obligations under Applicable Laws, including the PDPL, anti-money-laundering and counter-terrorist-financing requirements, sanctions regimes, and lawful requests from competent authorities.
  • For other purposes: We may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

3. Device Permissions (Mobile App)

The Naba Wallet mobile application requests the following device-level permissions on Android and iOS. Each is used only for the in-app feature described and is processed entirely on-device.

Camera (android.permission.CAMERA on Android, NSCameraUsageDescription on iOS)

Used solely to scan QR codes that encode wallet addresses, and only when the user explicitly opens the QR scanner from the Send screen. The camera feed is decoded locally on the device. No images, video frames, scanner output, or any other camera-derived data is recorded, transmitted to Devnull FZCO’s servers, retained beyond the duration of the active scan, or shared with any third party.

The user may deny or revoke this permission at any time through the operating system’s settings. If denied, the rest of the application continues to function normally and the user can paste recipient addresses manually instead of scanning.

4. What Legal Bases Do We Rely On to Process Your Personal Information?

In accordance with Article 4 of the PDPL and other applicable data protection laws, we may rely on the following legal bases to process your personal information:

  • Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
  • Performance of a Contract. We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
  • Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests (such as maintaining the security and integrity of the Services, fraud prevention, network and information security, and improving our Services) and those interests do not outweigh your interests and fundamental rights and freedoms.
  • Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

In legal terms, we are generally the “data controller” under the PDPL of the personal information described in this Privacy Policy, since we determine the means and/or purposes of the data processing we perform. This Privacy Policy does not apply to the personal information we process as a “data processor” on behalf of third parties. In those situations, the third party is the “data controller” responsible for your personal information, and we merely process your information on their behalf in accordance with your instructions. If you want to know more about our customers’ privacy practices, you should read their privacy policies and direct any questions you have to them.

For users located in the European Economic Area (EEA) or the United Kingdom, the legal bases above mirror those set forth in the General Data Protection Regulation (GDPR) and the UK GDPR.

5. When and With Whom Do We Share Your Personal Information?

With Data Processors: We may share your personal information with Data Processors to monitor and analyse the use of our Service, to contact you, to provide infrastructure and hosting services, customer support, communications, and analytics. Such Data Processors are bound by written agreements and are required to process personal data only on our documented instructions and in accordance with the PDPL.

To access certain functions of the Service, you may be prompted to provide your personal data directly to third-party providers of payment services, identity verification services (including UAE Pass), and/or KYC/AML services providers. This shall not be deemed a transfer of your Personal Data by Company, as you will directly provide your personal data to the respective companies under their privacy terms which you shall separately accept. The Company will not be responsible for processing the personal information you so provide.

We may need to share your personal information in the following situations:

  • For business transfers: We may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share your information with our affiliates, in which case we will require those affiliates to abide by this Privacy Policy. Affiliates include any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.
  • With business partners: We may share your information with our business partners to offer you certain products, services or promotions.
  • With other users: When you share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If you interact with other users or register through a Third-Party Social Media Service, your contacts on the Third-Party Social Media Service may see your name, profile, pictures and description of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you and view your profile.
  • With law enforcement and competent authorities: Where required by Applicable Laws or in response to a lawful request by a competent UAE or foreign authority, we may share information to comply with our legal obligations, protect our rights, or protect the safety of users or the public.
  • With your consent: We may disclose your personal information for any other purpose with your consent.

For the avoidance of doubt, we do not sell your personal information.

6. Do We Use Cookies and Other Tracking Technologies?

We may use cookies and similar tracking technologies (like web beacons and pixels) on our website at https://wallet.naba.ae to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also may permit third parties and service providers to use online tracking technologies on our Services for analytics and, where applicable, advertising, including to help measure traffic, tailor content, or send abandoned-action reminders (depending on your communication preferences). The third parties and service providers use their technology to provide services tailored to your interests which may appear either on our Services or on other websites.

We may use Google Analytics or similar privacy-respecting analytics to understand and improve usage of the Services.

You can control cookies through your browser settings. If you disable cookies, certain functions of the Services may be limited.

7. Is Your Information Transferred Internationally?

Please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see “WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?” above), in different countries.

The Company is located in the United Arab Emirates. Where personal data is transferred outside the UAE, such transfer is conducted in accordance with Article 22 and Article 23 of the PDPL and any decisions of the UAE Data Office regarding adequacy or appropriate safeguards. We will take all necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law, including through the use of standard contractual clauses or equivalent safeguards where required.

8. How Long Do We Keep Your Information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, anti-money-laundering, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

9. How Do We Keep Your Information Safe?

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process, including encryption in transit, encryption at rest where appropriate, access controls, and the principle of data minimisation by design (see Section 0). However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

We remind you that the safety of your private keys, devices, and authentication factors is your responsibility as the sole holder of those credentials. We do not store, back up, or have access to your private keys, recovery credentials, or authentication factors.

10. Do We Collect Information from Minors?

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at the email address mentioned in the “CONTACT US” section.

11. What Are Your Privacy Rights?

You have the right (i) to request access and obtain a copy of your personal information; (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; (v) not to be subject to automated decision-making; and (vi) to object to the processing of your personal information. These rights are afforded to you under the PDPL of the United Arab Emirates (Articles 13 to 19) and equivalent provisions under other applicable laws.

You can make such a request by contacting us at the email address mentioned in the “CONTACT US” section. We will consider and act upon any request in accordance with applicable data protection laws and within the time periods prescribed by such laws.

If you are located in the UAE, you may also have the right to lodge a complaint with the UAE Data Office in accordance with the PDPL. If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us at the email address mentioned in the “CONTACT US” section.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the email address mentioned in the “CONTACT US” section.

You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

If you have questions or comments about your privacy rights, you may email us at the address mentioned in the “CONTACT US” section.

12. Data Deletion

Because Naba Wallet is non-custodial, we do not create user accounts or persist wallet credentials, identity material, transaction caches, contacts, or preferences on our servers. All such data lives exclusively on your device.

How to delete your device data

  1. Open Settings → Sign out within the Wallet application. This immediately clears all locally stored data, including cached transaction history, contact book entries, and preferences.
  2. To additionally remove the hardware-backed encryption keys generated by the Wallet, uninstall the application from your device.

Blockchain data

Transactions that you have signed and broadcast to the blockchain are recorded on the public ledger permanently. This data is outside our control and cannot be deleted — it is part of the immutable, decentralised record-keeping architecture that underpins all public blockchains. This is an inherent property of blockchain technology and is not specific to Naba Wallet.

Server-side personal data

Where you have provided us with personal information (for example, an email address for early-access sign-ups or support correspondence), you may request erasure of that information by contacting us at privacy@naba.ae as described in Section 11 above. We will process such requests in accordance with the PDPL and within the time periods prescribed by applicable law.

13. Do We Make Updates to This Policy?

We may update this Privacy Policy from time to time. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information. The updated version will be indicated by a revised “effective” date and the updated version will be effective as soon as it is accessible at https://wallet.naba.ae/privacy.

14. Contact Us

If you have questions or comments about this notice, you may email us at privacy@naba.ae or contact us by post at:

Devnull FZCO
Building A1, Dubai Digital Park, Dubai Silicon Oasis
Dubai, United Arab Emirates
Commercial License No. 30069 (DIEZ)

E-mail: privacy@naba.ae
Website: https://wallet.naba.ae
