Skip to main content

Privacy Policy - English

Pedro Furtado
Updated

Last updated: February 12, 2026

This Privacy Policy ("Policy") outlines the terms and conditions under which Defi Basket Labs ("We", "Company"), a company incorporated in the British Virgin Islands (BVI), processes information and data related to the Picnic platform.

CLAUSE 1. Picnic is a decentralized software interface. BY USING PICNIC, YOU ACKNOWLEDGE THAT WE ARE ONLY TECHNOLOGY PROVIDERS FACILITATING YOUR DIRECT INTERACTION WITH THE BLOCKCHAIN. WE DO NOT HOLD CUSTODY OF YOUR ASSETS NOR DO WE CONTROL OR INTERMEDIATE TRANSACTIONS MADE ON THE NETWORK.

THIS POLICY SHOULD BE READ IN CONJUNCTION WITH THE PICNIC TERMS OF USE. BY ACCEPTING THIS POLICY, YOU CONSENT TO THE DATA PROCESSING NECESSARY FOR THE TECHNOLOGICAL OPERATION OF THE INTERFACE AND ACKNOWLEDGE AUTOMATIC ACCEPTANCE OF THE PRIVACY POLICIES OF OUR INFRASTRUCTURE PARTNERS.

CLAUSE 2. Given the decentralized nature of Picnic's software, which resides on the blockchain and not on a centralized server, the processing of your personal data will be governed by the data protection laws of the country where you, the user, are located at the time of access. We are committed to respecting the principles of the LGPD (Brazil), CCPA (USA), GDPR (Europe), and DPA (BVI) as applicable to your specific case.

CLAUSE 3. For the platform's operation, we collect the following categories of data:

3.1. Data collected directly by Picnic:

  • Registration Data: email and phone number

  • On-chain Identifiers: Public wallet address.

  • Purpose: Basic user identification, support communication, account security, and technical facilitation of the interface for reading balances and network history.

3.2. Data collected by/for Infrastructure Partners:

  • KYC/Compliance Data: Full name, identification documents (RG/CPF/CNH), proof of residence, and facial biometrics (selfie).

  • Purpose: Compliance with legal "Know Your Customer" (KYC) obligations, anti-money laundering (AML) prevention, and counter-terrorism financing, as required by infrastructure partners.

  • Wallet Integration: For certain specific partners, we share your specific wallet address for technical integration and asset settlement purposes.

3.3. Technical and Navigation Data

  • Log Data: IP address (temporarily processed for geofencing and security), device type, browser version, and operating system.

  • Purpose: Performance optimization, error debugging, and access restriction in sanctioned jurisdictions.

CLAUSE 4. We use the collected data to: (1) provide services: maintain, customize, and improve the interface and software, (2) security and protection: investigate and prevent fraudulent, illegal, or unauthorized activities, (3) legal compliance: fulfill legal obligations, government requests, and Anti-Money Laundering (AML) regulations, (4) communications: send legal notices, terms updates, security alerts, and technical support via electronic means.

CLAUSE 5. The User acknowledges and accepts that the sharing of personal and transactional data between Picnic and its partners is strictly necessary to enable the chosen products (such as cards and fiat ramps). By using these services, you provide data that will be processed by partners as independent controllers.

CLAUSE 6. The User acknowledges that transactions made through Picnic are recorded on public blockchains. By technological design, data recorded on the blockchain (including wallet addresses and transfer amounts) are immutable, transparent, and PUBLIC BY NATURE. The exercise of privacy rights, such as deletion or rectification, is not technically possible for on-chain records.

CLAUSE 7. We may share data under the following circumstances:

  • We share wallet addresses with infrastructure and blockchain analysis providers to detect and mitigate financial crimes, in case of a founded suspicion of crime involving specific wallets or users.
  • The sharing of personal and transactional data is strictly necessary to enable the Picnic Card, fiat currency conversion, and other operations.
  • To prevent harm to the Company or users, or in case of a substantiated request from one of our regulated partners.
  • In the event of a merger, acquisition, or asset sale, data may be transferred under the same privacy standards established here.

CLAUSE 8Picnic uses strict security protocols to ensure the integrity and confidentiality of data during communication with external partners. Our architecture is divided into two security pillars:

  1. For most services, communication occurs exclusively between Picnic's backend and partners, so the user's browser or app does not directly interact with these services. All transmission is protected by conventional transport encryption (TLS).
  2. In the case of the Magic authentication provider, to ensure maximum privacy, Picnic's backend does not access, at any time, communications between the user's device and Magic's servers. This interaction occurs end-to-end via TLS encryption, ensuring that access keys and sensitive authentication data remain isolated from our infrastructure. For more information, users can consult Magic's security documentation.

CLAUSE 9. As a BVI entity, we guarantee users the right to request access to personal data the Company may hold. Under applicable law, users have the right to confirmation, correction, and, when legally permitted, anonymization or deletion of unnecessary data. Requests should be made to legal@usepicnic.com.

CLAUSE 10. INFORMATION FOR DATA SUBJECTS IN BRAZIL (LAW NO. 13,709/2018 - LGPD). We process your personal data based on the following legal grounds: (i) with your consent (e.g., for marketing communications); (ii) for the execution of a contract or preliminary procedures (e.g., to enable the use of the interface and the Picnic Card); (iii) to comply with a legal obligation (e.g., KYC and Anti-Money Laundering regulations of our partners); and (iv) to meet our legitimate interests or those of third parties, provided that your fundamental rights and freedoms are respected. Under the LGPD, you have the following rights:

  1. Confirmation and Access: Right to confirm the existence of processing and access your data.
  2. Correction: Right to request the correction of incomplete, inaccurate, or outdated data.
  3. Anonymization or Deletion: Right to request the anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance with the law.
  4. Portability: Right to request the portability of data to another service provider, subject to ANPD regulations.
  5. Revocation of Consent: Right to revoke your consent at any time and be informed about the consequences of refusal.

Note on Blockchain: The User acknowledges that due to the immutable nature of blockchain technology, data recorded on-chain (such as transaction history and wallet addresses) cannot be deleted, rectified, or altered by the Company, which limits the exercise of certain deletion rights over public and distributed records.

CLAUSE 11. INFORMATION FOR DATA SUBJECTS IN THE EUROPEAN UNION. We process personal data for the purposes described in CLAUSE 4 above. Our legal bases for processing your data include: (i) you have given consent for processing to us or our service providers for one or more specific purposes; (ii) processing is necessary for the performance of a contract with you; (iii) processing is necessary for compliance with a legal obligation; and/or (iv) processing is necessary for the purposes of legitimate interests pursued by us or third parties, provided that your interests and fundamental rights do not override such interests.

Your rights under the General Data Protection Regulation ("GDPR") include the right to: (i) request access and obtain a copy of your personal data; (ii) request the rectification or deletion of your personal data; (iii) object to or restrict the processing of your data; and (iv) request the portability of your data. Additionally, you may withdraw your consent at any time. However, we cannot edit or delete information stored on a specific blockchain. Information such as transaction data, blockchain wallet address, and assets held by your address, which may be related to the data we collect, are beyond our control.

To exercise any of your rights under the GDPR, contact us at legal@usepicnic.com.

CLAUSE 12. INFORMATION FOR USERS IN THE UNITED STATES. For users residing in the United States who use fiat currency conversion services (fiat ramps), data processing is carried out in accordance with applicable US federal and state laws. The User acknowledges and accepts that: (1) Infrastructure Partner: Noah US Inc. acts as the partner responsible for the technological and regulatory enablement of financial operations in the US. (2) Compliance and KYC: To use these services, the User must provide data directly to Noah for identity verification (KYC) and Anti-Money Laundering (AML) purposes. (3) Third-Party Privacy Policy: The processing of these data, as well as rights of access and deletion (subject to mandatory legal retentions), is governed exclusively by Noah's Privacy Policy, available at https://noah.com/en/privacy-notice.

CLAUSE 13. The user expressly agrees to receive all communications, contracts, and legal notices electronically, including updates to terms, security alerts, and support notices.

CLAUSE 14. In the event of a merger or sale of Defi Basket Labs, data may be transferred to the new entity under the same privacy standards. This Policy may be updated periodically; continued use of the platform after updates constitutes acceptance of the new terms.

CLAUSE 15. If we make material changes to this Policy, we will notify you through the Services. However, your continued use of the Services reflects your periodic review of this Policy and other Company terms, and indicates your consent to them.

If you have any questions about this Policy or how we collect, use, or share your information, contact us at legal@usepicnic.com.

Related articles