Legal

Terms and Conditions PROMOTION 5 YEARS PICNIC

Last updated: April 1, 2026 1. General Information 1.1. The "5 YEARS PICNIC" campaign ("Campaign") is a global promotional initiative offered by DeFiBasket Labs Inc., a company incorporated under the laws of the British Virgin Islands (registration number 2085144) ("Company"), operator of the Picnic platform, aimed at encouraging users to request the Picnic Card and use it to subscribe to eligible paid artificial intelligence tools. 1.2. The Campaign is valid from the date of publication of these Terms for a period of 7 (seven) calendar days, or until the exhaustion of the 100 (one hundred) available promotional codes, whichever occurs first. 1.3. The Company reserves the right to modify, suspend, reduce the number of available codes, or terminate the Campaign at any time, at its sole discretion and without prior notice, without generating any acquired rights, expectations of rights, or obligations for compensation in favor of Participants. The mere use of the promotional code does not guarantee the receipt of the Refund until all requirements of this Clause and Clause 3 are met. 1.4. By participating in the Campaign, the Participant declares that they have read and fully agreed to these Terms and Conditions. 2. Eligibility 2.1. Individuals who meet the following criteria may participate in the Campaign: - Have or create an active account on the Picnic platform; - Have completed the identity verification process (KYC) required by the platform; - Request the Picnic Card using the promotional code “IA” during the Campaign period; - Have no restrictions or pending issues on their account; - Comply with the general Terms of Use of Picnic. 2.2. Each user may participate in the Campaign only once. Duplicate accounts or accounts created for fraudulent purposes will be automatically disqualified. 2.3. Promotional codes have limited availability of 100 (one hundred) units and will be distributed on a first-come, first-served basis until exhausted. 3. Promotion Mechanics 3.1. To participate in the Campaign, the Participant must follow the following steps, cumulatively: - Request the Picnic Card by entering the promotional code "IA" in the designated field during the card order process and be approved in the KYC process to use the card; - Make a paid subscription to one of the eligible artificial intelligence services (as per Clause 4) using the Picnic Card, within 30 (thirty) calendar days from the date of the card order. 3.2. Once all requirements set forth in Clause 3.1 are verified and validated by the Company, the Company will credit the Participant with the amount of USDC 20.00 directly to the Picnic Card account as a refund ("Refund"). The credit is conditioned upon the Participant's account being active, without blocks or pending issues, at the time of processing. The Company is the sole and final authority to determine compliance with the requirements of this Campaign. 3.3. The Refund will be processed within 15 (fifteen) business days from the confirmation of eligibility by the platform's system. The period is suspended while there is any pending verification, KYC, compliance, or incomplete registration information, restarting after regularization. The Company has no obligation to notify the Participant about pending issues that prevent processing. 3.4. The Refund is characterized as cashback and does not constitute a raffle, lottery, or contest of any kind. 3.5. The identification of the 100 (one hundred) Participants awarded will be strictly defined by the chronological order of use of the promotional code "IA" at the time of the card request (card order), provided that the other requirements set forth herein are met. 4. Eligible AI Services 4.1. For the purposes of this Campaign, eligible paid subscription contracts, on an individual monthly plan, or the renewal of an existing subscription (using the Picnic card as a payment method), for the following services, made within the period specified in Clause 3.1(b): - ChatGPT Plus or ChatGPT Pro — OpenAI (only paid individual monthly plans; business, educational, or bundle plans are not eligible) - Claude Pro or Claude Max — Anthropic (only paid individual monthly plans; business, educational, or bundle plans are not eligible) 4.2. Only the first paid subscription to one of the above services, made within the period specified in Clause 3.1(b), will be considered for the Refund. 4.3. The following are not eligible for the Refund: free plans or trial periods; subscriptions contracted outside the period of Clause 3.1(b); subscriptions whose payment was processed through means other than the Picnic Card; and subscriptions that were refunded, canceled, or reversed for any reason after contracting. 4.4. The Company is not responsible for any failure, unavailability, or price changes of the AI services listed in this clause, which are third-party services not controlled by the Company. 5. Refund Amount and Conditions 5.1. The Refund corresponds to the lesser amount between: (a) USDC 20.00; and (b) the amount actually charged and settled for the eligible subscription. If the subscription amount exceeds USDC 20.00, the excess will not be covered by the Campaign and will not generate any additional obligation for the Company. The Refund is granted per Participant, regardless of the number of subscriptions made. 5.2. The Refund is not cumulative: each Participant may receive the benefit only once, even if they subscribe to more than one eligible service. 6. Loss of Benefit and Disqualification 6.1. The Company reserves the right to revoke the Refund at any time and without prior notice if it identifies: - Violation of any clause of these Terms and Conditions; - Unauthorized use of the promotional code, in a third-party account, or through collusion between users; - Creation of multiple accounts or use of false data to improperly obtain the benefit; - Use of automated means, emulators, among others to bypass restrictions or automation scripts; - Suspicious activity of fraud, money laundering, or any other unlawful conduct; - Chargeback of the AI subscription charge that generated the Refund. - Any type of fraud against the system or the objectives of the Campaign, at the sole discretion of the Company. 6.2. In the event of revocation, the credited amount may be reversed from the Participant's account. The notified Participant may contact support for clarification via email at oi@usepicnic.com. 7. Responsibilities 7.1. The Company is not responsible, under any circumstances, for: - Technical failures in the systems of eligible AI services that prevent the charging or processing of the subscription; - Exchange rate fluctuations between the date of subscription and the date of Refund credit; - Failures in providing the promotional code due to Participant error; - Delays caused by pending compliance or KYC verification processes. - Refusal, blocking, or unavailability of the Picnic Card for the purpose of processing the subscription, including delays in card activation after the card order; - Refusal or rejection of the transaction by eligible AI services, payment networks, or the infrastructure for issuing the Picnic Card; - Indirect damages, lost profits, loss of opportunity, or moral damages resulting from the non-granting, delay, or revocation of the Refund. 7.2. The Participant is solely responsible for: - Verifying the eligibility of the contracted subscription before making it; - Declaring and paying any taxes that may be due on the Refund received, according to the tax legislation applicable in their jurisdiction; - Keeping their registration data updated on the platform. 7.3. In any case, the Company's total liability to the Participant arising from this Campaign is limited to a maximum amount of USDC 20.00 per Participant. The Company is not liable for any amount beyond this limit, for any reason. 8. Privacy and Data Processing 8.1. Participation in the Campaign implies the processing of the Participant's personal data by the Company strictly for the purposes of verifying eligibility, processing the Refund, and preventing fraud, based on the legitimate interest of the Company and the fulfillment of contractual obligations. 8.2. Data processing will comply with Picnic's Privacy Policy, available on the platform, and applicable data protection laws. 9. General Provisions 9.1. This Campaign is a global initiative and is not restricted to any specific jurisdiction or country. 9.2. This Campaign constitutes a voluntary commercial performance reward program conditioned on the fulfillment of objective requirements, without any random element, raffle, or free prize distribution, not qualifying as a commercial promotion subject to prior government authorization of any kind. The Refund is a conditional contractual benefit, not a gratuitous advantage, and does not generate an autonomous consumer relationship distinct from the Terms of Use of Picnic. 9.3. These Terms and Conditions are governed exclusively by the laws of the British Virgin Islands. By accepting these Terms, the Participant expressly waives any other jurisdiction that may be competent due to their domicile or nationality, electing the jurisdiction of the British Virgin Islands as the only competent forum to resolve any disputes arising from this Campaign. 9.4. The Company's tolerance regarding any non-compliance with these Terms does not constitute a waiver of rights. 9.5. Any questions or disputes should be directed first to Picnic support, via email at oi@usepicnic.com. For formal extrajudicial notifications: legal@usepicnic.com. 9.6. By participating in the Campaign, the Participant declares that they are aware of and agree to all the terms above. DeFiBasket Labs Inc. BVI Company No. 2085144 legal@usepicnic.com

Terms and Conditions - Protected Vault

PICNIC TERMS AND CONDITIONS OF USE PROTECTED VAULT Variable Yield Product in USDC with Protocol Coverage (Vault Cover — OpenCover x Nexus Mutual) Last Updated: March 2026 READ CAREFULLY BEFORE DEPOSITING. BY PROCEEDING, YOU DECLARE THAT YOU HAVE READ, UNDERSTOOD, AND FULLY ACCEPT THESE TERMS. IMPORTANT NOTICE — MANDATORY PRIOR DISCLOSURE Before making any deposit in the Protected Vault, the User must acknowledge the following essential points: A. THE PROTECTED VAULT IS NOT A BANK PRODUCT, NOT A SAVINGS ACCOUNT, AND DOES NOT OFFER CAPITAL OR YIELD GUARANTEE BY THE FGC OR ANY OTHER GOVERNMENT FUND. B. THE YIELD IS VARIABLE, DYNAMIC, AND NOT GUARANTEED. Composed of the DSR from the Sky/Maker protocol minus coverage costs (OpenCover). It can change at any time without prior notice. Historical rates do not guarantee future returns. C. COVERAGE IS EXCLUSIVELY PART B (DEPEG OF sDAI). The only covered event is the market price of sDAI falling 10% or more below its reference value for 7 or more consecutive days. Coverage is DISCRETIONARY and DOES NOT CONSTITUTE INSURANCE regulated by SUSEP. D. ONLY OPENCOVER (CVM) CAN TRIGGER A CLAIM. The User has no direct contractual relationship with Nexus Mutual. Any attempt to trigger by third parties renders the Cover immediately UNENFORCEABLE. E. CRITICAL DEPEG PARAMETERS: Depeg Time = 7 consecutive days. Depeg Percentage = 10% of Reference Value. Unit of Claim = 0.975 USDC/sDAI. Depeg below 10% or lasting less than 7 days DOES NOT trigger coverage. Submission deadline = 30 days after the end of the Depeg Time. F. UNCOVERED RISKS INCLUDE (without limitation): smart contract bugs not resulting in depeg as per Part B, phishing, private key loss, market drop without qualified depeg, depeg below thresholds or lasting less than 7 days, bridge failure, rug pull, failure in the Picnic app or Deframe API, Material Change in Risk by OpenCover. G. THE USER IS SOLELY RESPONSIBLE FOR DECLARING AND PAYING TAXES ON THE YIELDS OBTAINED. 0. HOW THE PROTECTED VAULT WORKS — PRODUCT OVERVIEW 0.1. Product structure — three independent layers The Protected Vault is a feature of the PICNIC app that allows the User to deposit USDC into a Covered Vault managed by OpenCover, which allocates the assets in the Designated Vault (sDAI/Sky/Maker DSR) on the Gnosis Chain and maintains coverage with Nexus Mutual. The product operates in three independent layers: LAYER 1 — VARIABLE YIELD (Designated Protocol: Sky/Maker DSR) The Sky/Maker protocol generates variable yield on sDAI. The DSR rate is set by the protocol's decentralized governance and can be changed at any time, including to zero. PICNIC has no control over the DSR. LAYER 2 — SELF-CUSTODIAL The User keeps their assets in their own self-custodial wallet throughout the deposit period. PICNIC does not hold custody at any time. LAYER 3 — ON-DEMAND VAULT COVER (Nexus Mutual via OpenCover CVM) OpenCover acquires Part B coverage (depeg of sDAI) with Nexus Mutual proportionally to the total value deposited in the Covered Vault (Proof of Cover on-demand). Part A does not apply to this product. The cost of coverage is automatically deducted from the gross yield. 0.2. What risk the coverage protects — depeg of sDAI The current coverage for the Protected Vault is exclusively Part B of the Vault Cover Terms: depeg coverage of sDAI. This was a deliberate choice by OpenCover when structuring this product. Why only Part B? OpenCover chose to use a single trigger based on market outcome instead of listing specific technical events (as Part A does). The logic is: any serious failure in the Covered Components — whether a bug, an oracle failure, a governance takeover — that is severe enough to harm users would be reflected in the market price of sDAI as a depeg. The single trigger is simpler and practically encapsulates the main loss scenarios. What this means for the User: • COVERED: depeg of sDAI ≥ 10% for ≥ 7 consecutive days — regardless of the cause. • NOT COVERED by this coverage: any event that does not result in a depeg of sDAI according to the above parameters, including smart contract bugs that do not cause qualified depeg, isolated oracle failure, governance takeover without price impact, bridge failure, rug pull, phishing. • The coverage does not protect against yield losses, only against principal loss via qualified depeg. ATTENTION: A serious bug in the Sky/Maker protocol that DOES NOT result in a depeg of sDAI ≥ 10% for ≥ 7 days DOES NOT trigger coverage. The user may lose capital without any compensation. 0.3. Yield — variable and dynamic Net yield = DSR (Sky/Maker) minus OpenCover cost The DSR can be changed by Sky/Maker governance at any time, including to zero. The cost of coverage may vary according to the conditions of the Nexus Mutual underwriting market. The current yield is displayed in real-time in the app. No historical rate constitutes a guarantee. 0.4. Proof of Cover — on-demand and proportional coverage The underwriting capital is acquired ON-DEMAND by OpenCover proportional to the total value deposited in the Covered Vault. The Cover Amount rises and falls as deposits come in and out. The Deductible (5% × Cover Amount) also varies according to the total deposited. IMPORTANT: If the Exposed Funds (total deposited in the vault) exceed the acquired Cover Amount, the Claim Amount will be proportionally reduced. PICNIC does not control the Cover Amount or the volume of Exposed Funds. 0.5. What are the Covered Components The Vault Cover protects the Covered Components: (a) the Covered Vault (OpenCover contract); (b) the Designated Vault (sDAI/Sky/Maker); and (c) the Designated Protocol (Sky/Maker DSR code). User interfaces — including the PICNIC app and the Deframe API — are expressly excluded. NOT COVERED COMPONENTS and therefore NOT covered: • The PICNIC app and any user interface. • The Deframe API. • The Gnosis Chain bridge (the current Annex does not provide this coverage). • PICNIC's internal systems. 0.6. Participants and their roles PICNIC: Non-custodial software interface. Does not hold custody, does not generate yield, is not part of the coverage contract, and CANNOT trigger claims. DEFRAME: Transaction generation and routing API. Not a custodian. Not a Covered Component. SKY/MAKER PROTOCOL (DSR / DESIGNATED PROTOCOL): Generates yield. Is a Covered Component. DESIGNATED VAULT / COVERED VAULT: OpenCover and sDAI contracts on the Gnosis Chain. Are Covered Components. Covered Vault: 0x0AC34fe133BdE3A2eF589a18A4E10b6a7d253829 Covered Token (sDAI): 0xaf204776c7245bF4147c2612BF6e5972Ee483701 OPENCOVER (CVM): ONLY party with legitimacy to trigger claims. Attempt to trigger by third parties renders the Cover void. NEXUS MUTUAL: DAO providing discretionary coverage. Approval subject to Claim Assessors' vote. Not a regulated insurer. 0.7. What PICNIC is not and does not do PICNIC IS NOT a bank, financial institution, broker, investment manager, fund administrator, insurer, or PSAV under Law 14.478/2022. PICNIC DOES NOT HOLD CUSTODY of the User's assets at any time. PICNIC DOES NOT GUARANTEE yield, claim approval, or product continuity. PICNIC IS NOT A PARTY to the coverage contract (Vault Cover Terms). PICNIC CANNOT TRIGGER CLAIMS — only OpenCover can, as CVM. 1. PARTIES AND IDENTIFICATION 1.1. Platform operator DeFiBasket Labs Inc., a company incorporated under the laws of the British Virgin Islands (BVI), No. 2085144, with registered address at Intershore Chambers, Geneva Place, 3rd Floor, Road Town, Tortola, BVI (‘PICNIC’, ‘we’ or ‘Platform’). 1.2. User Individual or legal entity accessing the Protected Vault feature through the PICNIC app interface (‘User’ or ‘you’). By activating the Protected Vault or making any deposit, the User declares to have read, understood, and fully accepted these Terms, which are complementary and integrated with the General Terms of Use of PICNIC. 2. NATURE OF THE PRODUCT AND OPERATION 2.1. General description The Protected Vault is a technological interface feature that allows the User to deposit USDC into the OpenCover Covered Vault, deployed on the Gnosis Chain, whose assets are allocated in the Designated Vault (sDAI/Sky/Maker DSR). The yield is generated by the Designated Protocol. The current protocol coverage is exclusively Part B (depeg of sDAI), governed by the Vault Cover Terms — OpenCover x Nexus Mutual. 2.2. How to participate 1. Have a self-custodial wallet compatible with the Gnosis Chain and available balance in USDC. 2. Read and accept these Terms in the PICNIC interface. 3. Authorize the deposit transaction, which will send your USDC to the Covered Vault on the Gnosis Chain. 4. Monitor the accumulated yield in the PICNIC interface. 5. Request redemption at any time, subject to the protocol's liquidity conditions. By confirming the deposit, the User forwards their transaction to the Covered Vault. PICNIC does not hold, retain, or control the User's assets at any time. 2.3. Yield and cost — variable nature The yield of the Protected Vault is variable and dynamic. Composed of the DSR from the Sky/Maker protocol minus the coverage costs. The current net yield is always displayed in the app and may vary daily. No historical rate constitutes a guarantee or promise of future return. 2.4. PICNIC's fees and commission PICNIC may charge a commission on the generated yield, informed in advance in the interface before any deposit. The total cost to the User will always be displayed on the summary screen before confirmation. 2.5. Contract addresses - Covered Vault (OpenCover Savings xDAI Insured Vault): 0x0AC34fe133BdE3A2eF589a18A4E10b6a7d253829 - Covered Token (Savings xDAI / sDAI): 0xaf204776c7245bF4147c2612BF6e5972Ee483701 2.6. Infrastructure and involved third parties - Sky/Maker Protocol (DSR / Designated Protocol): generates yield on sDAI. - Gnosis Chain: blockchain network where contracts are deployed. - OpenCover (CVM): manager of the Covered Vault, holder of the coverage position with Nexus Mutual. - Nexus Mutual: discretionary coverage pool governed by the Vault Cover Terms. - Deframe: transaction generation and routing API. Not a custodian. Not a Covered Component. 3. NATURE OF PROTOCOL COVERAGE 3.1. Vault Cover — discretionary coverage. Not insurance. The current coverage is governed by the Vault Cover Terms — OpenCover x Nexus Mutual, with exclusive application of Part B (depeg of sDAI). The specific Annex for this product expressly states: ‘Part A Terms — Not applicable for OpenCover Savings xDAI (sDAI) Vault Cover.’ Therefore, Part A (protocol risks: smart contract bugs, oracle failure, governance takeover, liquidation failure) DOES NOT apply. The coverage is DISCRETIONARY and DOES NOT CONSTITUTE INSURANCE regulated by Decree-Law No. 73/1966 or supervised by SUSEP. EXCLUSIVE LEGITIMACY OF OPENCOVER: The Vault Cover can only be triggered by OpenCover as CVM. Any attempt to trigger by third parties — including PICNIC or the User themselves — renders the Cover UNENFORCEABLE (Vault Cover Specific Terms). The User is an INDIRECT beneficiary. Their recovery depends entirely on OpenCover's action. 3.2. Part B — Only covered event: depeg of sDAI Covered event (cl. 4 of the Vault Cover Terms): OpenCover can trigger a claim if, during the Cover Period, the Reference Value of sDAI and the Market Value differ by more than 10% for a continuous period of at least 7 consecutive days. Parameters of the Annex sDAI Vault Cover (prevail over the Cover Terms in case of conflict): Covered Token: Savings xDAI (sDAI) on the Gnosis Chain Covered Vault Address: 0x0AC34fe133BdE3A2eF589a18A4E10b6a7d253829 Depeg Percentage: 10% of Reference Value Depeg Time: 7 (seven) consecutive days Unit of Claim: 0.975 USDC per covered sDAI Approved Covered Token Derivative: not applicable Part B Process (cl. 5.1): OpenCover must transfer a Covered Token to Nexus Mutual BEFORE submitting the claim. If approved, tokens are exchanged for the Claim Amount. If denied, tokens are returned to OpenCover. Holding requirement (cl. 6.3): OpenCover must have held the Covered Tokens for at least 72h before the start of the depeg event. If not met, the claim will be denied. CRITICAL PARAMETERS — READ CAREFULLY: • Depeg < 10% of Reference Value: DOES NOT trigger coverage. • Depeg that recovers before 7 consecutive days: DOES NOT trigger coverage. • Technical failure (bug, oracle, governance) that DOES NOT cause depeg ≥ 10% for ≥ 7 days: DOES NOT trigger coverage. • Unit of Claim = 0.975: 2.5% haircut per token, applied before the Deductible. • Cool Down Period Part B = Depeg Time (7 days): OpenCover can only submit the claim AFTER this period. • Submission deadline: 30 days after the END of the Depeg Time — not after the start. • PICNIC does not control OpenCover's compliance with these deadlines. 3.3. Coverage table — what is and is not covered All scenarios below are evaluated based on the Vault Cover Terms and the Annex sDAI Vault Cover. The Annex prevails in case of conflict. | Loss scenario | Covered? | Note | | --- | --- | --- | | Depeg sDAI ≥ 10% for ≥ 7 consecutive days (Part B, cl. 4) | YES | Unit of Claim 0.975/token + Deductible 5%. OpenCover must have held tokens ≥ 72h (cl. 6.3). | | Depeg < 10% or < 7 consecutive days | NO | Below the Annex thresholds. Does not trigger a claim. | | Smart contract bug/exploit that DOES NOT cause qualified depeg | NO | Part A not applicable. Only covered if it results in depeg ≥ 10% for ≥ 7 days. | | Bug/exploit that CAUSES depeg ≥ 10% for ≥ 7 days | YES* | Covered via Part B (depeg). *Subject to all conditions and exclusions of Part B. | | Oracle failure/manipulation that DOES NOT cause qualified depeg | NO | Part A not applicable. Only covered if it results in qualified depeg. | | Governance takeover that DOES NOT cause qualified depeg | NO | Part A not applicable. | | Phishing/private key loss | NO | Exclusion Part B cl. 6.1 (covered components continue functioning). | | Market drop without qualified depeg | NO | Not an event covered by Part B. | | Rug pull by controllers | NO | Explicit exclusion. May not result in qualified depeg. | | Gnosis Chain bridge failure | NO | Current Annex does not provide this coverage. | | Failure in the Picnic app or Deframe API | NO | Interfaces are not Covered Components. | | Depeg of an asset other than sDAI | NO | Exclusion cl. 6.2. | | Material Change in Risk by OpenCover | RISK | Nexus Mutual may deny claim (cl. 14). Beyond PICNIC's control. | 3.4. Part B exclusions — uncovered events The User acknowledges that Part B coverage DOES NOT apply in the following situations: - (i) Technical issues in the Covered Token or Approved Covered Token Derivative that do not specifically result in depeg as per cl. 4 (cl. 6.1). - (ii) Depeg of any asset other than sDAI (cl. 6.2). - (iii) OpenCover not having held the Covered Tokens for at least 72h before the depeg event (cl. 6.3). - (iv) Events occurring before the start of the Cover Period (cl. 3.4, applicable by analogy). - (v) Cover triggered by a third party without the User's knowledge and consent, or whose recovery is not intended for the User — Cover is void (cl. 3.10). - (vi) Material Change in Risk: Nexus Mutual may deny claim if OpenCover has materially altered its activities or terms (cl. 14). 3.5. Coverage limit, Deductible, and Claim Amount calculation FORMULA Part B (depeg — Explanatory Note 1, Vault Cover Terms): 1st Apply the Unit of Claim: reference value = 0.975 USDC per covered sDAI. 2nd Apply the Deductible: Claim Amount = min [ Loss Amount − (5% × Cover Amount), Cover Amount ] Illustrative example: Deposit = 1,000 USDC | Cover Amount = 1,000 USDC | Total depeg Loss Amount after Unit of Claim = 975 USDC Deductible = 5% × 1,000 = 50 USDC Claim Amount = min[975 − 50, 1,000] = 925 USDC maximum If the Exposed Funds (total in the vault) exceed the Cover Amount, the Claim Amount will be proportionally reduced. The aggregate Claim Amount is limited to the total Cover Amount (cl. 7.4). The indication of ‘up to 97.5% of capital’ is a maximum estimate before the Deductible and in a total depeg scenario. In adverse scenarios, recovery may be significantly lower. It does not constitute a contractual guarantee by PICNIC. 3.6. Claim deadlines, Cool Down, and redemption PART B — Depeg (only current coverage): Cool Down Period: equal to Depeg Time = 7 days (no claim can be submitted during this period). Submission deadline: 30 days after the END of the Depeg Time (cl. 7.1.5.2). NOT after the start of the depeg. Redemption deadline: 30 days after claim approval (cl. 7.3). Failure to redeem within this period implies LOSS of the claim. Total estimate: approximately 14 to 44 days from the start of the depeg. PICNIC DOES NOT CONTROL THESE DEADLINES AND IS NOT RESPONSIBLE FOR DELAYS, DENIAL, OR FAILURE IN THE COVERAGE PROCESS. If OpenCover does not submit the claim within the deadline, the right is permanently lost. If the claim is approved but not redeemed within 30 days, the right is equally lost. 4. LEGAL NATURE 4.1. Software interface — non-custodial PICNIC acts exclusively as a non-custodial software interface provider. It is not a bank, financial institution, broker, investment manager, fund administrator, insurer, or PSAV. PICNIC does not hold, at any time, custody, control, or access over the User's assets. 4.2. On-chain yield operation - (i) the yield is generated by an autonomous on-chain protocol (Sky/Maker DSR), without active management by PICNIC; - (ii) the sDAI is a native token of the protocol, not issued by PICNIC; and - (iii) each User's position does not represent participation in a collective enterprise. 4.3. Coverage PICNIC does not offer, distribute, or intermediate insurance. The terms ‘coverage’, ‘protocol coverage’, and ‘Vault Cover’ refer exclusively to the Nexus Mutual product governed by the Vault Cover Terms. PICNIC does not use the terms ‘insurance’, ‘insured’, ‘policy’, or equivalents in any communication to the User. 4.4. Tax responsibility The User is solely responsible for calculating, declaring, and paying all taxes on the yields obtained. PICNIC does not provide tax advice. 5. RISK FACTORS The User declares full awareness of the risks associated with the Protected Vault, including but not limited to: 5.1. Protocol risks - Vulnerability or bug in the smart contracts of the Covered Components that DOES NOT result in qualified depeg — no coverage. - Failure, manipulation, or attack on the Gnosis Chain protocol or related bridge — no coverage. - Depeg of sDAI below 10% or for a period less than 7 consecutive days — no coverage. - Bad debt resulting from liquidation mechanism failure that does not cause qualified depeg — no coverage. - Governance attack or malicious upgrade that does not cause qualified depeg — no coverage. 5.2. Yield risks - Reduction or zeroing of the DSR by Sky/Maker governance. - Increase in coverage cost (OpenCover + Pods) reducing net yield. - Absence of minimum yield guarantee in any period. 5.3. Coverage risks - Claim denial by Nexus Mutual's Claim Assessors (discretionary and sovereign decision). - Loss of claim right due to OpenCover's failure to meet the 30-day deadline after the END of the Depeg Time. - Loss of approved claim for not redeeming within 30 days of approval. - Deductible of 5% of the Cover Amount reducing the Claim Amount. - Unit of Claim of 0.975 (2.5% haircut) per covered token. - 72h holding requirement of Covered Tokens by OpenCover — if not met, claim denied. - Material Change in Risk allowing Nexus Mutual to deny claim. - Insolvency or operational failure of OpenCover as CVM. - Exposed Funds exceeding the Cover Amount, limiting recovery proportionally. - Absence of coverage for any event that does not constitute depeg sDAI ≥ 10% for ≥ 7 consecutive days. 5.4. Custody and security risks - Loss of access to the wallet due to loss of passkey, seed phrase, or device. - Phishing, social engineering, or malware attacks. - Irreversibility of on-chain transactions. 5.5. Infrastructure risks - Failure or unavailability of the Deframe API. - Hack or vulnerability in PICNIC's internal systems (not covered by the Vault Cover). - Interruption of the PICNIC app or access interface. 6. PICNIC'S DISCLAIMER AND LIMITATION OF LIABILITY To the maximum extent permitted by applicable law, PICNIC, its directors, employees, partners, and affiliates are not liable for: - Capital losses arising from any risk listed in Clause 5. - Non-payment or reduction of claim by Nexus Mutual. - OpenCover's failure to trigger or redeem the claim within the stipulated deadlines. - Failures, bugs, exploits, or attacks on any Covered Component or third-party protocol. - Losses arising from events not covered by Part B (including bugs that do not cause qualified depeg). - Loss of access to the User's wallet. - Yield variations or zeroing. - User's tax obligations. - Indirect, consequential, lost profits, or moral damages. - Loss of approved claim for not redeeming within 30 days. 7. USER OBLIGATIONS AND DECLARATIONS By using the Protected Vault, the User declares and guarantees that: 6. They have read, understood, and fully accept these Terms and the General Terms of Use of PICNIC. 7. They have the legal capacity to enter into contracts and use virtual assets in their jurisdiction. 8. The deposited funds have a lawful origin. 9. They understand that the coverage is exclusively for depeg sDAI ≥ 10% for ≥ 7 consecutive days. 10. They understand and accept the specific parameters: Depeg Time 7 days, Depeg Percentage 10%, Unit of Claim 0.975/sDAI, Deductible 5%. 11. They will not use the Protected Vault for illegal purposes. 12. They are responsible for safeguarding their credentials and the security of their device. 13. They are responsible for their tax obligations. 14. They will check the current yield in the app before each deposit. 15. They acknowledge that they have no direct contractual relationship with Nexus Mutual and that only OpenCover can trigger claims. 16. They will monitor communications from PICNIC and OpenCover and, in the event of a depeg claim, will take necessary actions within the deadlines (such as transferring assets to multisig, if applicable). 17. They will consult a qualified professional for legal, financial, or tax advice. 8. DEPOSIT, YIELD, AND REDEMPTION CONDITIONS 8.1. Deposit Deposits are made exclusively in USDC, from a self-custodial wallet. There is no guarantee of immediate processing. PICNIC may set minimum and/or maximum values, displayed in the interface before confirmation. 8.2. Yield The yield is accumulated in sDAI on-chain. The displayed rate is the current net rate at the time of consultation and may vary. No previously displayed rate constitutes a guarantee of future yield. 8.3. Redemption The User can request redemption at any time, subject to the liquidity conditions of the sDAI protocol and the Gnosis Chain. In the event of an ongoing claim, redemption may be temporarily suspended. 8.4. Exceptional conditions - Temporary suspension: during the Cool Down Period (7 days after the start of the depeg), redemptions may be suspended or affected by the coverage process conditions. - Redemption during depeg: the User may be instructed to transfer assets to multisig instead of redeeming directly. Failure to comply may result in loss of the right to compensation. - Redemption after approved claim: remaining funds available after distribution. 9. THIRD PARTIES, ON-CHAIN PROTOCOLS, AND LACK OF CONTROL - Sky/Maker Protocol: operates autonomously; PICNIC has no influence over DSR, governance, or security. - OpenCover (CVM): PICNIC does not control its operational decisions, claim outcomes, or deadline compliance. - Nexus Mutual: sovereign DAO; decisions of the Claim Assessors cannot be contested by PICNIC. - Deframe: PICNIC is not responsible for failures in the API. 10. USER SUPPORT PICNIC provides dedicated support through official channels in the app and at usepicnic.com. PICNIC is committed to actively communicating to the User the occurrence of depeg events that may trigger the claim process — especially when User action is required. PICNIC does not guarantee resolution of issues related to on-chain protocols or Nexus Mutual decisions. 11. CHANGES TO THE PRODUCT AND THESE TERMS PICNIC reserves the right to modify, suspend, or discontinue the Protected Vault at any time without liability beyond the funds already deposited on-chain, which remain under the User's custody. These Terms may be changed with a minimum notice of 10 (ten) business days, except in cases of urgency. Continued use implies tacit acceptance. 12. APPLICABLE LAW AND DISPUTE RESOLUTION These Terms are governed by the laws of the British Virgin Islands (BVI). Any dispute will first be submitted to an attempt at amicable resolution within 30 days and, if persisting, to arbitration under the General Terms of Use of PICNIC. 13. GENERAL PROVISIONS - These Terms complement the General Terms of Use of PICNIC. In case of conflict, these provisions prevail. - The nullity of any clause does not compromise the others. - Failure to enforce compliance does not imply waiver of future rights. - These Terms constitute the entire agreement between the parties regarding the Protected Vault. - The Vault Cover Terms and its Annexes do not formally integrate these Terms, but the User is encouraged to read them directly. GLOSSARY Vault Cover Terms — OpenCover x Nexus Mutual Document governing protocol coverage. For the Protected Vault, only Part B (depeg) is applicable. In case of conflict with these Terms, the Vault Cover Terms prevail. Part A Section of the Vault Cover Terms covering protocol risks (bugs, oracle failure, governance takeover, liquidation failure). NOT APPLICABLE for the Protected Vault, as per the Annex. Part B Section of the Vault Cover Terms covering depeg of the Covered Token. ONLY current coverage for the Protected Vault. Covered Components Set of: (a) Covered Vault (OpenCover contract); (b) Designated Vault (sDAI/Sky/Maker); and (c) Designated Protocol (Sky/Maker DSR code). User interfaces, including the PICNIC app and the Deframe API, are expressly excluded. Covered Vault Manager (CVM) OpenCover, the only entity with legitimacy to trigger claims. Attempt to trigger by third parties renders the Cover void. DSR (DAI Savings Rate) Variable yield rate of the Sky/Maker protocol. Can be changed at any time, including to zero. Proof of Cover Mechanism by which underwriting capital is acquired on-demand by OpenCover proportional to the total in the Covered Vault. Not a fixed pool. Deductible 5% of the Cover Amount. Formula: Claim Amount = min[Loss Amount − (5% × Cover Amount), Cover Amount]. Unit of Claim 0.975 USDC per sDAI for Part B claims. 2.5% haircut per token, applied before the Deductible. Reference Value Reference value of sDAI for calculating the Depeg Percentage, as defined in the Vault Cover Terms. Cover Amount Total coverage amount acquired by OpenCover, proportional to the total deposited in the Covered Vault. Exposed Funds Total value of assets exposed in the Covered Components. If they exceed the Cover Amount, the Claim Amount will be proportionally reduced. Cool Down Period Part B: equal to Depeg Time (7 days). No claim can be submitted before the end. Depeg Time 7 (seven) consecutive days — minimum uninterrupted price deviation period for Part B coverage. Depeg Percentage 10% of Reference Value — minimum deviation required, combined with Depeg Time, for Part B coverage. Material Loss Loss whose Claim Amount, after subtracting the Deductible, exceeds the gas costs involved in approval. Material Change in Risk Material change in OpenCover's activities or terms affecting the risk profile, giving Nexus Mutual the right to deny claims (cl. 14). Rug Pull Intentional confiscation of funds by controllers. May not result in qualified depeg and, therefore, may not trigger coverage. Claim Assessors Nexus Mutual evaluators responsible for approving or rejecting claims. Discretionary and sovereign decision. Discretionary Coverage Protection granted by Claim Assessors' decision, without legal obligation to pay. Not regulated insurance by SUSEP. By depositing funds in the Protected Vault, the User declares to have read, understood, and fully accepted these Terms. DeFiBasket Labs Inc. | PICNIC | usepicnic.com

Terms of Use - English

PICNIC TERMS OF USE Last Updated: March 10, 2026 These Terms of Use constitute a binding agreement between you (the “User”) and DeFi Basket Labs Inc., the company that owns the PICNIC brand, incorporated under the laws of the British Virgin Islands (BVI). DeFi Basket is a company incorporated under No. 2085144 whose registered address is Intershore Chambers, Geneva Place, 3rd Floor, Road Town, Tortola, British Virgin Islands. For the purposes of this agreement, “PICNIC” refers to the website usepicnic.com, the set of software protocols, the technological interfaces that make up the PICNIC Platform, the PICNIC Card, and the associated mobile applications. By using our technology, the user acknowledges that PICNIC is a self-custodial and distributed technology software. UNLIKE TRADITIONAL FINANCIAL INSTITUTIONS, THE PICNIC SOFTWARE IS NOT “LOCATED” OR HEADQUARTERED IN A SINGLE PHYSICAL JURISDICTION. IT OPERATES THROUGH A DECENTRALIZED CLOUD INFRASTRUCTURE, EXECUTING LOCALLY ON THE USER'S DEVICE AND DIRECTLY ON PUBLIC BLOCKCHAIN NETWORKS. The software functions as an interface for the user to interact directly with the blockchain. DeFi Basket Labs does not have access to, control over, or custody of the user’s private keys, recovery phrases (seeds), or digital assets. READ CAREFULLY BEFORE PROCEEDING: PICNIC IS NOT A BANK, IS NOT A FINANCIAL INSTITUTION, IS NOT A CUSTODIAL EXCHANGE, NOR DOES IT INTERMEDIATE ANY TRANSACTION. PICNIC IS EXCLUSIVELY AN INTERFACE SOFTWARE PROVIDER. BY USING THIS PLATFORM, YOU ACKNOWLEDGE THAT THE OPERATING MODEL IS SELF-CUSTODY. THIS MEANS THAT: THE POSSESSION, SECURITY, AND CONTROL OF YOUR PRIVATE KEY AND YOUR RECOVERY PHRASE (SEED PHRASE) ARE YOUR SOLE AND ENTIRE RESPONSIBILITY. WE DO NOT STORE, DO NOT HAVE A COPY OF, AND DO NOT HAVE ACCESS TO YOUR PRIVATE KEYS OR YOUR ASSETS ON THE BLOCKCHAIN. IMPOSSIBILITY OF RECOVERY: IF YOU LOSE ACCESS TO YOUR PRIVATE KEY OR YOUR RECOVERY PHRASE, PICNIC'S TECHNICAL SUPPORT DOES NOT HAVE THE TECHNICAL CAPACITY TO RECOVER WALLET PASSWORDS, REVERSE TRANSACTIONS, OR REFUND LOST VALUES, AS WE DO NOT HOLD CUSTODY OF THE FUNDS. USER RISK: BY ACCEPTING THESE TERMS, YOU FULLY ASSUME THE TECHNOLOGICAL RISK OF SELF-CUSTODY AND RELEASE PICNIC FROM ANY LIABILITY REGARDING THE LOSS OF ACCESS TO YOUR DIGITAL WALLET. By registering or connecting your wallet to use PICNIC's graphical interface (the “Site” or “App”), you agree that you have read, understood, and accept all terms and conditions contained in this Agreement, including our Privacy and Compliance Policies, which are an integral part of these Terms of Use. INFRASTRUCTURE PARTNERS AND THIRD-PARTY SERVICES: By accepting these Terms of Use and utilizing the products and features provided through the Picnic software, you acknowledge and agree that certain operations are enabled by external infrastructure partners. Accordingly, when using specific services, you declare that you are aware of and fully agree to our partners' specific terms of use, including but not limited to: - Asset Conversion: Operations involving the conversion of crypto assets to fiat currency and vice versa; - Picnic Card: The use of the Picnic card; - Custody and Settlement: Other payment processing services and network infrastructure. The continued use of these features implies automatic acceptance of the terms and conditions established by such partners, over which Picnic has no direct control. The operation of the entry and exit ramps is the sole responsibility of the respective third-party companies, and Picnic is exempt from any liability in this regard. 1. ELIGIBILITY AND JURISDICTIONAL SCOPE 1.1. Nature of Software and Location. The User acknowledges that PICNIC is technology software of a self-custodial and distributed nature. Unlike traditional institutions, PICNIC's software is not “located” or headquartered in a single physical jurisdiction but operates through decentralized cloud infrastructure and runs locally on the User's device and on the public blockchain network. 1.2. Due to its global nature, PICNIC is not necessarily subject to the governing laws of a specific country, except regarding the direct obligations of its developers. (A) Local Compliance: This does not imply legal immunity. PICNIC complies with all standards applicable to its operating model in the countries where it operates. The User is responsible for ensuring that access to and use of the Platform are permitted by the laws of the jurisdiction in which the User resides, is domiciled, or from which they access the services. (B) Illicit Use: It is strictly prohibited to use PICNIC software for purposes that are considered illicit in the User's jurisdiction or under international standards, including but not limited to: money laundering, currency evasion, terrorist financing, fraud, or purchase of illegal goods. 1.3. Anti-Money Laundering (AML) and Control. Although PICNIC is a technology provider and not a financial custodian, we maintain proprietary monitoring and control policies and tools to prevent the use of the tool for illicit purposes (Anti-Money Laundering – AML and Combating the Financing of Terrorism – CFT), further detailed in Appendix 2 - Compliance Policy. Shared Responsibility: The existence of these internal control tools by PICNIC does not transfer legal responsibility to the company, nor does it exempt the User from their civil and criminal obligations. The User must cooperate with the proper use of the Platform, providing truthful information when requested. 1.4. The legal relationship established between the user and Picnic is a software license agreement, whereby the technological tool allows the user to exercise financial sovereignty, maintaining exclusive control over their private keys and the final execution of any transaction. Technologically, PICNIC operates under a non-custodial software architecture. This means that our platform acts strictly as a graphical interface for interaction with the Blockchain, intermediating or holding possession of the assets.  1.5. "Trader" Status – European Union (DSA). For the exclusive purposes of complying with Regulation (EU) 2022/2065 (Digital Services Act - DSA) and consumer protection standards applicable in the European Union: (A) PICNIC declares itself as a "Trader" strictly in the sense of a provider of a technological tool and digital software. (B) This designation MUST NOT be interpreted as a statement that PICNIC acts as a financial intermediary, broker, or payment service provider. The "product" marketed by PICNIC is the license to use the interface and the aggregated technology services, and not the purchase and sale of financial assets, which occurs directly between the User and the blockchain network. 2. SERVICES 2.1. Nature of Services: Technology Provider. PICNIC acts exclusively as a provider of Technology Services, making available to users a software usage license (the “Platform”) intended to facilitate the user's direct interaction with decentralized blockchain networks. By using PICNIC, the user expressly acknowledges and agrees that: (A) PICNIC solely makes available the software infrastructure and digital tools that allow the viewing, reading, and transmission of instructions directly to the blockchain; (B) PICNIC does not hold, store, keep, process, or control the User's Virtual Assets at any time; and (C) All transactions are executed directly by the user on the respective blockchain network, without any intervention, approval, or financial settlement by PICNIC. 2.2. Non-Existence of Financial Management or Brokerage. Unlike centralized exchanges, PICNIC DOES NOT perform the purchase, sale, or transfer of virtual assets on behalf of third parties. For the avoidance of doubt, it is established that: (i) Strictly Technological Role: PICNIC does not acquire or sell assets in its own name on behalf of the user; (ii) Absence of Powers: PICNIC does not possess powers to represent the user or make decisions regarding their assets; (iii) Direct Relationship: The user transacts directly with the decentralized protocol or with other users of the network (P2P/DeFi), with PICNIC being responsible only for providing the connection software; (iv) Self-Custody: PICNIC does not maintain possession of the user's private keys or funds. Responsibility for safeguarding access credentials and private keys lies exclusively with the user. 2.3. Operation of Technology Services. The PICNIC Platform functions as an access portal (“Gateway”) that translates user commands into language compatible with the blockchain. Thus: (i) The user connects their own wallet or generates new access credentials through the provided technology; (ii) The user signs transactions with their own private key; (iii) PICNIC only transmits this signed transaction to the public blockchain network for processing by network validators. Furthermore, the User understands that the "PICNIC Interface" (the web software/app) is distinct from the underlying "Decentralized Protocols" (the Smart Contracts running on the Blockchain). (A) PICNIC provides the Interface, which is merely a visual tool. (B) PICNIC does not control, does not operate, and cannot halt the Decentralized Protocols with which the Interface interacts. If there is a failure in the Protocol (e.g., calculation error in the Pool's Smart Contract), PICNIC has no liability, as it is not the owner of the decentralized network. 2.4. Limitation of Liability regarding Execution. Since PICNIC provides only Technology Services and not financial settlement: (A) PICNIC does not guarantee the execution, settlement, or immutability of transactions, which depend exclusively on the functioning of the underlying blockchain network; (B) PICNIC does not have the technical capacity to reverse, cancel, or modify transactions once they have been transmitted by the user to the blockchain network; (C) Network fees (“Gas Fees”) are paid directly by the user to the network validators and do not constitute revenue for PICNIC. 2.5. Integrations, Web3 Browser, and Third-Party Services. The PICNIC interface may include virtual asset browser functionalities (“Web3 Browser”) or direct links allowing the user to access Decentralized Applications (“dApps”) and Decentralized Exchanges (“DEXs”) operated by third parties. (A) Browser Nature: By using the Web3 Browser, the user understands they are navigating outside the environment controlled by PICNIC. The software acts only as a connection bridge. PICNIC does not control, endorse, audit, or guarantee the security, legitimacy, or functionality of any dApp or DEX accessed. (B) If the user interacts with a malicious dApp, falls for phishing scams, or suffers losses due to failures in third-party smart contracts accessed via the PICNIC interface, responsibility lies exclusively with the user. PICNIC has no power to reverse such interactions. 2.6. Additional Services. In addition to the main Technology Services, PICNIC may develop and make available additional functionalities or integrations with third-party systems (the “Additional Services”), aimed at expanding the Platform's utility. 2.6.1. The PICNIC Card and Partnerships. Should the user choose to use functionalities such as the debit or prepaid card integrated into the Platform (the “PICNIC Card”): (A) Issuance by Third Parties: The user acknowledges that the card is issued and administered by a partner financial or payment institution, duly regulated, and not by PICNIC. (B) Technological Connection: PICNIC's role is limited to providing the technology that allows the user to connect their self-custodial wallet to the issuing partner's system. (C) Subjection to Third-Party Terms: The use of Additional Services require the user to accept terms and conditions of the issuing partners. 2.7. Fees and Remuneration. For the use of the Platform and Additional Services, PICNIC may charge software licensing or service fees, which will always be presented transparently on the Platform. (A) Distinction of Fees: The user declares awareness that fees charged by PICNIC (for the use of Technology Services) are distinct from network fees (Gas Fees) and distinct from any financial fees charged by third-party partners. (B) Responsibility: The user agrees to be responsible for the payment of all applicable fees presented on the Platform at the time of the transaction. 2.8. Non-Existence of Fiduciary Duty. This Agreement is not intended to create, and does not create, any fiduciary duties on the part of PICNIC towards the User. To the maximum extent permitted by law, the User acknowledges and agrees that PICNIC owes no loyalty, duty of financial care, or asset management to the User. Our only obligations are the strictly technical ones described in these Terms (software provision). 2.9. Routing and Price Execution. PICNIC's smart routing technology seeks to find efficient routes for User trades. However: (A) No Guarantee of Best Execution: Due to Blockchain volatility and speed, PICNIC does not guarantee that the price displayed in the simulation will be exactly the executed price, nor that it will be the best price available in the entire global market at that millisecond. (B) Slippage: The User acknowledges that the final price may vary between the time of signing and the time of the transaction. 3. ACCOUNT CONFIGURATION AND IDENTITY 3.1. Access Account Registration. To use PICNIC's Technology Services, it may be necessary to register a user profile on the Platform (a “PICNIC Account”). Registration involves providing data such as name, email address, and creating software access credentials. 3.1.1. Nature of the Account. The PICNIC Account is intended exclusively to: (i) manage software settings; (ii) allow technological access to Additional Services; and (iii) store activity history. The PICNIC Account is not a bank, payment, or deposit account. Creating a PICNIC Account does not imply, under any circumstances, the transfer of possession of the user's assets to PICNIC. 3.2. Identity Verification (KYC) for Software Security. Although PICNIC acts strictly as a Technology Provider, digital environment security and compliance with global standards require user identification, especially to enable integrations with regulated partners (e.g., card issuers). Thus, the user agrees to provide requested information for identity verification, risk analysis, and anti-money laundering policies (KYC / AML). 3.2.1. Use of Information. The user authorizes PICNIC to use their data to validate their identity and, when the user chooses to use the PICNIC Card, to share such data with partner financial institutions, strictly to enable the service provision by the partner. 3.3. Critical Distinction: Account Password vs. Private Key. It is fundamental that the user understands the difference between PICNIC Account credentials and their Wallet credentials: (A) PICNIC Account Credentials: (Login/Password). Allow access to the software/application. (B) Private Key or Recovery Phrase (Seed Phrase): These are the mathematical codes that control Virtual Assets on the blockchain. PICNIC HAS NO ACCESS, DOES NOT STORE, AND CANNOT RECOVER YOUR PRIVATE KEY. PICNIC's operating model is self-custodial. If the user loses their Private Key, they will lose access to their assets, without PICNIC being able to intervene. The use of the platform and the technology services provided imply total and unrestricted awareness of this aspect of the provided technology. 4. TRANSACTIONS AND INTERACTION WITH THE BLOCKCHAIN 4.1. The technology made available by PICNIC allows the user to manage their own funds and interact directly with public blockchain networks. By initiating a transaction through the Platform (whether sending, receiving, swapping, or interacting with smart contracts), the user acknowledges that: (A) The transaction is signed exclusively by the User's Private Key, stored locally on the user's device (or in an encrypted personal cloud solution), without PICNIC having access to this signature; (B) PICNIC does not act as a counterparty in the transaction. Buying and selling occur between the user and decentralized protocols (Smart Contracts) or other network users (P2P); (C) PICNIC's software acts only as a transmitter of the message signed by the user to the blockchain network nodes. 4.2. Integration with Fiat Currency (Fiat On-Ramp/Off-Ramp). PICNIC does not receive, custody, or process fiat currency (Reais, Dollars, etc.). To facilitate conversion between fiat currency and Virtual Assets, the Platform may technologically integrate services provided by third parties (“Liquidity Partners”). (A) By choosing to buy or sell cryptoassets using Reais (BRL), the user establishes a direct contractual relationship with the Liquidity Partner. (B) PICNIC only provides the viewing window (widget) for access to the Partner's service. Financial settlement, exchange, and regulatory compliance of this operation are the sole responsibility of the Liquidity Partner. (C) The user understands that any bank transfer made to a Liquidity Partner is intended for the purchase of digital assets that will be delivered directly to the user's self-custodial wallet address, without passing through PICNIC's possession. 4.3. Unlike traditional banking systems or centralized exchanges, transactions on the blockchain are, by nature, irreversible. (A) Once the user signs and transmits a transaction through PICNIC technology to the network, it cannot be canceled, reversed, or modified. PICNIC has no technical capability to refund transactions, even in cases of error, theft, or fraud. (B) It is the user's sole responsibility to verify the destination address, selected network, and values before signing the transaction. 4.4. Network Fees (Gas Fees) and Service Fees. (A) Network Fees (Miners/Validators): Every blockchain transaction incurs a processing fee (Gas Fee) paid to the network validators. The User acknowledges that PICNIC may, at its sole discretion and for greater convenience, facilitate the payment of this fee through fee abstraction mechanisms. In such cases, PICNIC may advance the payment of the network fee on behalf of the User, being fully reimbursed by withholding the corresponding amount in the specific token used for the transaction. (B) Fee Independence: In cases where the facilitation mentioned in item (A) is not provided, the fee fluctuates according to network demand and is not defined or controlled by PICNIC. (C) Technology Fees: For the use of the technological solution that facilitates interaction (such as intelligent swap routing or the convenience of fee payment), PICNIC may charge a service fee, which will be added to the transaction and clearly displayed to the User prior to signing. 4.5. As a non-custodial wallet, the user's address on the blockchain can technically receive any asset compatible with that network. However, the PICNIC Platform filters and displays only a selected list of Virtual Assets (“Viewable Assets”) to ensure a better user experience and security. (A) Sending Unlisted Assets: If the user sends an asset to their address that is not visually supported by PICNIC software, the asset is not lost (as it is on the blockchain) but may not appear in the graphical interface. The user may need to import their Recovery Phrase into other compatible software to view/move this asset. (B) Termination of Support: PICNIC may stop displaying certain assets on the interface at any time. This does not affect the user's ownership of the asset, only the visualization through the PICNIC tool. 4.6. Specific Risks of DeFi Protocols and DEXs. PICNIC technology allows access to Decentralized Finance (DeFi) protocols and DEXs for asset exchange or liquidity provision. Unlike centralized exchanges that curate listed assets, DEXs are open environments. (A) High-Risk Assets: The user acknowledges that DEXs and dApps may list assets without any prior verification. This includes assets with high risk of illiquidity, extreme volatility, blocking risk, or fraudulent tokens (scam tokens/rug pulls). It is the user's sole responsibility to verify the asset's contract address before trading. (B) Third-Party Prices and Fees: The user may incur fees imposed by the dApps or DEXs themselves (in addition to network fees). PICNIC neither receives nor controls these third-party fees. 4.7. Blockchain networks may undergo protocol changes (“Forks”). PICNIC does not control these changes. (A) Discretion: PICNIC reserves the right to decide whether to update its software to support a specific Fork. (B) No Obligation: PICNIC has no obligation to support new chains resulting from forks, nor to guarantee that the user receives tokens generated in forks (Fork Airdrops). 4.8. (A) All Virtual Assets associated with the user's wallet address are the exclusive property and direct possession of the user. (B) PICNIC DOES NOT hold, does not keep title, has no custody, and does not manage user assets. Assets remain off PICNIC's balance sheet. (C) Only the holder of the Private Key (the user) can move the assets. PICNIC has no technical means to freeze, confiscate, or move user funds, even under court order (as technology does not permit such access). 4.9. Since PICNIC does not have access to private keys, PICNIC cannot recover wallets whose passwords or Recovery Phrases have been lost by the user. Backup management is the user's full responsibility. 4.10. It is strictly prohibited to use the PICNIC interface to perform or attempt to perform: (A) Market Manipulation: Practices violating market integrity, including but not limited to tactics known as Rug Pulls, Pump and Dump, and Wash Trading; (B) Cyber Attacks: Any activity seeking to interfere, intercept, or compromise the integrity of Smart Contracts, including reentrancy attacks, malicious front-running, or exploitation of protocol bugs; (C) Securities Violation: Offer or trading of assets that may be characterized as unregistered securities or prohibited derivatives in the User's jurisdiction. 5. SOFTWARE OPERATIONAL LIMITS 5.1. The use of PICNIC Technology Services and, especially, Additional Services (such as fiat currency conversion or PICNIC Card use), is subject to operational limits. Such limits may restrict financial volume, transaction frequency, or access to certain Platform functionalities within a given period. 5.2. Limits are established based on security criteria, fraud prevention, and regulatory compliance, and may vary according to: (i) The level of Identity Verification (KYC) completed by the user; (ii) Requirements imposed by operational Partners and card issuers; (iii) Software usage history and risk assessment. 6. SUSPENSION AND TERMINATION OF ACCESS 6.1. Without prejudice to other rights provided in these Terms, PICNIC, as the software license provider, may: (A) Refuse to process or transmit any technical instruction from the user to the blockchain network (e.g., if the transaction is identified as malicious, fraud, or destined for internationally sanctioned addresses); (B) Temporarily or permanently block the user's login to the PICNIC Platform; (C) Restrict access to specific Additional Services (such as suspending PICNIC Card use) without necessarily blocking wallet viewing access. 6.2. Grounds for Suspension or Termination. Such measures may be taken, including with immediate effect, if: (i) The user violates any provision of these Terms; (ii) There is reasonable suspicion that the PICNIC Account is being used for illicit activities, money laundering, fraud, or currency evasion; (iii) A court order or determination by a competent authority requires blocking access to the software; (iv) The user's use of technology puts the Platform's technical stability at risk. Any suspension or termination of the user's account on the PICNIC platform does not confer upon PICNIC the ability to access or transfer user funds. The user's wallet remains accessible on the blockchain through other platforms. 6.3. Consequences of Termination/Suspension: As PICNIC does not hold custody of assets, termination of Platform access does not imply confiscation of assets on the blockchain, provided the user possesses their self-custody credentials. (A) Should PICNIC terminate the user's access to the software, the user may access and move their Virtual Assets using their Private Key or Recovery Phrase (Seed Phrase) in any other compatible wallet software available on the market (e.g., hardware wallets or other open-source applications). (B) Termination of the PICNIC Account will result in loss of access to transaction history, custom settings, and data stored on PICNIC servers, but will not affect the immutable record of transactions on the blockchain. © Should the user have financial obligations related to Additional Services (e.g., outstanding card balance or unpaid service fees), the user remains legally obligated to settle them, even after access suspension. 6.4. Impossibility of Reversion. The user acknowledges that, due to the immutable nature of the blockchain, PICNIC lacks the technical capacity to reverse, cancel, or refund transactions already transmitted to the network, even in cases of account suspension. Service suspension only prevents the initiation of new transactions through the PICNIC interface. 6.5. Whenever possible and provided it does not violate applicable laws or compromise security investigations, PICNIC will notify the user regarding suspension or termination of access, presenting the general reasons for the decision. 6.6. PICNIC may, at its sole discretion, discontinue, modify, or alter the Platform architecture or any Technology Service at any time. In case of total discontinuity of PICNIC operations, the user will continue to have full control over their assets through their Recovery Phrase, regardless of the PICNIC platform's existence, reinforcing the uncensorable nature of self-custody. 7. LIABILITY AND LIMITATIONS 7.1. If the user has a dispute with third parties, including but not limited to: (i) other users; (ii) smart contract developers; (iii) token issuers; (iv) liquidity partners or card issuers; (v) blockchain network validators; (vi) hackers, the user expressly agrees to release PICNIC, directors, and employees from any claims, demands, and damages of any nature arising from or related to such disputes. PICNIC provides only the access tool (interface); it is not a party to transactions performed on the blockchain. 7.2.The user agrees to indemnify and hold harmless PICNIC and its technological partners against any costs, losses, liabilities, and expenses (including reasonable attorney's fees) arising from: (A) Misuse of Technology Services or violation of these Terms by the user; (B) Violation of any applicable law or regulation by the user. 7.3. Limitation of Financial Liability (Indemnity Cap). CONSIDERING THAT PICNIC IS A SOFTWARE PROVIDER AND NOT AN ASSET CUSTODIAN: Except in cases of willful misconduct or proven gross negligence, PICNIC's total and cumulative liability for any damages or losses suffered by the user shall be strictly limited to the total amount of service fees paid by the user to PICNIC (excluding gas fees and partner fees) in the 12 (twelve) months prior to the event generating the claim. Under no circumstances shall PICNIC's liability be calculated based on the value of Virtual Assets held by the user on the blockchain, as PICNIC does not hold possession or control of such assets. 7.4. Specific Exclusion of Damages (Technology Risks). In addition to the limitations above, PICNIC SHALL NOT be liable for losses arising from: (A) Loss of Keys: Loss, theft, forgetting, or compromise of the Recovery Phrase (Seed Phrase), Private Key, or user passwords. PICNIC does not hold a copy of this data and cannot recover it; (B) Blockchain Failures: Network congestion, high transaction fees, consensus failures, 51% attacks, or bugs in the underlying blockchain protocol; (C) User Errors: Sending assets to incorrect addresses, incompatible networks, or interaction with malicious contracts (Honeypots, Phishing); (D) Third-Party Risks: Bankruptcy, insolvency, or technical failures of Liquidity Partners, card issuers, or DeFi protocols accessed through the interface; (E) Lost Profits: Loss of profit opportunity, loss of expected revenue, or damages arising from market volatility. 7.5. PICNIC Technology Services are provided "as is" and "as available". (A) PICNIC does not guarantee that transactions transmitted to the blockchain will be mined/validated on time or at a specific cost. (B) No information displayed on the Platform constitutes investment advice, legal, or tax consultancy. The user operates at their own risk. (C) Like any software, the PICNIC Platform may contain errors (bugs) or undergo instabilities. PICNIC does not guarantee that the service will be uninterrupted or error-free, although it will use best efforts to correct flaws promptly. 7.6. The User acknowledges and agrees that any yield-generating functionality available on the Platform is based on interactions with third-party decentralized protocols and variable digital assets. PICNIC does not, under any circumstances, guarantee any profit, fixed yield, or specific financial return. 7.7. Any rates of return displayed on the interface are mere estimates based on historical data or real-time data from underlying protocols. These rates are subject to drastic and immediate fluctuations due to market volatility, changes in DeFi protocol rules, or blockchain network conditions. The actual return may be significantly lower than estimated and may, in some cases, be zero or negative. 7.8. By using any yield strategy, the User expressly declares to be fully aware that: (A) Autonomous Decision: The choice of asset and strategy is the User's sole responsibility; (B) Market Risks: The value of the underlying assets may drop sharply, impacting the total value invested, regardless of the yield generated; (C) Technological Risks: The User accepts the risks of software "bugs," cyberattacks, or the loss of parity (de-peg) of stablecoins within the protocols where the assets are allocated. 7.9. Limitation of Liability. PICNIC, as a software provider, does not act as an investment advisor or wealth manager. The User hereby releases PICNIC from any liability for financial losses, direct or indirect damages  arising from price variations, or the performance of the assets chosen within the platform. 7.10. Force Majeure and Network Events. PICNIC shall not be liable for delays or failures in fulfilling its obligations resulting from events beyond its reasonable control, including but not limited to: governmental acts, wars, terrorism, pandemics, global internet infrastructure failures, or critical blockchain network events (such as contentious forks or network halts). 8. AVAILABILITY AND ACCURACY OF TECHNOLOGY SERVICES 8.1. Access and Software Availability. Access to PICNIC Technology Services may suffer degradation, slowness, or temporary unavailability due to technical maintenance, third-party server failures, or periods of high congestion on supported blockchain networks. (A) Although PICNIC is dedicated to maintaining Platform stability, we do not guarantee that the technological solution will be available uninterruptedly or error-free. (B) The user acknowledges that delays in transaction confirmation or failures in order transmission may occur due to instabilities in the blockchain network itself (miners/validators), factors totally beyond PICNIC's technical control. (C) PICNIC emphasizes that, due to the non-custodial nature of the services, any unavailability of the PICNIC Platform DOES NOT prevent the user from accessing their Virtual Assets. Should PICNIC software be unavailable, the user may, at any time, use their Recovery Phrase (Seed Phrase) or Private Key to access and move their funds through other compatible software or wallets available on the market. For this reason, PICNIC shall not be liable for any damages, loss of opportunity, or asset devaluation resulting from temporary impossibility to use the Platform, since access to assets on the blockchain is independent of PICNIC software availability. 8.2. Accuracy of Information and Network Data. The PICNIC Platform acts as a viewer of public data recorded on the blockchain and third-party price sources (Oracles or market APIs). (A) Although PICNIC seeks to present information (such as balances, history, and quotes) accurately and up-to-date, there may be latency (delay) between data recording on the blockchain and its visualization on the Platform. (B) The user acknowledges that the "source of truth" regarding their balances and transactions is the immutable record on the blockchain network, not the cached visualization presented by PICNIC software. In case of divergence, blockchain network data prevails. (C) Displayed Virtual Asset price quotes are estimates based on third-party data. PICNIC does not guarantee the accuracy of these quotes and is not liable for purchase or sale decisions made by the user based on this visual information. 8.3. Content and Third-Party Links. The Platform may display links, news, or integrations with third-party services (including block explorers, DeFi protocols, and liquidity partners). The user acknowledges and agrees that PICNIC does not control, endorse, and assumes no responsibility for the content, accuracy, policies, or practices of these third-party services. Access to such external resources is at the user's sole responsibility and risk. 9. PROMOTIONAL CAMPAIGNS, BONUSES AND REWARDS 9.1. PICNIC may, at its sole discretion, offer promotions, referral programs, sign-up bonuses, or other rewards ("Promotions"). User participation in any Promotions is conditioned upon acceptance and compliance with the specific terms of each campaign, as well as eligibility rules, regional restrictions, and account verification in force at the time of participation. 9.2. PICNIC reserves the right to, at any time and without prior notice, modify, suspend, or terminate any Promotion, as well as alter eligibility criteria or reward value, creating no acquired right for the User regarding future bonuses or discontinued campaigns. 9.3. PICNIC reserves the right to disqualify the User, block the account, and revoke, refund, or cancel any rewards (even if already credited) if it identifies, at its sole discretion: a) Creation of multiple accounts or use of false data; b) Use of robotic means, emulators, VPNs to bypass geographical restrictions, or automation scripts; c) Self-referral or collusion between accounts to manipulate the rewards system; d) Any violation of the acceptable use policy or suspicion of fraud. 9.4. The User acknowledges that rewards paid in cryptoassets are subject to market volatility. PICNIC is not responsible for value fluctuations, technical failures preventing immediate participation, or manifest material errors in bonus configuration, reserving the right to correct such failures and adjust balances as necessary. 10. CUSTOMER SERVICE, FEEDBACK AND DISPUTE RESOLUTION 10.1. Should the user have questions, suggestions, feedback, or encounter technical difficulties in using the Platform, they must contact the PICNIC Technical Support team via email oi@usepicnic.com or official channels indicated on the usepicnic.com page. For purposes of receiving judicial citations or formal extrajudicial notifications, PICNIC indicates the following physical/electronic address: legal@usepicnic.com 10.2. Support Scope and Limitations. The user acknowledges that support offered by PICNIC is strictly limited to the functioning of technology and software interface. (A) What we cover: Login problems in PICNIC Account, viewing errors in the app, difficulties integrating with partner services (Card), and interface bugs. (B) What we CANNOT cover: PICNIC support has no technical means to recover funds sent to wrong addresses, reverse transactions on the blockchain, recover Private Keys lost by the user, or accelerate pending transactions on the network. Complaints of this nature will be technically impossible to be solved by PICNIC. 10.3. Amicable Dispute Resolution. Except where prohibited by applicable law, before initiating any judicial or administrative proceeding against PICNIC, the user agrees to first contact our support team to try to resolve the issue amicably. The user agrees to grant PICNIC a period of up to 30 (thirty) days, counting from the formal receipt of the complaint with all necessary information, to analyze the case and propose a technical solution or clarification. Should the user initiate a dispute without first exhausting this attempt at amicable resolution, PICNIC reserves the right to request suspension of the process until the support procedure is concluded. 10.4. These Terms are governed by the laws of the British Virgin Islands. 11. DATA PROTECTION AND PRIVACY 11.1. Personal Data Processing. By using PICNIC Technology Services, the user acknowledges that PICNIC may collect and process personal data, in compliance with PICNIC's Privacy Policy, an integral part of these Terms. Data processing is performed for the purposes of: (i) Providing the software usage license and personalizing the user experience; (ii) Complying with legal and regulatory obligations (including fraud prevention and money laundering); (iii) Enabling integration with Additional Services (such as fiat currency conversion or PICNIC Card issuance with banking partners). 11.2. Data on Blockchain (Public Data). The user understands and accepts a fundamental characteristic of blockchain technology: Transparency and Immutability. By performing a transaction through the PICNIC interface, the user's public wallet address and transaction details are permanently recorded on the blockchain. (A) Public Data: This data is public, decentralized, and not controlled or stored on PICNIC servers. (B) Impossibility of Deletion: The user acknowledges that PICNIC lacks the technical capacity to alter, anonymize, or delete data already recorded on the blockchain. Therefore, rights of deletion or forgetting provided in data protection legislation are not applicable to immutable blockchain records, but only to data kept in PICNIC's internal databases (such as email registration and name). 11.3. Sharing with Partners. For the provision of Additional Services (especially connected financial services, such as the PICNIC Card), the user authorizes PICNIC to share their registration and identification data with partner institutions (card issuers, banks, or liquidity partners), strictly for contract execution and compliance with regulatory standards (Compliance) of those institutions. 11.4. User Declarations. The user declares that all information provided to PICNIC is true and current. The user commits to keeping their data updated on the Platform and acknowledges that reading and accepting the Privacy Policy is an indispensable condition for using the services. 12. SECURITY AND USER PROTECTION 12.1. Responsibility for Credentials and Devices. To use PICNIC software, the user must create Platform access credentials (Login and Password). The user is solely and fully responsible for their electronic device security and for maintaining proper control of their security data. 12.2. Critical Security Distinction (App vs. Blockchain). The user must understand the difference between two security levels: (A) PICNIC Account Security: Refers to access to the application interface. PICNIC can assist in app password recovery (password reset via email), should the user forget it. (B) Wallet Security (Self-Custody): Refers to the Private Key or Recovery Phrase (Seed Phrase) controlling funds on the Blockchain. PICNIC NEVER requests, stores, or has access to your Private Key. ATTENTION: If the user loses, forgets, or has their Private Key/Seed Phrase stolen, PICNIC CANNOT recover access to funds, nor reverse transactions. Private Key security is the user's sole responsibility. 12.3. Phishing and Scam Prevention. Picnic is not liable for damages arising from access to external links, third-party ads (on search engines or social networks), or fraudulent sites simulating the official service interface. It is the User's duty to verify URL authenticity and ensure they are in an official environment before entering any data or performing transactions. 12.4. Security Breach. If the user suspects their PICNIC Account (app access) has been compromised: (A) The user must IMMEDIATELY notify PICNIC Support for temporary interface access blocking; (B) The user must IMMEDIATELY use their Recovery Phrase (Seed Phrase) in another secure interface to transfer their funds to a new secure wallet, since PICNIC has no power to "freeze" funds on the blockchain. 12.5. Picnic declares that it adopts technical, organizational, and administrative information security measures strictly aligned with standards required by the General Data Protection Law (Law No. 13.709/2018 - LGPD) and applicable regulatory standards. Such measures aim to protect personal data against unauthorized access and accidental or illicit situations of destruction, loss, or alteration. 13. INTEGRATION WITH NOAH SERVICES 13.1. By using the functionalities for conversion between fiat currency and cryptoassets available on the platform, the User acknowledges and agrees that these services are provided directly by Noah Savings Inc. ("Noah") and its banking partners, and not by Picnic. Thus: 13.2. Acceptance of Third-Party Terms: To use these services, the User automatically adheres to and must observe Noah's Terms of Service and Privacy Policy. 13.3. Data Sharing: The User authorizes Picnic to share their registration data, KYC (Know Your Customer) information, and wallet details with Noah for identity validation and anti-money laundering purposes, as required by applicable regulation. 13.4. Geographical Restrictions and Sanctions: The service is not available to Users residing in, citizens of, or attempting to access the platform from jurisdictions classified as "Prohibited Countries" by Noah. The User declares having no ties to the following locations: Afghanistan, Albania, Algeria, Bangladesh, Belarus, Qatar, China, Congo (Democratic Republic of the), North Korea, Cuba, Eritrea, Ethiopia, Gaza Strip, Yemen, Iran, Iraq, Kosovo, Lebanon, Libya, North Macedonia, Mali, Morocco, Myanmar, Nepal, Nicaragua, Niger, Pakistan, Central African Republic, Russia, Syria, Somalia, Sudan, South Sudan, Ukraine, Venezuela, West Bank, and Zimbabwe. 13.5. Limitation of Liability: Picnic acts only as a technological integrator. Any failure, delay, custody of values, or dispute related to currency conversion or financial settlement is the sole responsibility of Noah, with Picnic being exempt from liability for losses arising from these specific services. 14. PASSKEYS 14.1. As of April 6, 2026, the use of passkeys is mandatory for all accounts created via email on Picnic. Accounts created via external wallets remain subject to their original access conditions and are not affected by this Clause. 14.2. The Passkey is generated and stored exclusively within the secure hardware of the User's device. Picnic does not have access to the User's Private Key under any circumstances and cannot request it. Picnic stores only the Public Key, which is required to verify the authenticity of cryptographic signatures. 14.3. Passkeys implemented by Picnic follow the WebAuthn (FIDO2) standard, the same adopted by Apple, Google, and Microsoft for passwordless authentication. Biometric authentication occurs locally on the user's device. No biometric data is transmitted to Picnic or any third party. 14.4. Each transaction requires individual and direct biometric approval by the User on their device. There is no persistent session; every action requires confirmation at the moment it is performed. 14.5. By design of the WebAuthn standard, the User's Passkey is bound to the origin usepicnic.com. The Passkey will not function on any other domain or application, even if visually identical to Picnic. Picnic will never ask the User to provide, export, or share their Passkey or any biometric data. - ℹ NOTE: Biometric authentication (Face ID, Touch ID, fingerprint) occurs locally on your device. Your biometric data is never sent to Picnic, the blockchain, or any third party. The network receives only the cryptographic signature produced by your device. 14.6. USER RESPONSIBILITIES 14.6.1. The User is solely responsible for the custody, security, and control of the device on which the Passkey is stored. Picnic bears no responsibility for losses resulting from theft, loss, unauthorized access, or compromise of the User's device. 14.6.2. The User is responsible for controlling who has access to the biometrics registered on their device. Any individual whose face or fingerprint is registered on the User's device may authenticate transactions on Picnic. Picnic has no means of distinguishing between the User and authorized third parties on the device. 14.6.3. The User is responsible for managing their account within the Passkey Manager of the platform they utilize (Apple ID, Google Account, or compatible manager). Passkey synchronization across devices is a third-party functionality over which Picnic has no control. 14.6.4. The User is strongly encouraged to configure their Passkey before April 6, 2026. After this date, account access will be contingent upon the completion of this setup. Assets remain secure on the blockchain regardless, but access to the Picnic interface will require an active Passkey. 14.6.5. The User is responsible for monitoring notifications sent by Picnic during the Protection Period of a recovery process. Picnic will send daily notifications during the 7-day Protection Period. The User must immediately cancel any recovery process they did not initiate. 14.6.6. The User acknowledges and accepts that the Passkey is the sole mechanism for authorizing transactions in their Smart Wallet. The definitive loss of access to the Passkey, without the possibility of recovery via the Recovery Guard, entails the permanent loss of access to assets. Picnic cannot intervene in this situation. USER RESPONSIBILITY: You are the sole guardian of your Passkey. Picnic has no way to recover your access outside of the process described in Clause 14.6. If you lose your device and your Recovery Guard simultaneously, without access to a Passkey Manager, access to your assets may be permanently lost. 14.7. TECHNICAL LIMITATIONS AND EXCLUSION OF LIABILITY 14.7.1. Picnic does not have access to, does not store, and cannot recover the User’s Private Key under any circumstances. This is a structural technical component, not an operational policy. 14.7.2. Picnic has no control over third-party Passkey Managers (Apple, Google, 1Password, Bitwarden, or others). Picnic is not liable for failures, unavailability, policy changes, or discontinuation of these services that affect the User's access to their Passkey. 14.7.3. Picnic is not responsible for failures in secure hardware (Secure Enclave or equivalent), operating system updates that affect passkey functionality, or any other technical limitations of the User's devices. 14.7.4. Picnic is not liable for transactions performed by third parties who have obtained access to the User's device, to the biometrics registered on the device, or to the User's Passkey Manager, except in cases of proven exclusive fault by Picnic. 14.8. ACCOUNT RECOVERY 14.8.1. The only account recovery mechanism available on Picnic is the process described in this Clause 14.8. Picnic does not offer any other recovery channel, whether through human support, administrative reset, or any other means. 14.8.2. The Recovery Guard is the Magic wallet previously linked to the User's email. Following the adoption of passkeys, the Recovery Guard does not have signing powers in the primary transaction flow—it acts exclusively as a recovery mechanism within the Smart Wallet's social recovery module. 14.8.3. To initiate a recovery, the User must: (i) Access Picnic on a new device; (ii) Authenticate with the email associated with the Account, activating the Recovery Guard; (iii) Register a new Passkey on the new device; (iv) Wait for the Protection Period of 7 (seven) calendar days; (v) Confirm the activation of the new Passkey at the end of the Protection Period. 14.8.4. The 7-day Protection Period is a security safeguard and not an operational limitation. It exists to ensure that any unauthorized recovery attempt—such as one initiated by someone with access to the User's email—can be detected and canceled by the legitimate User before it takes effect. 14.8.5. During the 7-day Protection Period, Picnic will send the User: (a) Immediate notification at the start of the recovery; (b) Daily reminder notifications while the process is active; (c) A final notification when the new Passkey is ready to be activated. 14.8.6. If the User receives notification of a recovery they did not initiate, they must cancel it immediately through the channel indicated in the notification. Picnic is not responsible for recoveries completed during the Protection Period where the User received notifications and failed to take action to cancel. 14.8.7. If the User simultaneously loses: (a) access to the Passkey; (b) access to the Passkey Manager; and (c) access to the email associated with the Recovery Guard—the account may be permanently unrecoverable. Assets will remain on the blockchain, but no technical mechanism will be available to authorize transactions. Picnic has no capacity to intervene in this situation. - CRITICAL ATTENTION: The email associated with your account is your safety net. Maintain access to it. If you lose your Passkey and email access at the same time, without the possibility of recovery via a Passkey Manager, your assets may become permanently inaccessible. 14.9. CROSS-DEVICE SYNCHRONIZATION 14.9.1. Passkey synchronization between devices is a feature provided exclusively by the User's Passkey Manager, not by Picnic. Picnic has no control over the synchronization process, its availability, or its technical requirements. 14.9.2. Picnic's passkey implementation is compatible with the following Passkey Managers, without guarantee of future availability or compatibility: (a) Apple iCloud Keychain; (b) Google Password Manager; (c) WebAuthn-compliant password managers (e.g., 1Password, Bitwarden, Dashlane); (d) Cross-platform authentication via QR Code and Bluetooth proximity. 14.9.3. In the event of migration between ecosystems (e.g., from Android to iPhone), the Passkey may not transfer automatically. In such cases, the User must use the recovery process described in Clause 14.8 to register a new Passkey on the new platform. 14.9.4. The User is responsible for ensuring that Passkey synchronization is correctly configured on their devices. Picnic is not responsible for access failures resulting from improper configuration of the Passkey Manager. 14.10. TECHNOLOGICAL UPDATES AND SYSTEM CHANGES 14.10.1. Picnic reserves the right to update, modify, or replace the passkey system described in this Clause 14 due to technological evolutions, security requirements, or regulatory changes, provided adequate prior notice is given to the User. 14.10.2. Material changes to the authentication and signing system will be communicated to the User at least 30 (thirty) days in advance, except in cases of security emergencies requiring an immediate response. 14.10.3. Picnic commits to maintaining compatibility with the WebAuthn (FIDO2) standard as long as it remains the industry standard for passwordless authentication. Any change in technological standards will be communicated pursuant to Clause 14.10.2. 14.11. The User's use of the passkey functionality constitutes express acceptance of all terms in this Clause 14, including the responsibilities assigned to the User and Picnic’s limitations of liability. 14.12. This Clause 14 must be read in conjunction with the other clauses of these Terms of Use, especially those relating to Picnic's nature as a software interface, the self-custody of assets, and general limitations of liability. 15. GENERAL PROVISIONS 15.1.The user agrees to use PICNIC Technology Services in strict compliance with applicable laws, including anti-money laundering standards. The user declares that funds moved through the interface have a lawful origin. 15.2. All content, design, source code, logos, graphics, and interfaces made available by PICNIC (“Content”) are the exclusive property of PICNIC or its licensors. Use of the Platform grants the user only a limited, revocable, non-exclusive, and non-transferable license for personal software use. Copying, reverse engineering, or redistributing Content without express authorization is prohibited. 15.3. These Terms do not create any partnership, joint venture, mandate, franchise, or employment relationship between the user and PICNIC. 15.4. Tax Aspects. Due to the non-custodial nature, PICNIC does not withhold taxes at source on cryptoasset transactions. The user is solely responsible for calculating, declaring, and collecting any taxes applicable to their capital gains arising from transactions facilitated by the Platform. PICNIC does not provide tax advice. 15.5. Inapplicability of "Unclaimed Property". Unlike banks or custodial exchanges, PICNIC does not hold possession of assets. Therefore, the concept of "dormant account" or "unclaimed property" subject to appropriation or transfer to the State by PICNIC does not exist. If the user stops using the Platform for years, their assets will remain safe on the blockchain, accessible only by whoever holds the Private Key. 15.6. Succession and Death. PICNIC warns that, due to blockchain encryption, it is not possible to transfer the deceased user's funds to heirs if they do not possess the Recovery Phrase (Seed Phrase). (A) Account Access: Upon presentation of a valid Inventory or Court Order, PICNIC may transfer ownership of the PICNIC Account (login/interface access) to the executor or heir. (B) Access to Funds: Transferring the login DOES NOT guarantee access to funds if the deceased has not left the Private Key/Password accessible to heirs. PICNIC has no technical means to "break" wallet encryption to deliver values to the estate. It is the user's sole responsibility to carry out their digital estate planning. 15.7. Entire Agreement and Assignment. These Terms constitute the entire agreement between the parties. PICNIC may assign or transfer its rights and obligations under this contract (in case of merger, acquisition, or asset sale) without prior user consent, provided notification is ensured. 15.8. Changes to Terms. PICNIC may alter these Terms at any time. Alterations will take effect on the date of their publication on the Platform. Continued use of services after alteration implies tacit acceptance. Should the user not agree, they must cease using the interface immediately. APPENDIX 1: COMMUNICATIONS AND NOTIFICATIONS POLICY 1. Considering the exclusively digital nature of services provided by PICNIC, the user agrees and expressly authorizes the receipt of all communications, contracts, documents, legal notifications, and disclosures (collectively, “Communications”) by electronic means. Communications may include, but are not limited to: (A) Terms and Policies: Updates to these Terms of Use, Privacy Policy, and other security guidelines; (B) Account Activity: Confirmations of actions performed in the interface, viewed transaction history, security alerts, and receipts related to Additional Services (e.g., PICNIC Card use); (C) Legal Reports: Notifications required by fiscal, tax, or anti-money laundering regulation, when applicable to operation with partners; (D) Support: Responses to technical support tickets and updates on Platform maintenance status. 1.1. Communications will be considered delivered and valid when: (i) published on the Platform or PICNIC Site; (ii) sent to the email registered in the user profile; (iii) sent via push notification in the mobile app; or (iv) transmitted via support chat or SMS. 2. PICNIC does not support communications via physical mail or paper. If the user revokes their authorization to receive electronic Communications, this will make the provision of Technology Services unfeasible. Consequently, PICNIC reserves the right to immediately terminate user access to the interface and PICNIC Account, reserving the user's right to continue accessing their assets directly on the blockchain (without using PICNIC software). 3. It is the user's sole responsibility to keep their email address and phone number updated and accessible. (A) The user understands and agrees that if PICNIC sends an electronic Communication to the email address on file, the communication will be considered received and delivered, even if: (i) the user's email is incorrect or outdated; (ii) the inbox is full; or (iii) the user's spam filter or firewall blocks the message. (B) The user can update their contact details at any time through the settings menu in the app or by contacting support via official channels. 4. Picnic communicates with the User exclusively through the official channels identified within the application and on the website usepicnic.com. Picnic will never, through any channel, request from the User: (a) The export, sharing, or disclosure of their Passkey or Private Key; (b) Biometric data of any nature; (c) Confirmation of transactions outside of the official application; (d) Remote access to the User's device. 4.1. Any request received by the User—whether via email, messaging apps, social media, telephone calls, or any other channel—must be treated as a fraudulent attempt. The User must report it immediately to Picnic’s official support. APPENDIX 2: COMPLIANCE POLICY 1. Although PICNIC is a non-custodial technology provider, we have an ethical and legal commitment to prevent our software from being used to facilitate illicit activities. Our policy is based on community protection and respect for global standards of anti-money laundering (AML), combating the financing of terrorism (CFT), and economic sanctions. 2. PICNIC's operation is performed through integration with licensed and regulated financial infrastructure and payment providers (including, but not limited to, electronic money issuers and fiat currency payment processors). PICNIC performs rigorous due diligence on its providers ("Know Your Partner" or KYP), exclusively selecting partners that provenly adopt strict controls for anti-money laundering (AML), combating the financing of terrorism (CFT), and fraud prevention, in compliance with global standards (including FATF guidelines). 2.1. The User acknowledges and agrees that the PICNIC platform reflects, in real-time, security policies and restrictions imposed by these infrastructure partners. Consequently, access to the interface or order execution may be automatically blocked or suspended in the following hypotheses: (A) transaction execution will be prevented if involved wallets or identities are flagged by our partners' monitoring systems as appearing on official sanctions lists. (B) access to services may be restricted if the User's IP address or fiscal residence originates from embargoed jurisdictions or those classified as high-risk by our partners. Use of VPNs to bypass such restrictions constitutes a serious violation of these terms. (C) transactions may be rejected if blockchain analysis tools used by our settlement partners identify interaction with high-risk addresses. 2.2. Regardless of the automated restrictions above, PICNIC reserves the right to suspend, block, or terminate the User's account upon express request from any of its financial partners, arising from suspicion of fraud, platform abuse, larceny, or scams. The merit analysis performed by regulated partners will be considered valid and sufficient for decision-making by PICNIC. 3. SERVICES REQUIRING IDENTIFICATION (KYC). For functionalities connecting the crypto world to the traditional financial system (the "Additional Services"), such as the PICNIC Card, fiat currency to Crypto conversion, user identification is mandatory. In these cases: (A) The user must send documents (ID/CNPJ photo, selfie, etc.) directly to PICNIC's regulated partners. (B) If the partner refuses user registration due to compliance issues, PICNIC will automatically revoke access to this specific functionality in the app. 4. USER OBLIGATIONS. By using PICNIC software, you declare, under penalty of law, that: (A) You are not on any international sanctions or trade restriction lists; (B) Your funds have a lawful origin and do not derive from criminal activities; (C) You will not use the platform to conceal assets, evade currency, or finance illegal activities. 5. CONSEQUENCES OF VIOLATION. Should our systems identify a violation of this Policy or of the Terms of Use, PICNIC will block access to our website and application. You will no longer be able to use our visual tool. PICNIC reserves the right to report suspicious activities to competent authorities, if illicit use of our technology is proven.

Terms of Use - English

PICNIC TERMS OF USE Last Updated: March 10, 2026 These Terms of Use constitute a binding agreement between you (the “User”) and DeFi Basket Labs Inc., the company that owns the PICNIC brand, incorporated under the laws of the British Virgin Islands (BVI). DeFi Basket is a company incorporated under No. 2085144 with its registered address at Intershore Chambers, Geneva Place, 3rd Floor, Road Town, Tortola, British Virgin Islands. For the purposes of this agreement, "PICNIC" refers to the website usepicnic.com, the suite of software protocols, the technological interfaces that make up the PICNIC Platform, the PICNIC Card, and associated mobile applications. By using our technology, the user acknowledges that PICNIC is a self-custodial and distributed technology software. UNLIKE TRADITIONAL FINANCIAL INSTITUTIONS, PICNIC SOFTWARE IS NOT “LOCATED” OR BASED IN A SINGLE PHYSICAL JURISDICTION. IT OPERATES THROUGH A DECENTRALIZED CLOUD INFRASTRUCTURE, RUNNING LOCALLY ON THE USER'S DEVICE AND DIRECTLY ON PUBLIC BLOCKCHAIN NETWORKS. The software functions as an interface for the user to interact directly with the blockchain. DeFi Basket Labs does not have access, control, or custody over the user's private keys, recovery phrases (seeds), or digital assets. READ CAREFULLY BEFORE PROCEEDING: PICNIC IS NOT A BANK, NOT A FINANCIAL INSTITUTION, NOT A CUSTODIAL EXCHANGE, AND DOES NOT INTERMEDIATE ANY TRANSACTION. PICNIC IS EXCLUSIVELY A SOFTWARE INTERFACE PROVIDER. BY USING THIS PLATFORM, YOU ACKNOWLEDGE THAT THE OPERATIONAL MODEL IS SELF-CUSTODIAL. THIS MEANS THAT: THE POSSESSION, SECURITY, AND CONTROL OF YOUR PRIVATE KEY AND YOUR RECOVERY PHRASE ARE YOUR SOLE AND FULL RESPONSIBILITY. WE DO NOT STORE, HAVE COPIES, OR HAVE ACCESS TO YOUR PRIVATE KEYS OR YOUR ASSETS ON THE BLOCKCHAIN. RECOVERY IMPOSSIBILITY: IF YOU LOSE ACCESS TO YOUR PRIVATE KEY OR RECOVERY PHRASE, PICNIC TECHNICAL SUPPORT DOES NOT HAVE THE TECHNICAL CAPABILITY TO RECOVER WALLET PASSWORDS, REVERSE TRANSACTIONS, OR REFUND LOST AMOUNTS, AS WE DO NOT HOLD CUSTODY OF THE FUNDS. USER RISK: BY ACCEPTING THESE TERMS, YOU FULLY ASSUME THE TECHNOLOGICAL RISK OF SELF-CUSTODY AND RELEASE PICNIC FROM ANY LIABILITY FOR LOSS OF ACCESS TO YOUR DIGITAL WALLET. By registering or connecting your wallet for the use of PICNIC's graphical interface (the “Site” or “App”), you agree that you have read, understood, and accept all the terms and conditions contained in this Agreement, including our Privacy and Compliance Policies, which are an integral part of these Terms of Use. INFRASTRUCTURE PARTNERS AND THIRD-PARTY SERVICES: By accepting these Terms of Use and using the products and features made available through Picnic software, you acknowledge and agree that certain operations are enabled by external infrastructure partners. Thus, by using specific services, you declare that you are aware of and fully agree with the terms of use of our partners, including but not limited to: - Asset Conversion: Operations of converting crypto assets to fiat currency and vice versa; - Picnic Card: Use of the physical or virtual card; - Custody and Settlement: Other payment processing services and network infrastructure. Continued use of these features implies automatic acceptance of the conditions established by such partners, over which Picnic has no direct control. The operation of on-ramps and off-ramps is the sole responsibility of the respective third-party companies, with Picnic being exempt from any liability in this regard. 1. ELIGIBILITY AND JURISDICTIONAL SCOPE 1.1. Nature of Software and Location. The User acknowledges that PICNIC is a self-custodial and distributed technology software. Unlike traditional institutions, PICNIC software is not “located” or based in a single physical jurisdiction but operates through decentralized cloud infrastructure and runs locally on the User's device and on the public blockchain network. 1.2. Due to its global nature, PICNIC is not necessarily subject to the governing laws of a specific country, except regarding the direct obligations of its developers. (A) Local Compliance: This does not imply legal immunity. PICNIC complies with all applicable regulations to its operational model in the countries where it operates. The User is responsible for ensuring that access and use of the Platform are permitted by the laws of the jurisdiction where the User resides, is domiciled, or from which they access the services. (B) Illegal Use: It is strictly prohibited to use PICNIC software for purposes considered illegal in the User's jurisdiction or under international norms, including but not limited to: money laundering, currency evasion, terrorism financing, fraud, or purchasing illegal goods. 1.3. Anti-Money Laundering (AML) and Control. Although PICNIC is a technology provider and not a financial custodian, we maintain our own monitoring and control policies and tools to prevent the use of the tool for illicit purposes (Anti-Money Laundering – AML and Combating the Financing of Terrorism – CFT), further detailed in appendix 2 - compliance policy. Shared Responsibility: The existence of these internal control tools at PICNIC does not transfer legal responsibility to the company, nor does it exempt the User from their civil and criminal obligations. The User must cooperate with the proper use of the Platform by providing truthful information when requested. 1.4. The legal relationship established between the user and Picnic is a software use license, where the technological tool allows the user to exercise their financial sovereignty, maintaining exclusive control over their private keys and the final execution of any transaction. Technologically, PICNIC operates under a non-custodial software architecture. This means that our platform acts strictly as a graphical interface for interaction with the Blockchain, never intermediating or holding possession of the assets. 1.5. "Trader" Status – European Union (DSA). For the exclusive purpose of complying with Regulation (EU) 2022/2065 (Digital Services Act - DSA) and applicable consumer protection standards in the European Union: (A) PICNIC declares itself as a "Trader" strictly in the sense of a technology tool and digital software provider. (B) This designation SHOULD NOT be interpreted as a statement that PICNIC acts as a financial intermediary, broker, or payment service provider. The "product" marketed by PICNIC is the license to use the interface and the aggregated technology services, not the purchase and sale of financial assets, which occurs directly between the User and the blockchain network. 2. SERVICES 2.1. Nature of Services: Technology Provider. PICNIC acts exclusively as a Technology Services provider, offering users a software use license (the “Platform”) intended to facilitate the user's direct interaction with decentralized blockchain networks. By using PICNIC, the user expressly acknowledges and agrees that: (A) PICNIC only provides the software infrastructure and digital tools that allow the visualization, reading, and transmission of instructions directly to the blockchain; (B) PICNIC does not hold, store, keep, process, or control the user's Virtual Assets at any time; and (C) All transactions are executed directly by the user on the respective blockchain network, without any intervention, approval, or financial settlement by PICNIC. 2.2. Absence of Financial Management or Brokerage. Unlike centralized exchanges, PICNIC DOES NOT buy, sell, or transfer virtual assets on behalf of third parties. To avoid doubt, it is established that: (i) Strictly Technological Role: PICNIC does not acquire or sell assets on its own behalf for the user; (ii) Absence of Powers: PICNIC does not have the power to represent the user or make decisions about their assets; (iii) Direct Relationship: The user transacts directly with the decentralized protocol or with other network users (P2P/DeFi), with PICNIC only providing the connection software; (iv) Self-Custody: PICNIC does not hold possession of private keys or user funds. The responsibility for safeguarding access credentials and private keys is solely the user's. 2.3. The PICNIC Platform functions as an access portal (“Gateway”) that translates the user's commands into a language compatible with the blockchain. Thus: (i) The user connects their own wallet or generates new access credentials through the provided technology; (ii) The user signs transactions with their own private key; (iii) PICNIC only transmits this signed transaction to the public blockchain network for processing by network validators. Additionally, the User understands that the "PICNIC Interface" (the web/app software) is distinct from the underlying "Decentralized Protocols" (the Smart Contracts running on the Blockchain). (A) PICNIC provides the Interface, which is only a visual tool. (B) PICNIC does not control, operate, or can halt the Decentralized Protocols with which the Interface interacts. If there is a failure in the Protocol (e.g., calculation error in the Pool's Smart Contract), PICNIC is not responsible, as it is not the owner of the decentralized network. 2.4. Since PICNIC only provides Technology Services and not financial settlement: (A) PICNIC does not guarantee the execution, settlement, or immutability of transactions, which depend solely on the functioning of the underlying blockchain network; (B) PICNIC does not have the technical capability to reverse, cancel, or modify transactions once they have been transmitted by the user to the blockchain network; (C) Network fees (“Gas Fees”) are paid directly by the user to the network validators, not constituting revenue for PICNIC. 2.5. Integrations, Web3 Browser, and Third-Party Services. The PICNIC interface may include virtual asset browser functionalities (“Web3 Browser”) or direct links that allow the user to access Decentralized Applications (“dApps”) and Decentralized Exchanges (“DEXs”) operated by third parties. (A) Browser Nature: By using the Web3 Browser, the user understands that they are navigating outside the environment controlled by PICNIC. The software acts only as a connection bridge. PICNIC does not control, endorse, audit, or guarantee the security, legitimacy, or functionality of any dApp or DEX accessed. (B) If the user interacts with a malicious dApp, falls for phishing scams, or suffers losses due to failures in third-party smart contracts accessed via the PICNIC interface, the responsibility is solely the user's. PICNIC has no power to reverse such interactions. 2.6. Additional Services. In addition to the main Technology Services, PICNIC may develop and provide additional functionalities or integrations with third-party systems (the “Additional Services”), aiming to expand the Platform's utility. 2.6.1. The PICNIC Card and Partnerships. If the user chooses to use functionalities such as the debit or prepaid card integrated into the Platform (the “PICNIC Card”): (A) Issuance by Third Parties: The user acknowledges that the card is issued and managed by a partner financial or payment institution, duly regulated, and not by PICNIC. (B) Technological Connection: PICNIC's role is limited to providing the technology that allows the user to connect their self-custodial wallet to the partner issuer's system. (C) Subject to Third-Party Terms: The use of Additional Services requires the user to accept the terms and conditions of the partner issuers. 2.7. Fees and Compensation. For the use of the Platform and Additional Services, PICNIC may charge software or service licensing fees, which will always be transparently presented on the Platform. (A) Fee Distinction: The user acknowledges that the fees charged by PICNIC (for the use of Technology Services) are distinct from network fees (Gas Fees) and distinct from any financial fees charged by third-party partners. (B) Responsibility: The user agrees to be responsible for paying all applicable fees presented on the Platform at the time of the transaction. 2.8. Absence of Fiduciary Duty. This Agreement is not intended to create, and does not create, any fiduciary duties on the part of PICNIC to the User. To the maximum extent permitted by law, the User acknowledges and agrees that PICNIC owes no loyalty, financial care duty, or asset management to the User. Our only obligations are the strictly technical ones described in these Terms (software provision). 2.9. Price Routing and Execution. PICNIC's smart routing technology seeks to find efficient routes for User swaps. However: (A) Due to the volatility and speed of the Blockchain, PICNIC does not guarantee that the price displayed in the simulation will be exactly the executed price, nor that it will be the best price available in the global market at that millisecond. (B) The User acknowledges that the final price may vary between the time of signing and the time of the transaction. 3. ACCOUNT SETUP AND IDENTITY 3.1. Access Account Registration. To use PICNIC's Technology Services, it may be necessary to register a user profile on the Platform (a “PICNIC Account”). Registration involves providing data such as name, email address, and creating access credentials to the software. 3.1.1. Nature of the Account. The PICNIC Account is intended exclusively to: (i) manage software settings; (ii) allow technological access to Additional Services; and (iii) store activity history. The PICNIC Account is not a bank, payment, or deposit account. Creating the PICNIC Account does not imply, under any circumstances, the transfer of the user's asset ownership to PICNIC. 3.2. Identity Verification (KYC) for Software Security. Although PICNIC acts strictly as a Technology Provider, the security of the digital environment and compliance with global standards require user identification, especially to enable integrations with regulated partners (e.g., card issuers). Thus, the user agrees to provide the requested information for identity verification, risk analysis, and anti-money laundering policies (KYC / AML). 3.2.1. Use of Information. The user authorizes PICNIC to use their data to validate their identity and, when the user chooses to use the PICNIC Card, to share such data with partner financial institutions, strictly to enable the service provision by the partner. 3.3. Account Password vs. Private Key. It is essential that the user understands the difference between PICNIC Account credentials and their Wallet credentials: (A) PICNIC Account Credentials: (Login/Password). Allow access to the software/application. (B) Private Key or Recovery Phrase (Seed Phrase): These are the mathematical codes that control the Virtual Assets on the blockchain. PICNIC DOES NOT HAVE ACCESS, DOES NOT STORE, AND CANNOT RECOVER YOUR PRIVATE KEY. PICNIC's operational model is self-custodial. If the user loses their Private Key, they will lose access to their assets, without PICNIC being able to intervene. The use of the platform and the technology services provided implies full and unrestricted awareness of this aspect of the technology provided. 4. TRANSACTIONS AND INTERACTION WITH THE BLOCKCHAIN 4.1. The technology provided by PICNIC allows the user to manage their own funds and interact directly with public blockchain networks. By initiating a transaction through the Platform (whether sending, receiving, swapping, or interacting with smart contracts), the user acknowledges that: (A) The transaction is signed exclusively by the user's Private Key, stored locally on the user's device (or in a personal encrypted cloud solution), without PICNIC having access to this signature; (B) PICNIC does not act as a counterparty in the transaction. The purchase and sale occur between the user and decentralized protocols (Smart Contracts) or other network users (P2P); (C) PICNIC software acts only as a transmitter of the message signed by the user to the blockchain network nodes. 4.2. Integration with Fiat Currency (Fiat On-Ramp/Off-Ramp). PICNIC does not receive, hold, or process fiat currency (Reais, Dollars, etc.). To facilitate the conversion between fiat currency and Virtual Assets, the Platform may technologically integrate services provided by third parties (“Liquidity Partners”). (A) By choosing to buy or sell crypto assets using Reais (BRL), the user establishes a direct contractual relationship with the Liquidity Partner. (B) PICNIC only provides the viewing window (widget) for access to the Partner's service. The financial settlement, exchange, and regulatory compliance of this operation are the sole responsibility of the Liquidity Partner. (C) The user understands that any bank transfer made to a Liquidity Partner is intended for the purchase of digital assets that will be delivered directly to the user's self-custodial wallet address, without passing through PICNIC's possession. 4.3. Unlike traditional banking systems or centralized exchanges, blockchain transactions are, by nature, irreversible. (A) Once the user signs and transmits a transaction through PICNIC technology to the network, it cannot be canceled, reversed, or modified. PICNIC does not have the technical capability to refund transactions, even in cases of error, theft, or fraud. (B) It is the user's sole responsibility to verify the destination address, selected network, and amounts before signing the transaction. 4.4. Network Fees (Gas Fees) and Service Fees. (A) Network Fees (Miners/Validators): Every transaction on the blockchain incurs a processing fee (Gas Fee) paid to the network validators. The User acknowledges that PICNIC may, at its sole discretion and for greater convenience, facilitate the payment of this fee through fee abstraction mechanisms. In these cases, PICNIC may advance the payment of the network fee on behalf of the User, being fully reimbursed by retaining the corresponding amount in the token used in the transaction. (B) Fee Independence: In cases where the facilitation mentioned in item (A) does not occur, the fee fluctuates according to network demand and is not defined or controlled by PICNIC. (C) Technology Fees: For using the technological solution that facilitates interaction (such as smart swap routing or fee payment convenience), PICNIC may charge a service fee, which will be added to the transaction and clearly displayed to the User before signing. 4.5. As a non-custodial wallet, the user's address on the blockchain can technically receive any asset compatible with that network. However, PICNIC's Platform filters and displays only a selected list of Virtual Assets (“Viewable Assets”) to ensure a better user experience and security. (A) Sending Unlisted Assets: If the user sends an asset to their address that is not visually supported by PICNIC software, the asset is not lost (as it is on the blockchain) but may not appear in the graphical interface. The user may need to import their Recovery Phrase into another compatible software to view/move that asset. (B) Support Termination: PICNIC may stop displaying certain assets in the interface at any time. This does not affect the user's ownership of the asset, only the visualization through PICNIC's tool. 4.6. Specific Risks of DeFi Protocols and DEXs. PICNIC technology allows access to Decentralized Finance (DeFi) protocols and DEXs for asset exchange or liquidity provision. Unlike centralized exchanges that curate listed assets, DEXs are open environments. (A) High-Risk Assets: The user acknowledges that DEXs and dApps may list assets without any prior verification. This includes assets with high illiquidity risk, extreme volatility, lock-up risk, or fraudulent tokens (scam tokens/rug pulls). It is the user's sole responsibility to verify the asset's contract address before trading. (B) Third-Party Prices and Fees: The user may incur fees imposed by the dApps or DEXs themselves (in addition to network fees). PICNIC does not receive or control these third-party fees. 4.7. Blockchain networks may undergo protocol changes (“Forks” or splits). PICNIC does not control these changes. (A) Discretion: PICNIC reserves the right to decide whether to update its software to support a specific Fork. (B) No Obligation: PICNIC is not obligated to support new chains resulting from forks, nor to ensure that the user receives tokens generated in forks (Fork airdrops). 4.8. (A) All Virtual Assets associated with the user's wallet address are the exclusive property and direct possession of the user. (B) PICNIC DOES NOT hold, store title, have custody, or manage the user's assets. The assets are not on PICNIC's balance sheet. (C) Only the Private Key holder (the user) can move the assets. PICNIC has no technical means to freeze, seize, or move the user's funds, even under judicial request (as the technology does not allow such access). 4.9. Since PICNIC does not have access to private keys, PICNIC cannot recover wallets whose passwords or Recovery Phrases have been lost by the user. Backup management is the user's sole responsibility. 4.10. It is strictly prohibited to use PICNIC's interface to perform or attempt to perform: (A) Market Manipulation: Practices that violate market integrity, including but not limited to tactics known as Rug Pulls, Pump and Dump, and Wash Trading; (B) Cyber Attacks: Any activity that seeks to interfere, intercept, or compromise the integrity of Smart Contracts, including reentrancy attacks, malicious front-running, or protocol bug exploitation; (C) Securities Violation: Offering or trading assets that may be characterized as unregistered securities or prohibited derivatives in the User's jurisdiction. 5. OPERATIONAL LIMITS OF THE SOFTWARE 5.1. The use of PICNIC's Technology Services and, in particular, the Additional Services (such as fiat currency conversion or use of the PICNIC Card), is subject to operational limits. Such limits may restrict the financial volume, transaction frequency, or access to certain Platform functionalities within a given period. 5.2. The limits are established based on security criteria, fraud prevention, and regulatory compliance, and may vary according to: (i) The level of Identity Verification (KYC) completed by the user; (ii) The requirements imposed by operational partners and card issuers; (iii) The software usage history and risk assessment. 6. SUSPENSION AND TERMINATION OF ACCESS 6.1. Without prejudice to other rights provided in these Terms, PICNIC, as the software license provider, may: (A) Refuse to process or transmit any technical instruction from the user to the blockchain network (for example, if the transaction is identified as malicious, fraudulent, or intended for internationally sanctioned addresses); (B) Temporarily or permanently block the user's login to the PICNIC Platform; (C) Restrict access to specific Additional Services (such as suspending the use of the PICNIC Card) without necessarily blocking wallet viewing access. 6.2. Reasons for Suspension or Termination. Such measures may be taken, including with immediate effect, if: (i) The user violates any provision of these Terms; (ii) There is reasonable suspicion that the PICNIC Account is being used for illicit activities, money laundering, fraud, or currency evasion; (iii) A judicial or competent authority order requires blocking access to the software; (iv) The user's use of the technology jeopardizes the technical stability of the Platform. Any suspension or termination of the user's account on the PICNIC platform does not grant PICNIC the ability to access or transfer the user's funds. The user's wallet remains accessible on the blockchain through other platforms. 6.3. Consequences of Termination/Suspension: Since PICNIC does not hold custody of the assets, terminating access to the Platform does not imply confiscation of the assets on the blockchain, provided the user has their self-custody credentials. (A) If PICNIC terminates the user's access to the software, the user can access and move their Virtual Assets using their Private Key or Recovery Phrase in any other compatible wallet software available on the market (e.g., hardware wallets or other open-source applications). (B) Termination of the PICNIC Account will result in the loss of access to transaction history, personalized settings, and data stored on PICNIC's servers, but will not affect the immutable record of transactions on the blockchain. (C) If the user has outstanding financial obligations related to Additional Services (e.g., card debt or unpaid service fees), the user remains legally obligated to settle them, even after access suspension. 6.4. Irreversibility. The user acknowledges that, due to the immutable nature of the blockchain, PICNIC does not have the technical capability to reverse, cancel, or refund transactions that have already been transmitted to the network, even in cases of account suspension. The suspension of the service only prevents the initiation of new transactions through the PICNIC interface. 6.5. Whenever possible and provided it does not violate applicable laws or compromise security investigations, PICNIC will notify the user about the suspension or termination of access, presenting the general reasons for the decision. 6.6. PICNIC may, at its sole discretion, discontinue, modify, or alter the Platform's architecture or any Technology Service at any time. In the event of a complete discontinuation of PICNIC's operations, the user will continue to have full control over their assets through their Recovery Phrase, regardless of the existence of the PICNIC platform, reinforcing the uncensorable nature of self-custody. 7. LIABILITY AND LIMITATIONS 7.1. If the user has a dispute with third parties, including but not limited to: (i) other users; (ii) smart contract developers; (iii) token issuers; (iv) liquidity partners or card issuers; (v) blockchain network validators, (vi) hackers, the user expressly agrees to hold PICNIC, its directors, and employees harmless from any claims, demands, and damages of any kind arising from or related to such disputes. PICNIC only provides the access tool (interface); it is not a party to transactions conducted on the blockchain. 7.2. The user agrees to indemnify and hold harmless PICNIC and its technology partners against any costs, losses, liabilities, and expenses (including reasonable attorney fees) arising from: (A) Misuse of Technology Services or violation of these Terms by the user; (B) Violation of any applicable law or regulation by the user. 7.3. Financial Liability Limitation (Indemnity Cap). CONSIDERING THAT PICNIC IS A SOFTWARE PROVIDER AND NOT AN ASSET CUSTODIAN: Except in cases of proven willful misconduct or gross negligence, PICNIC's total and cumulative liability for any damages or losses suffered by the user will be strictly limited to the total amount of service fees paid by the user to PICNIC (excluding gas fees and partner fees) in the 12 (twelve) months preceding the event giving rise to the claim. Under no circumstances will PICNIC's liability be calculated based on the value of Virtual Assets held by the user on the blockchain, as PICNIC does not hold possession or control of such assets. 7.4. Specific Exclusion of Damages (Technology Risks). In addition to the above limitations, PICNIC WILL NOT be liable for losses arising from: (A) Key Loss: Loss, theft, forgetting, or compromise of the user's Recovery Phrase, Private Key, or passwords. PICNIC does not have copies of these data and cannot recover them; (B) Blockchain Failures: Network congestion, high transaction fees, consensus failures, 51% attacks, or bugs in the underlying blockchain protocol; (C) User Errors: Sending assets to incorrect addresses, incompatible networks, or interacting with malicious contracts (Honeypots, Phishing); (D) Third-Party Risks: Bankruptcy, insolvency, or technical failures of Liquidity Partners, card issuers, or DeFi protocols accessed through the interface; (E) Lost Profits: Loss of profit opportunity, loss of expected revenue, or losses due to market volatility. 7.5. PICNIC's Technology Services are provided "as is" and "as available." (A) PICNIC does not guarantee that transactions transmitted to the blockchain will be mined/validated in time or at a specific cost. (B) No information displayed on the Platform constitutes investment advice, legal advice, or tax advice. The user operates at their own risk. (C) Like all software, PICNIC's Platform may contain bugs or experience instabilities. PICNIC does not guarantee that the service will be uninterrupted or error-free, although it makes its best efforts to promptly correct failures. 7.6. No Profit Guarantee. The User acknowledges and accepts that any yield functionality available on the Platform is based on interactions with third-party decentralized protocols and variable digital assets. PICNIC does not guarantee, under any circumstances, any profit, fixed return, or specific financial return. 7.7. Any return rates displayed on the interface are mere estimates based on historical or real-time data from underlying protocols and may undergo drastic and immediate variations due to market volatility, changes in DeFi protocol rules, or blockchain network conditions. The final return may be significantly lower than estimated, and may even be zero or negative. 7.8. By using any yield strategy, the User declares to be fully aware that: (A) Autonomous Decision: The choice of asset and strategy is the sole responsibility of the User; (B) Market Risks: The value of underlying assets may drop drastically, impacting the total invested value, regardless of the yield generated; (C) Technological Risks: The User accepts the risks of bugs, cyber attacks, or loss of parity (de-peg) of stablecoins in the protocols where the assets are allocated. 7.9. PICNIC, as a software provider, does not act as an investment advisor or asset manager. The User holds PICNIC harmless from any financial losses, direct or indirect damages arising from price variations or the performance of assets chosen within the platform. 7.10. Force Majeure and Network Events. PICNIC will not be liable for delays or failures in fulfilling its obligations due to events beyond its reasonable control, including but not limited to: governmental acts, wars, terrorism, pandemics, failures in the global internet infrastructure, or critical blockchain network events (such as contentious forks or network halts). 8. AVAILABILITY AND ACCURACY OF TECHNOLOGY SERVICES 8.1. Software Access and Availability. Access to PICNIC's Technology Services may experience degradations, slowdowns, or temporary unavailability due to technical maintenance, third-party server failures, or periods of high congestion on supported blockchain networks. (A) Although PICNIC is dedicated to maintaining Platform stability, we do not guarantee that the technological solution will be available uninterrupted or error-free. (B) The user acknowledges that delays in transaction confirmation or order transmission failures may occur due to instabilities in the blockchain network itself (miners/validators), factors entirely beyond PICNIC's technical control. (C) PICNIC emphasizes that, due to the non-custodial nature of the services, any unavailability of the PICNIC Platform DOES NOT prevent the user from accessing their Virtual Assets. If PICNIC software is unavailable, the user can, at any time, use their Recovery Phrase or Private Key to access and move their funds through other compatible software or wallets available on the market. For this reason, PICNIC will not be liable for any damages, loss of opportunity, or asset devaluation resulting from the temporary inability to use the Platform, as access to assets on the blockchain is independent of PICNIC software availability. 8.2. Accuracy of Information and Network Data. PICNIC's Platform acts as a viewer of public data recorded on the blockchain and third-party price sources (Oracles or market APIs). (A) Although PICNIC seeks to present information (such as balances, history, and quotes) accurately and up-to-date, there may be latency (delay) between the data being recorded on the blockchain and its visualization on the Platform. (B) The user acknowledges that the "source of truth" about their balances and transactions is the immutable record on the blockchain network, not the cached view presented by PICNIC software. In case of discrepancy, blockchain network data prevails. (C) The Virtual Asset price quotes displayed are estimates based on third-party data. PICNIC does not guarantee the accuracy of these quotes and is not responsible for purchase or sale decisions made by the user based on this visual information. 8.3. Third-Party Content and Links. The Platform may display links, news, or integrations with third-party services (including block explorers, DeFi protocols, and liquidity partners). The user acknowledges and agrees that PICNIC does not control, endorse, or assume responsibility for the content, accuracy, policies, or practices of these third-party services. Access to such external resources is entirely at the user's responsibility and risk. 9. PROMOTIONAL CAMPAIGNS, BONUSES, AND REWARDS 9.1. PICNIC may, at its sole discretion, offer promotions, referral programs, sign-up bonuses, or other rewards ("Promotions"). The User's participation in any Promotions is conditioned on acceptance and compliance with the specific terms of each campaign, as well as eligibility rules, regional restrictions, and account verification in effect at the time of participation. 9.2. PICNIC reserves the right to modify, suspend, or terminate any Promotion at any time without prior notice, as well as change eligibility criteria or reward values, not granting the User any acquired rights over future bonuses or discontinued campaigns. 9.3. PICNIC reserves the right to disqualify the User, block the account, and revoke, refund, or cancel any rewards (even if already credited) if it identifies, at its sole discretion, but not limited to: a) Creation of multiple accounts or use of false data; b) Use of robotic means, emulators, VPNs to bypass geographic restrictions, or automation scripts; c) Self-referral or collusion between accounts to manipulate the reward system; d) Any violation of the acceptable use policy or suspicion of fraud. 9.4. The User acknowledges that rewards paid in crypto assets are subject to market volatility. PICNIC is not responsible for value fluctuations, technical failures that prevent immediate participation, or manifest material errors in bonus configuration, reserving the right to correct such failures and adjust balances as necessary. 10. CUSTOMER SERVICE, FEEDBACK, AND DISPUTE RESOLUTION 10.1. If the user has questions, suggestions, feedback, or encounters technical difficulties using the Platform, they should contact PICNIC's Technical Support team via email at oi@usepicnic.com or through the official channels indicated on the usepicnic.com page. For the purpose of receiving legal notices or formal extrajudicial notifications, PICNIC indicates the following physical/electronic address: legal@usepicnic.com 10.2. Scope of Support and Limitations. The user acknowledges that the support offered by PICNIC is strictly limited to the functioning of the technology and software interface. (A) What we support: Login issues on the PICNIC Account, display errors in the app, difficulties integrating with partner services (Card), and interface bugs. (B) What we CANNOT support: PICNIC support does not have the technical means to recover funds sent to wrong addresses, reverse transactions on the blockchain, recover Private Keys lost by the user, or accelerate pending transactions on the network. Complaints of this nature will be technically impossible to be resolved by PICNIC. 10.3. Amicable Dispute Resolution. Except where prohibited by applicable law, before initiating any legal or administrative proceedings against PICNIC, the user agrees to first contact our support team to try to resolve the issue amicably. The user agrees to grant PICNIC a period of up to 30 (thirty) days, from the formal receipt of the complaint with all necessary information, to analyze the case and propose a technical solution or clarification. If the user initiates a dispute without first exhausting this amicable resolution attempt, PICNIC reserves the right to request the suspension of the process until the support procedure is completed. 10.4. These Terms are governed by the laws of the British Virgin Islands. 11. DATA PROTECTION AND PRIVACY 11.1. Personal Data Processing. By using PICNIC's Technology Services, the user acknowledges that PICNIC may collect and process personal data, in accordance with PICNIC's Privacy Policy, which is an integral part of these Terms. Data processing is carried out for the purposes of: (i) Providing the software use license and personalizing the user experience; (ii) Complying with legal and regulatory obligations (including fraud and money laundering prevention); (iii) Enabling integration with Additional Services (such as fiat currency conversion or PICNIC Card issuance with banking partners). 11.2. Data on the Blockchain (Public Data). The user understands and accepts a fundamental characteristic of blockchain technology: Transparency and Immutability. By conducting a transaction through PICNIC's interface, the user's public wallet address and transaction details are permanently recorded on the blockchain. (A) Public Data: These data are public, decentralized, and not controlled or stored on PICNIC's servers. (B) Impossibility of Deletion: The user acknowledges that PICNIC does not have the technical capability to alter, anonymize, or delete data that has already been recorded on the blockchain. Therefore, rights of deletion or forgetting provided by data protection legislation do not apply to immutable blockchain records, but only to data maintained in PICNIC's internal databases (such as email and name registration). 11.3. Sharing with Partners. For the provision of Additional Services (especially connected financial services, such as the PICNIC Card), the user authorizes PICNIC to share their registration and identification data with partner institutions (card issuers, banks, or liquidity partners), strictly for the execution of the contract and compliance with regulatory norms (Compliance) of these institutions. 11.4. User Declarations. The user declares that all information provided to PICNIC is true and current. The user undertakes to keep their data updated on the Platform and acknowledges that reading and accepting the Privacy Policy is an indispensable condition for using the services. 12. USER SECURITY AND PROTECTION 12.1. Responsibility for Credentials and Devices. To use PICNIC software, the user must create access credentials to the Platform (Login and Password). The user is solely and fully responsible for the security of their electronic device and for maintaining proper control of their security data. 12.2. Critical Security Distinction (App vs. Blockchain). The user must understand the difference between two levels of security: (A) PICNIC Account Security: Refers to access to the application interface. PICNIC can assist in recovering the app password (password reset via email) if the user forgets it. (B) Wallet Security (Self-Custody): Refers to the Private Key or Recovery Phrase that controls the funds on the Blockchain. PICNIC NEVER requests, stores, or has access to your Private Key. ATTENTION: If the user loses, forgets, or has their Private Key/Seed Phrase stolen, PICNIC CANNOT recover access to the funds or reverse transactions. The security of the Private Key is the user's sole responsibility. 12.3. Phishing and Scam Prevention. Picnic is not responsible for damages resulting from accessing external links, third-party advertisements (in search engines or social networks), or fraudulent sites that simulate the official service interface. It is the User's duty to verify the authenticity of the URL and ensure they are in the official environment before entering any data or conducting transactions. 12.4. Security Breach. If the user suspects that their PICNIC Account (app access) has been compromised: (A) The user must IMMEDIATELY notify PICNIC Support for temporary access blocking to the interface; (B) The user must IMMEDIATELY use their Recovery Phrase in another secure interface to transfer their funds to a new secure wallet, as PICNIC does not have the power to "freeze" funds on the blockchain. 12.5. Picnic declares that it adopts technical, organizational, and administrative information security measures strictly aligned with the standards required by the General Data Protection Law (Law No. 13.709/2018 - LGPD) and applicable regulatory norms. These measures aim to protect personal data against unauthorized access and accidental or unlawful situations of destruction, loss, or alteration. 13. INTEGRATION WITH NOAH SERVICES 13.1. By using the fiat-to-crypto conversion functionalities available on the platform, the User acknowledges and agrees that these services are provided directly by Noah Savings Inc. ("Noah") and its banking partners, and not by Picnic. Thus: 13.2. Acceptance of Third-Party Terms: To use these services, the User automatically adheres to and must observe Noah's Terms of Service and Privacy Policy. 13.3. Data Sharing: The User authorizes Picnic to share their registration data, KYC (Know Your Customer) information, and wallet details with Noah for identity validation and anti-money laundering prevention purposes, as required by applicable regulation. 13.4. Geographic Restrictions and Sanctions: The service is not available to Users residing, citizens, or attempting to access the platform from jurisdictions classified as "Prohibited Countries" by Noah. The User declares not to have any connection with the following locations: Afghanistan, Albania, Algeria, Bangladesh, Belarus, Qatar, China, Democratic Republic of the Congo, North Korea, Cuba, Eritrea, Ethiopia, Gaza Strip, Yemen, Iran, Iraq, Kosovo, Lebanon, Libya, North Macedonia, Mali, Morocco, Myanmar, Nepal, Nicaragua, Niger, Pakistan, Central African Republic, Russia, Syria, Somalia, Sudan, South Sudan, Ukraine, Venezuela, West Bank, and Zimbabwe. 13.5. Limitation of Liability: Picnic acts only as a technological integrator. Any failure, delay, custody of funds, or dispute related to currency conversion or financial settlement is the sole responsibility of Noah, with Picnic being exempt from liability for losses arising from these specific services. 14. PASSKEYS 14.1 Starting April 6, 2026, the use of passkeys is mandatory for all accounts created with email on Picnic. Accounts created with an external wallet remain under the original access conditions and are not affected by this Clause. 14.2. The Passkey is generated and stored exclusively on the User's secure device hardware. Picnic does not have access to the User's Private Key under any circumstances and cannot request it. Picnic only stores the Public Key, necessary to verify the authenticity of signatures. 14.3. The passkeys implemented by Picnic follow the WebAuthn (FIDO2) standard, the same adopted by Apple, Google, and Microsoft for passwordless authentication. Biometric authentication occurs locally on the user's device. No biometric data is transmitted to Picnic or third parties. 14.4. Each transaction requires individual and direct biometric approval by the User on their device. There is no persistent session. Each action requires confirmation at the time it is performed. 14.5. By design of the WebAuthn standard, the User's Passkey is linked to the origin usepicnic.com. The Passkey will not work on any other domain or application, even if visually identical to Picnic. Picnic will never ask the User to provide, export, or share their Passkey or any biometric data. ℹ Biometric authentication (Face ID, Touch ID, fingerprint) occurs locally on your device. Your biometric data is never sent to Picnic, the blockchain, or any third party. What the network receives is only the cryptographic signature produced by your device. 14.6. USER RESPONSIBILITIES: 14.6.1. The User is solely responsible for the custody, security, and control of the device on which the Passkey is stored. Picnic has no responsibility for losses resulting from theft, loss, unauthorized access, or compromise of the User's device. 14.6.2 The User is responsible for controlling who has access to the biometrics registered on their device. Anyone whose face or fingerprint is registered on the User's device can authenticate transactions on Picnic. Picnic has no means of distinguishing between the User and authorized third parties on the device. 14.6.3 The User is responsible for managing their account in the Passkey Manager of the platform they use (Apple ID, Google account, or compatible manager). The synchronization of the Passkey between devices is a third-party functionality over which Picnic has no control. 14.6.4 The User is strongly encouraged to set up their Passkey before April 6, 2026. After this date, account access will be conditioned on the completion of the setup. The assets remain secure on the blockchain independently, but access to the Picnic interface will require the active Passkey. 14.6.5 The User is responsible for monitoring notifications sent by Picnic during the Protection Period of a recovery. Picnic will send daily notifications during the 7 days of the Protection Period. The User must immediately cancel any recovery they did not initiate. 14.6.6 The User acknowledges and accepts that the Passkey is the only transaction authorization mechanism in their Smart Wallet. The definitive loss of access to the Passkey without recovery possibility through the Recovery Guard implies the permanent loss of access to the assets. Picnic cannot intervene in this situation. USER RESPONSIBILITY: You are the sole guardian of your Passkey. Picnic cannot recover your access outside the process described in Clause 14.6. If you lose your device and your Recovery Guard at the same time, without access to the Passkey Manager, access to your assets may be permanently lost. 14.7. TECHNICAL LIMITATIONS AND PICNIC'S DISCLAIMER. 14.7.1. Picnic does not have access, does not store, and cannot recover the User's Private Key under any circumstances. This is a structural technical component, not an operational policy. 14.7.2 Picnic has no control over third-party Passkey Managers (Apple, Google, 1Password, Bitwarden, or others). Picnic is not responsible for failures, unavailability, policy changes, or discontinuation of these services that affect the User's access to their Passkey. 14.7.3 Picnic is not responsible for secure hardware failures (Secure Enclave or equivalent), operating system updates that affect the functioning of passkeys, or any other technical limitations of the User's devices. 14.7.4 Picnic is not responsible for transactions made by third parties who have gained access to the User's device, registered biometrics on the device, or the User's Passkey Manager, unless proven exclusive failure of Picnic. 14.8. ACCOUNT RECOVERY 14.8.1. The only account recovery mechanism available on Picnic is the process described in this Clause 14.8. Picnic does not offer any other recovery channel, whether through human support, administrative reset, or any other means. 14.8.2 The Recovery Guard is the Magic wallet previously linked to the User's email. After adopting passkeys, the Recovery Guard has no signing powers in the main transaction flow — it acts exclusively as a recovery mechanism in the social recovery module of the Smart Wallet. 14.8.3 To initiate a recovery, the User must: (i) Access Picnic on a new device; (ii) Authenticate with the email associated with the Account, activating the Recovery Guard; (iii) Register a new Passkey on the new device; (iv) Wait for the 7 (seven) calendar day Protection Period; (v) Confirm the activation of the new Passkey at the end of the Protection Period. 14.8.4 The 7-day Protection Period is a security protection and not an operational limitation. It exists to ensure that any unauthorized recovery attempt — such as an attempt by someone who has access to the User's email — can be detected and canceled by the legitimate User before being completed. 14.8.5 During the 7 days of the Protection Period, Picnic will send the User: (a) Immediate notification at the start of the recovery; (b) Daily reminder notifications while the process is active; (c) Final notification when the new Passkey is ready to be activated. 14.8.6 If the User receives notification of a recovery they did not initiate, they must cancel it immediately through the channel indicated in the notification. Picnic is not responsible for recoveries completed during the Protection Period where the User received notifications and did not take action to cancel. 14.8.7 If the User simultaneously loses: (a) access to the Passkey; (b) access to the Passkey Manager; and (c) access to the email associated with the Recovery Guard — account access may be permanently irrecoverable. The assets will remain on the blockchain, but there will be no technical mechanism available to authorize transactions. Picnic cannot intervene in this situation. CRITICAL ATTENTION: The email associated with your account is your safety net. Maintain access to it. If you lose your Passkey and email access at the same time, without recovery possibility via Passkey Manager, your assets may become permanently inaccessible. 14.9. DEVICE SYNCHRONIZATION. 14.9.1. Passkey synchronization between devices is a functionality provided exclusively by the User's Passkey Manager, not by Picnic. Picnic has no control over the synchronization process, its availability, or its technical requirements. 14.9.2 Picnic's passkey implementation is compatible with the following Passkey Managers, without guarantee of future availability or compatibility: (a) Apple iCloud Keychain — synchronization between Apple devices connected to the same Apple ID; (b) Google Password Manager — synchronization between Android devices and Chrome browsers connected to the same Google account; (c) WebAuthn-compatible password managers, including 1Password, Bitwarden, and Dashlane, among others; (d) Cross-platform authentication (mobile and computer) via QR Code and Bluetooth proximity. 14.9.3 In case of migration between ecosystems (e.g., from Android to iPhone), the Passkey may not be automatically transferred. In such cases, the User must use the recovery process described in Clause 14.8 to register a new Passkey on the new platform. 14.9.4 The User is responsible for ensuring that their Passkey synchronization is correctly configured on their devices. Picnic is not responsible for access failures resulting from improper configuration of the Passkey Manager. 14.10. TECHNOLOGICAL UPDATES AND CHANGES TO THE PASSKEY SYSTEM. 14.10.1. Picnic reserves the right to update, modify, or replace the passkey system described in this Clause 14 due to technological developments, security requirements, or regulatory changes, provided with adequate prior notice to the User. 14.10.2 Material changes to the authentication and signature system will be communicated to the User with a minimum of 30 (thirty) days' notice, except in cases of security urgency requiring immediate response. 14.10.3 Picnic commits to maintaining compatibility with the WebAuthn (FIDO2) standard as long as it remains the industry standard for passwordless authentication. Any change in technological standard will be communicated under the terms of Clause 14.10.2. 14.11 The User's use of the passkey functionality constitutes express acceptance of all the terms of this Clause 14, including the responsibilities assigned to the User and the limitations of Picnic's liability. 14.12. This Clause 14 should be read in conjunction with the other clauses of these Terms of Use, especially the clauses relating to Picnic's nature as a software interface, asset self-custody, and general liability limitations. 15. GENERAL PROVISIONS 15.1. The user agrees to use PICNIC's Technology Services in strict compliance with applicable laws, including anti-money laundering regulations. The user declares that the funds moved through the interface have a lawful origin. 15.2. All content, design, source code, logos, graphics, and interfaces provided by PICNIC (“Content”) are the exclusive property of PICNIC or its licensors. The use of the Platform grants the user only a limited, revocable, non-exclusive, and non-transferable license for personal use of the software. Copying, reverse engineering, or redistribution of the Content without express authorization is prohibited. 15.3. These Terms do not create any partnership, joint venture, mandate, franchise, or employment relationship between the user and PICNIC. 15.4. Tax Aspects. Due to the non-custodial nature, PICNIC does not withhold taxes at source on crypto asset transactions. The user is solely responsible for calculating, declaring, and collecting any taxes due on their capital gains from transactions facilitated by the Platform. PICNIC does not provide tax advice. 15.5. Inapplicability of "Unclaimed Property." Unlike banks or custodial exchanges, PICNIC does not hold possession of assets. Therefore, there is no "dormant account" or "unclaimed property" subject to appropriation or transfer to the State by PICNIC. If the user stops using the Platform for years, their assets will remain secure on the blockchain, accessible only by whoever holds the Private Key. 15.6. Succession and Death. PICNIC warns that due to blockchain encryption, it is not possible to transfer the deceased user's funds to heirs if they do not have the Recovery Phrase. (A) Account Access: Upon presentation of a valid Inventory or Judicial Order, PICNIC may transfer the PICNIC Account (login/access to the interface) to the executor or heir. (B) Fund Access: Transferring the login DOES NOT guarantee access to the funds if the deceased did not leave the Private Key/Password accessible to the heirs. PICNIC has no technical means to "break" the wallet's encryption to deliver values to the estate. It is the user's sole responsibility to carry out their digital succession planning. 15.7. Entire Agreement and Assignment. These Terms constitute the entire agreement between the parties. PICNIC may assign or transfer its rights and obligations under this contract (in case of merger, acquisition, or asset sale) without prior user consent, provided notification is given. 15.8. Changes to the Terms. PICNIC may change these Terms at any time. Changes will take effect on the date of their publication on the Platform. Continued use of the services after the change implies tacit acceptance. If the user does not agree, they must immediately cease using the interface. APPENDIX 1: COMMUNICATIONS AND NOTIFICATIONS POLICY 1. Considering the exclusively digital nature of the services provided by PICNIC, the user agrees and expressly authorizes the receipt of all communications, contracts, documents, legal notices, and disclosures (collectively, “Communications”) by electronic means. Communications may include, but are not limited to: (A) Terms and Policies: Updates to these Terms of Use, the Privacy Policy, and other security guidelines; (B) Account Activity: Confirmations of actions performed on the interface, viewed transaction history, security alerts, and receipts related to Additional Services (e.g., use of the PICNIC Card); (C) Legal Notices: Notifications required by tax, fiscal, or anti-money laundering regulations, when applicable to operations with partners; (D) Support: Responses to technical support requests and updates on maintenance status on the Platform. 1.1. Communications will be considered delivered and valid when: (i) published on the Platform or PICNIC's Site; (ii) sent to the email registered in the user's profile; (iii) sent via push notification in the mobile app; or (iv) transmitted via support chat or SMS. 2. PICNIC does not support communications via physical mail or paper. If the user revokes their authorization to receive electronic Communications, this will make the provision of Technology Services unfeasible. Consequently, PICNIC reserves the right to immediately terminate the user's access to the interface and the PICNIC Account, without prejudice to the user's right to continue accessing their assets directly on the blockchain (without using PICNIC software). 3. It is the user's sole responsibility to keep their email address and phone number updated and accessible. (A) The user understands and agrees that if PICNIC sends an electronic Communication to the email address on file, the communication will be considered received and delivered, even if: (i) the user's email is incorrect or outdated; (ii) the inbox is full; or (iii) the user's spam filter or firewall blocks the message. (B) The user can update their contact information at any time through the settings menu in the app or by contacting support through official channels. 4. Picnic communicates with the User exclusively through the official channels identified in the app and on the usepicnic.com site. Picnic will never ask the User, through any channel: (a) Export, share, or disclose their Passkey or Private Key; (b) Biometric data of any kind; (c) Transaction confirmation outside the official app; (d) Remote access to the User's device. 4.1. Any request received by the User — whether by email, message, social media, phone call, or any other channel — should be treated as an attempted fraud. The User should report it immediately to Picnic's official support. APPENDIX 2: COMPLIANCE POLICY 1. Although PICNIC is a non-custodial technology provider, we have an ethical and legal commitment to prevent our software from being used to facilitate illicit activities. Our policy is based on community protection and respect for global anti-money laundering (AML), combating the financing of terrorism (CFT), and economic sanctions norms. 2. PICNIC's operation is carried out through integration with licensed and regulated financial and payment infrastructure providers (including, but not limited to, electronic money issuers and fiat currency payment processors). PICNIC conducts rigorous due diligence on its suppliers ("Know Your Partner" or KYP), selecting exclusively partners that demonstrably adopt strict anti-money laundering (AML), combating the financing of terrorism (CFT), and fraud prevention controls, in compliance with global norms (including FATF/GAFI guidelines). 2.1. The User acknowledges and agrees that the PICNIC platform reflects, in real-time, the security policies and restrictions imposed by these infrastructure partners. Consequently, access to the interface or order execution may be automatically blocked or suspended in the following cases: (A) transaction execution will be prevented if the wallets or identities involved are flagged by our partners' monitoring systems as being on official sanctions lists. (B) access to services may be restricted if the User's IP address or tax residence originates from embargoed or high-risk jurisdictions classified by our partners. Using VPNs to circumvent such restrictions constitutes a serious violation of these terms. (C) transactions may be rejected if the blockchain analysis tools used by our settlement partners identify interaction with high-risk addresses. 2.2. Regardless of the automated restrictions above, PICNIC reserves the right to suspend, block, or terminate the User's account upon express request from any of its financial partners, resulting from suspicion of fraud, platform abuse, swindling, or scams. The merit analysis conducted by regulated partners will be considered valid and sufficient for decision-making by PICNIC. 3. SERVICES REQUIRING IDENTIFICATION (KYC). For functionalities that connect the crypto world to the traditional financial system (the "Additional Services"), such as the PICNIC Card, fiat-to-Crypto conversion, user identification is mandatory. In these cases: (A) The user must submit documents (photo of ID/CNPJ, selfie, etc.) directly to PICNIC's regulated partners. (B) If the partner refuses the user's registration for compliance reasons, PICNIC will automatically revoke access to that specific functionality in the app. 4. USER OBLIGATIONS. By using PICNIC software, you declare, under penalty of law, that: (A) You are not on any international sanctions or trade restriction list; (B) Your funds have a lawful origin and do not derive from criminal activities; (C) You will not use the platform to conceal assets, evade currency, or finance illegal activities. 5. CONSEQUENCES OF VIOLATION. If our systems identify a violation of this Policy or the Terms of Use, PICNIC will block access to our site and app. You will no longer be able to use our visual tool. PICNIC reserves the right to report suspicious activities to the competent authorities if illicit use of our technology is proven.

Privacy Policy - English

Last updated: February 12, 2026 This Privacy Policy ("Policy") describes the terms and conditions under which Defi Basket Labs ("We," "Us," "Company"), a company incorporated in the British Virgin Islands (BVI), processes information and data in relation to the Picnic platform. Clause 1. Nature of the Service Picnic is a decentralized software interface. By using Picnic, you acknowledge that we are solely technology providers facilitating your direct interaction with the blockchain. We do not have custody of your assets nor do we control or intermediate transactions executed on the network. This Policy must be read together with the Picnic Terms of Use. By accepting this Policy, you consent to the data processing necessary for the technological operation of the interface and acknowledge the automatic acceptance of the privacy policies of our infrastructure partners. Clause 2. Applicable Data Protection Laws Given the decentralized nature of Picnic’s software, which resides on blockchain infrastructure rather than centralized servers, the processing of your personal data shall be governed by the data protection laws applicable in the country where you, the user, are located at the time of access. We commit to observing the principles of the LGPD (Brazil), CCPA (United States), GDPR (European Union), and the BVI Data Protection Act (DPA), as geographically applicable. Clause 3. Categories of Data Collected 3.1 Data Collected Directly by Picnic Registration data: email address and telephone number. On-chain identifiers: public wallet address. Purpose: basic user identification, support communications, account security, and technical enablement of the interface to read balances and transaction history on the network. 3.2 Data Collected By or For Infrastructure Partners KYC and compliance data: full name, identification documents (ID card, tax ID, driver’s license or equivalent), proof of address, and facial biometric verification (selfie). Purpose: compliance with Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorism Financing obligations as required by infrastructure partners. Wallet integration: in certain cases, we share your specific wallet address for technical integration and asset settlement purposes. 3.3 Technical and Browsing Data Log data: IP address (processed temporarily for geofencing and security), device type, browser version, and operating system. Purpose: performance optimization, error debugging, and access restriction in sanctioned jurisdictions. Clause 4. Use of Data We use collected data to provide services by maintaining, customizing, and improving the interface and software; to ensure security and protection by detecting, investigating, and preventing fraudulent, unlawful, or unauthorized activities; to comply with legal obligations, governmental requests, and AML regulations; and to send communications such as legal notices, terms updates, security alerts, and technical support messages electronically. Clause 5. Data Sharing with Partners The user acknowledges and accepts that the sharing of personal and transactional data between Picnic and its partners is strictly necessary to enable selected products, such as payment cards and fiat on/off-ramps. When using such services, you provide data that will be processed by partners acting as independent data controllers. Clause 6. Public Nature of Blockchain Data The user acknowledges that transactions carried out through Picnic are recorded on public blockchains. By technological design, data recorded on blockchain networks, including wallet addresses and transfer values, are immutable, transparent, and inherently public. The exercise of certain privacy rights, such as deletion or rectification, is technically impossible with respect to on-chain records. Clause 7. Circumstances for Data Sharing We may share data under the following circumstances: sharing wallet addresses with infrastructure providers and blockchain analytics services to detect and mitigate financial crime where there is reasonable suspicion involving a specific wallet or user; where strictly necessary to enable the Picnic Card, fiat conversion services, or related operations; to prevent harm to the Company or users, or in response to substantiated requests from regulated partners; and in the event of a merger, acquisition, or asset sale, provided equivalent privacy protections are maintained. Clause 8. Security Measures Picnic implements rigorous security protocols to ensure data integrity and confidentiality during communications with external partners. For most services, communication occurs exclusively between the Picnic backend and partners, meaning the user’s browser or application does not directly interact with such services. All transmissions are protected using standard transport encryption (TLS). In the case of the authentication provider Magic, the Picnic backend does not access communications between the user’s device and Magic’s servers. This interaction occurs end-to-end via TLS encryption, ensuring authentication credentials and sensitive data remain isolated from our infrastructure. Users may consult Magic’s security documentation for additional information. Clause 9. User Rights (General) As a BVI entity, we guarantee users the right to request access to personal data held by the Company. Subject to applicable law, users have rights to confirmation of processing, correction of data, and, where legally permitted, anonymization or deletion of unnecessary data. Requests must be submitted to legal@usepicnic.com . Clause 10. Information for Data Subjects in Brazil (LGPD – Law No. 13,709/2018) We process personal data based on the following legal grounds: user consent (for example, marketing communications); performance of a contract or preliminary procedures; compliance with legal obligations such as KYC and AML requirements; and legitimate interests, provided fundamental rights and freedoms are respected. Under the LGPD, users have the right to confirmation and access, correction, anonymization, blocking or deletion, data portability, and withdrawal of consent. Blockchain notice: due to blockchain immutability, on-chain data such as transaction history and wallet addresses cannot be deleted, rectified, or modified by the Company. Clause 11. Information for Data Subjects in the European Union (GDPR) We process personal data for the purposes described in Clause 4 under the following legal bases: consent, contractual necessity, legal obligation, and legitimate interests not overridden by your fundamental rights. Under the GDPR, you have the right to request access to your personal data, request rectification or erasure, object to or restrict processing, request data portability, and withdraw consent at any time. However, we cannot modify or delete information stored on blockchain networks, including transaction data, wallet addresses, or assets associated with such addresses, as these remain outside our control. To exercise GDPR rights, contact legal@usepicnic.com . Clause 12. Information for Users in the United States For users residing in the United States who utilize fiat conversion services, data processing is conducted in accordance with applicable federal and state laws. The user acknowledges and accepts that Noah US Inc. acts as the technological and regulatory partner enabling financial operations in the United States. To use these services, users must provide identity verification data directly to Noah for KYC and AML purposes. Processing of such data, including access and deletion rights subject to mandatory legal retention, is governed exclusively by Noah’s Privacy Policy available at https://noah.com/en/privacy-notice . Clause 13. Electronic Communications The user expressly agrees to receive all communications, contracts, and legal notices electronically, including terms updates, security alerts, and support communications. Clause 14. Corporate Changes and Policy Updates In the event of a merger or sale of Defi Basket Labs, data may be transferred to the successor entity under the same privacy standards established herein. This Policy may be updated periodically. Continued use of the platform following updates constitutes acceptance of the revised terms. Clause 15. Material Changes and Contact If we make material changes to this Policy, we will notify you through the Services. Continued use of the Services reflects your periodic review of this Policy and constitutes consent to its terms. If you have any questions regarding this Policy or how we collect, use, or share your information, please contact us at legal@usepicnic.com.

Privacy Policy - English

Last updated: February 12, 2026 This Privacy Policy ("Policy") outlines the terms and conditions under which Defi Basket Labs ("We", "Company"), a company incorporated in the British Virgin Islands (BVI), processes information and data related to the Picnic platform. CLAUSE 1. Picnic is a decentralized software interface. BY USING PICNIC, YOU ACKNOWLEDGE THAT WE ARE ONLY TECHNOLOGY PROVIDERS FACILITATING YOUR DIRECT INTERACTION WITH THE BLOCKCHAIN. WE DO NOT HOLD CUSTODY OF YOUR ASSETS NOR DO WE CONTROL OR INTERMEDIATE TRANSACTIONS MADE ON THE NETWORK. THIS POLICY SHOULD BE READ IN CONJUNCTION WITH THE PICNIC TERMS OF USE. BY ACCEPTING THIS POLICY, YOU CONSENT TO THE DATA PROCESSING NECESSARY FOR THE TECHNOLOGICAL OPERATION OF THE INTERFACE AND ACKNOWLEDGE AUTOMATIC ACCEPTANCE OF THE PRIVACY POLICIES OF OUR INFRASTRUCTURE PARTNERS. CLAUSE 2. Given the decentralized nature of Picnic's software, which resides on the blockchain and not on a centralized server, the processing of your personal data will be governed by the data protection laws of the country where you, the user, are located at the time of access. We are committed to respecting the principles of the LGPD (Brazil), CCPA (USA), GDPR (Europe), and DPA (BVI) as applicable to your specific case. CLAUSE 3. For the platform's operation, we collect the following categories of data: 3.1. Data collected directly by Picnic: - Registration Data: email and phone number - On-chain Identifiers: Public wallet address. - Purpose: Basic user identification, support communication, account security, and technical facilitation of the interface for reading balances and network history. 3.2. Data collected by/for Infrastructure Partners: - KYC/Compliance Data: Full name, identification documents (RG/CPF/CNH), proof of residence, and facial biometrics (selfie). - Purpose: Compliance with legal "Know Your Customer" (KYC) obligations, anti-money laundering (AML) prevention, and counter-terrorism financing, as required by infrastructure partners. - Wallet Integration: For certain specific partners, we share your specific wallet address for technical integration and asset settlement purposes. 3.3. Technical and Navigation Data - Log Data: IP address (temporarily processed for geofencing and security), device type, browser version, and operating system. - Purpose: Performance optimization, error debugging, and access restriction in sanctioned jurisdictions. CLAUSE 4. We use the collected data to: (1) provide services: maintain, customize, and improve the interface and software, (2) security and protection: investigate and prevent fraudulent, illegal, or unauthorized activities, (3) legal compliance: fulfill legal obligations, government requests, and Anti-Money Laundering (AML) regulations, (4) communications: send legal notices, terms updates, security alerts, and technical support via electronic means. CLAUSE 5. The User acknowledges and accepts that the sharing of personal and transactional data between Picnic and its partners is strictly necessary to enable the chosen products (such as cards and fiat ramps). By using these services, you provide data that will be processed by partners as independent controllers. CLAUSE 6. The User acknowledges that transactions made through Picnic are recorded on public blockchains. By technological design, data recorded on the blockchain (including wallet addresses and transfer amounts) are immutable, transparent, and PUBLIC BY NATURE. The exercise of privacy rights, such as deletion or rectification, is not technically possible for on-chain records. CLAUSE 7**.** We may share data under the following circumstances: - We share wallet addresses with infrastructure and blockchain analysis providers to detect and mitigate financial crimes, in case of a founded suspicion of crime involving specific wallets or users. - The sharing of personal and transactional data is strictly necessary to enable the Picnic Card, fiat currency conversion, and other operations. - To prevent harm to the Company or users, or in case of a substantiated request from one of our regulated partners. - In the event of a merger, acquisition, or asset sale, data may be transferred under the same privacy standards established here. CLAUSE 8 – Picnic uses strict security protocols to ensure the integrity and confidentiality of data during communication with external partners. Our architecture is divided into two security pillars: 1. For most services, communication occurs exclusively between Picnic's backend and partners, so the user's browser or app does not directly interact with these services. All transmission is protected by conventional transport encryption (TLS). 2. In the case of the Magic authentication provider, to ensure maximum privacy, Picnic's backend does not access, at any time, communications between the user's device and Magic's servers. This interaction occurs end-to-end via TLS encryption, ensuring that access keys and sensitive authentication data remain isolated from our infrastructure. For more information, users can consult Magic's security documentation. CLAUSE 9. As a BVI entity, we guarantee users the right to request access to personal data the Company may hold. Under applicable law, users have the right to confirmation, correction, and, when legally permitted, anonymization or deletion of unnecessary data. Requests should be made to legal@usepicnic.com. CLAUSE 10. INFORMATION FOR DATA SUBJECTS IN BRAZIL (LAW NO. 13,709/2018 - LGPD). We process your personal data based on the following legal grounds: (i) with your consent (e.g., for marketing communications); (ii) for the execution of a contract or preliminary procedures (e.g., to enable the use of the interface and the Picnic Card); (iii) to comply with a legal obligation (e.g., KYC and Anti-Money Laundering regulations of our partners); and (iv) to meet our legitimate interests or those of third parties, provided that your fundamental rights and freedoms are respected. Under the LGPD, you have the following rights: 1. Confirmation and Access: Right to confirm the existence of processing and access your data. 2. Correction: Right to request the correction of incomplete, inaccurate, or outdated data. 3. Anonymization or Deletion: Right to request the anonymization, blocking, or deletion of unnecessary data or data processed in non-compliance with the law. 4. Portability: Right to request the portability of data to another service provider, subject to ANPD regulations. 5. Revocation of Consent: Right to revoke your consent at any time and be informed about the consequences of refusal. Note on Blockchain: The User acknowledges that due to the immutable nature of blockchain technology, data recorded on-chain (such as transaction history and wallet addresses) cannot be deleted, rectified, or altered by the Company, which limits the exercise of certain deletion rights over public and distributed records. CLAUSE 11. INFORMATION FOR DATA SUBJECTS IN THE EUROPEAN UNION. We process personal data for the purposes described in CLAUSE 4 above. Our legal bases for processing your data include: (i) you have given consent for processing to us or our service providers for one or more specific purposes; (ii) processing is necessary for the performance of a contract with you; (iii) processing is necessary for compliance with a legal obligation; and/or (iv) processing is necessary for the purposes of legitimate interests pursued by us or third parties, provided that your interests and fundamental rights do not override such interests. Your rights under the General Data Protection Regulation ("GDPR") include the right to: (i) request access and obtain a copy of your personal data; (ii) request the rectification or deletion of your personal data; (iii) object to or restrict the processing of your data; and (iv) request the portability of your data. Additionally, you may withdraw your consent at any time. However, we cannot edit or delete information stored on a specific blockchain. Information such as transaction data, blockchain wallet address, and assets held by your address, which may be related to the data we collect, are beyond our control. To exercise any of your rights under the GDPR, contact us at legal@usepicnic.com. CLAUSE 12. INFORMATION FOR USERS IN THE UNITED STATES. For users residing in the United States who use fiat currency conversion services (fiat ramps), data processing is carried out in accordance with applicable US federal and state laws. The User acknowledges and accepts that: (1) Infrastructure Partner: Noah US Inc. acts as the partner responsible for the technological and regulatory enablement of financial operations in the US. (2) Compliance and KYC: To use these services, the User must provide data directly to Noah for identity verification (KYC) and Anti-Money Laundering (AML) purposes. (3) Third-Party Privacy Policy: The processing of these data, as well as rights of access and deletion (subject to mandatory legal retentions), is governed exclusively by Noah's Privacy Policy, available at https://noah.com/en/privacy-notice. CLAUSE 13. The user expressly agrees to receive all communications, contracts, and legal notices electronically, including updates to terms, security alerts, and support notices. CLAUSE 14. In the event of a merger or sale of Defi Basket Labs, data may be transferred to the new entity under the same privacy standards. This Policy may be updated periodically; continued use of the platform after updates constitutes acceptance of the new terms. CLAUSE 15. If we make material changes to this Policy, we will notify you through the Services. However, your continued use of the Services reflects your periodic review of this Policy and other Company terms, and indicates your consent to them. If you have any questions about this Policy or how we collect, use, or share your information, contact us at legal@usepicnic.com.

Transparency Page

Welcome to our transparency page. Here at PICNIC, we believe you should understand exactly how your financial technology works. We are not a bank, nor a traditional brokerage. We are something new. We are the technology of your financial freedom. Recently, we have dedicated considerable time to thoroughly reviewing our operational structure. We have been working intensively on consolidating our Pure DeFi model. The purpose of this document is to clarify how PICNIC operates and how we ensure our actions comply with current legislation. 1. What are we? PICNIC is a non-custodial DeFi interface aggregator. Technically, we are a tool that translates complex smart contract operations into a simplified user experience.  When you use PICNIC, you are using our software to send commands directly to the public Blockchain. This means we only provide the necessary software interface for the user to interact with the Blockchain. At no point do the user's assets pass through accounts owned by PICNIC; our software simply allows you to allocate your capital directly into protocols, without human or centralized intermediaries. Our platform operates under the self-custody model. The legal relationship established is a software use license, where the technological tool allows the user to exercise their financial sovereignty, maintaining exclusive control over their private keys and the final execution of any transaction. 2. How does our technology work? Technologically, PICNIC operates under a non-custodial software architecture. This means our platform strictly acts as a graphical interface for interacting with the Blockchain, never holding possession of the assets.  The technical operation is based on four pillars: - Cryptography and local storage (your private key): When using PICNIC, a digital wallet is generated for the user. Control of this wallet depends on a private key. For security architecture, PICNIC does not have access to this key. Today, your security relies on Magic's cutting-edge technology (HSM) to protect your key. Very soon, with the arrival of Passkeys in PICNIC v1, we will take a step further: the key that controls your account will be generated and stored exclusively on your phone or computer. This means you will have 100% custody and control of your wallet, with maximum security from your hardware. - Transaction signing: Our software's role is to translate your intention into code. When you decide to perform an operation, the final validation — the "digital signature" — occurs on your device. You authorize the transaction before it is transmitted to the network. - Direct settlement on the blockchain: Traditional banks and brokerages use an "Internal Ledger." When you see your balance there, you see a promise of payment, not necessarily the actual asset real. In Picnic, financial settlement occurs without intermediaries: assets move from your wallet directly to the smart contracts (automated protocols) on the Blockchain. At no point do funds pass through bank accounts or wallets owned by PICNIC.  Source: Appinvestiv Understanding DeFi Architecture To understand why PICNIC is not a bank, it's essential to grasp the fundamental shift that Decentralized Finance (DeFi) has brought: the change in the trust locus. In DeFi, trust is placed in public and auditable code: a smart contract (see section 5 for more details). This creates a deterministic execution environment: if the contract rules are met, the outcome invariably occurs, without the possibility of censorship or human intervention. 1. The Block Structure The DeFi ecosystem is not random; it follows a logical "layered" architecture, comparable to building a digital structure (based on the Schär, 2021 model). - Layer 1 - Settlement: It's the solid ground. Here are the Blockchain (like Ethereum or Gnosis) and their native assets. It ensures that transactions are irreversible and publicly recorded. - Layer 2 - Assets: On the foundation, tokens are created (like the ERC-20 standard). It's the digital representation of value that allows different currencies to "communicate" with each other. - Layer 3 - Protocols: These are the sets of Smart Contracts that define the rules, such as Decentralized Exchanges (DEXs - e.g., Uniswap). - Layer 4 - Application: These are the visual interfaces that allow you to look inside the contracts and interact with them. - Layer 5 - Aggregation: This is where PICNIC operates. We connect various protocols simultaneously, allowing you to compare and access the best opportunities in a single simplified interface. Source: Schär (2021, p. 157) 3. Legislation and Framework It's crucial to dispel a common misconception: PICNIC does not operate in a legal vacuum. The fact that our business model is distinct does not exempt us from responsibilities. On the contrary: as a global platform, Picnic operates in strict compliance with the legal framework of the countries where we are present. Our operations are governed by a complex matrix of regulations that ensure user safety, data privacy, and the integrity of commercial operations. Although PICNIC is a non-custodial technology provider, we have an ethical and legal commitment to prevent our software from being used to facilitate illicit activities. Our compliance policy is based on community protection and adherence to global anti-money laundering (AML), counter-terrorism financing (CFT), and economic sanctions regulations. - The typical prudential requirements for custodians — such as asset segregation and capital requirements — are designed to mitigate counterparty risk (fraud, bankruptcy, commingling). In self-custodial software like Picnic, these risks do not exist.  - There are other risks involved in self-custody, such as permanent loss of private keys, phishing, or potential code failures. Regarding these risks, we are actively and continuously working to alert and ensure they do not occur with users who use our technology. 3.1. Why are we not a regulated Financial Institution or Virtual Asset Service Provider? We operate as Technology Providers (Software as a Service). For this reason, in the current model, we understand that our structure does not fit into the regulatory categories of financial institutions or virtual asset service providers, precisely because our architecture is different. A. We are not "Custodians" To be a custodian, the institution needs to have control of the private keys or the ability to move funds on behalf of the client. Our technology is self-custodial. We do not have your private key. Without the key, it is technically impossible for us to transfer, freeze, or confiscate your funds. Without possession of this cryptographic code, there is no effective control over the asset in a decentralized network. It is the technical ability to make transactions on behalf of the client — and the consequent power of exclusion of third parties — that attracts the qualified duty of diligence of a potential custodian. Furthermore, your funds never pass through a Picnic account, nor do we have any control over them, as they are stored directly on the Blockchain and can only be transferred with possession of your private key.  B. We are not "Intermediaries" Intermediaries have the social purpose of acting "on behalf of third parties." Their primary function is order execution and business management, encompassing activities such as buying, selling, and exchanging assets, portfolio management, and acting as a fiduciary agent. It is noted that the core of this activity is agency: the intermediary connects ends or manages strategies, operating as a transactional intermediary or resource manager, without necessarily holding the definitive custody of assets for deposit purposes. By regulation, an Intermediary is a company that acts "on behalf and order of third parties." It's like a broker who receives an order from you and goes to the market to execute it on your behalf. We do not act on your behalf. We are the technology that you use to transact on your own behalf directly on the blockchain. - Picnic functions like a browser (Google Chrome, for example), which allows you to access your bank's website and make a Pix, but the browser is not the bank nor the financial intermediary. It is just the technological tool. Similarly, we are the interface (SaaS) that connects you directly to the Blockchain. The legal relationship is You ↔ Blockchain. C. We are not "Brokers/Exchanges"  Brokers (like exchanges) are hybrid entities that mix the two functions above: they hold the funds (custody) and make the exchanges (intermediation). Moreover, we do not maintain an internal "Order Book" and do not match buy and sell orders internally - another typical brokerage activity - because you transact and transfer your funds directly on the Blockchain.  - The Picnic reality: In light of the described operational architecture, we understand that Picnic does not fit into the typical activities of custody, intermediation, or brokerage, especially because it does not hold control over private keys, does not execute orders on behalf of the user, and does not maintain an internal order book. What are we then? Picnic acts as a technology service provider. We provide an interface for you to access the DeFi ecosystem - primarily in Decentralized Protocols (DEXs) on the public Blockchain. In specific cases where we use partner liquidity aggregators to ensure better rates, the operation continues to follow the non-custodial principle: settlement is direct to your wallet. We understand that regulation has come - and very timely - to mitigate risks associated with financial institutions and exchanges (counterparty risk, insolvency, commingling, etc.). At Picnic, since your funds are not under our custody and we do not perform intermediation, the typical prudential rules and risks do not apply to our software architecture. - We work with partners for fund entry/exit to the traditional financial market. Our partners are regulated Virtual Asset Service Providers, but the difference is that they make the exchange and send the stablecoins directly to your self-custody at Picnic. Everything that touches the traditional financial market is regulated - our technology operates on top of these regulated institutions to ensure that the final possession of your assets is yours. 4. Reports Many users ask us: "Does Picnic send my data and balances to the IRS, like traditional brokerages do?" Picnic, as a non-custodial software provider and under current legislation, does not report to the IRS. However, incoming transactions (Pix) are processed by regulated partners in Brazil who comply with current regulations. This is not a matter of choice, but a consequence of our technological architecture and current legislation (RFB Normative Instruction No. 2291/2025). Understand why: Under current legislation, specifically Art. 5º, II, b, of IN 2291/2025, reporting operations carried out on decentralized platforms not based in Brazil is the obligation of the individual or entity resident and domiciled in Brazil. Since PICNIC does not hold custody, does not process transactions centrally, and is not based in Brazil, we understand that we do not fall under the reporting obligations applicable to traditional exchanges. Thus, fiscal transparency before the Brazilian IRS is the direct and individual responsibility of each user.  "But do you have my CPF?" Yes, we store your registration data (such as CPF and email). We do this for two practical reasons of User Experience (UX) and functionality: 1. Connection with partners: For you to acquire virtual assets with Pix (via our partner BRLA) or issue your Debit Card (via Gnosis Pay), these partner financial institutions require your identification. 2. Ease of access: We store your data so you don't have to fill out complex forms every time you open the app. - In summary: To process your payments in Reais (Pix), we use regulated partners in Brazil who comply with applicable regulations. Article 5º (II) of IN RFB 2291/2025 establishes the rule that: when operations are carried out on decentralized platforms (DeFi) located outside Brazil, the obligation to report these movements falls on the user (you). 5. Why are Smart Contracts Secure? You may have heard that Picnic operates via smart contracts. But what does this mean for the security of your money? A smart contract is a self-executing software. It's a computer program that lives on the Blockchain and follows an unbreakable mathematical logic: "IF [condition X happens] → THEN [action Y is executed]" To understand the security of this, imagine a vending machine: 1. "IF you insert $5.00 and press button A1 → THEN the machine dispenses the soda." 2. You don't need to trust that a vendor will take your money and give you the product. You don't need to say "please." The machine is programmed to do only that. It can't take your money and say "not today." At Picnic, we use this same logic. In the traditional system, when you make a transfer, you rely on an intermediary institution, like a bank or brokerage. With Smart Contracts, the operation is: - Deterministic: If you have a balance and sign the transaction with your key, the transfer happens. There's no "maybe." It's pure mathematics. - Impartial: The code doesn't know who you are, has no biases, and doesn't get tired. It treats everyone equally at all times. - Auditable: The rules of the game are public. Anyone in the world can read the code and verify that it does exactly what it promises to do. Picnic connects you to the most tested and audited smart contracts in the world. These are protocols that process billions of dollars daily for years, without failures. We build the interface so you can use this infrastructure. - Transparency requires us to be direct: Although in the smart contracts we use, failures are events of rare occurrence and technical complexity, code risks are possible in any technological system. Therefore, some type of failure may occur. - Therefore, at Picnic, security is not a finished product but a continuous process. We work tirelessly monitoring updates, following global audits, and reviewing protocols to ensure the integrity of your assets is always protected. 6. Risk Awareness Statement By opting for self-custody, you eliminate the risk of the institution going bankrupt and taking your funds, but you assume full responsibility for the security of your access. It is essential that you understand the following points: 1. Impossibility of password recovery: Since Picnic does not have access to your private key, we do not have the technical ability to recover your funds or reset your password if you lose access to your device or your backup credentials (seed phrase/recovery keys). 2. Irreversibility of transactions: Transactions on the Blockchain are immutable. Once you sign an operation (send funds), it cannot be undone, canceled, or reversed by Picnic. 3. Device security: The protection of your assets ultimately resides in the security of your device. Although the key is protected by external security modules (Magic), the final decryption step occurs locally. Therefore, if your hardware is compromised by malware or accessed by third parties, the security barrier is broken. The integrity of your access environment and understanding of the risks associated with this architecture are your sole responsibility. 7. What happens if Picnic ceases to exist? This is the ultimate proof of our non-custodial nature. If PICNIC went offline today, your funds would remain protected on the blockchain, as they are not with us, but in a smart contract under your exclusive control. - To access them, you would use your private key in any interface that supports smart wallets (like Safe). By connecting your key, you regain full control over your assets and can transfer them wherever you wish. PICNIC is just the gateway; the key and the vault are yours. We do not touch your funds. And, therefore, your assets remain under your absolute control. - Attention: transactions on the blockchain are irreversible 8. The Picnic Card: real economy and cutting-edge technology The Picnic Card is not just a payment method; it's a tool for financial efficiency and freedom. It was designed to solve two problems: the abusive fees of international travel and the lack of control over one's own assets in traditional prepaid cards. A. Cost efficiency and operational structure One of the main questions from our users is about the cost composition when using Picnic for international travel. The efficiency of our model is based on the legal nature of the assets we use. Understand what you are acquiring: When loading your balance on Picnic, you are performing a purchase operation of Virtual Assets (like USDC or USDT), supported by Law 14.478/2022 (Legal Framework for Cryptoassets). - In the traditional model: When you acquire foreign currency (dollar or euro) in banks, a foreign exchange operation occurs on which the IOF-Exchange is levied. - In the Picnic model: The acquisition of stablecoins is legally treated as the purchase of a digital asset. It is the purchase of a digital asset, not foreign fiat currency. The Practical Result: By using blockchain technology to transact your assets globally, you access an optimized cost structure. Your purchasing power is preserved because the technology allows you to use your digital assets directly. B. A Self-Custodial Card The Picnic Card is built on the principle of self-custody. You remain in full control of your funds — before, during, and after each transaction. Unlike brokerages that require custody, Picnic, via Gnosis Pay, allows you to spend directly from your personal wallet (Smart Wallet). What does this mean in practice? - Only you access and approve the funds.  - Your funds are never touched by Picnic.  - All transactions are recorded on the network (on-chain) and can be independently verified. C. How the Technology Works To allow a Blockchain wallet to pass a Visa card, we use Smart Contracts that apply security modules to your wallet: - Roles Module: It acts as a shield for your account. It authorizes the card system to move only a specific token to a single, secure destination. Thus, the card operates in an "isolated corridor," without any power over the rest of your assets. - Delay Module: To ensure security and accuracy of balances on the blockchain, transactions outside card use have a 3-minute interval. This time is essential to avoid processing conflicts (double spending) and maintain the total integrity of your smart wallet. Security Tip: We recommend using your Picnic wallet as a "Spending Vault". Keep only the amount you intend to use daily or while traveling, managing it independently from your long-term savings. D. If the card is decentralized, why do we ask for KYC (Documents)? Although your wallet is self-custodial and decentralized, the Picnic Card, via Gnosis Pay, connects this new world to the Visa network, which is a traditional and regulated financial system. For Visa to accept processing your payments in millions of establishments worldwide, it is mandatory to comply with KYC (Know Your Customer) and anti-money laundering regulations. We ask for your data only to issue the card and meet this requirement of the brand, but this does not give us the power to control or confiscate your assets on the Blockchain. Attention: at Picnic, you operate with digital dollars (USDC), a stablecoin backed by US dollars. The exchange rate may vary, and the final valid value is always the one displayed on the confirmation screen at the time of the transaction. About Picnic: we are a software interface for self-custody of digital assets. This means your account is self-managed: you are solely responsible for your assets and for protecting your credentials and understanding the financial products you use. Past performance does not guarantee future results. Picnic does not provide investment advice. Picnic only communicates through the @usepicnic.com domain. If you receive communication from another domain or channel requesting any action related to your account, treat it as a fraud attempt and report it to oi@usepicnic.com. Transactions on the blockchain are irreversible.