Effective date: April 1, 2026

This Privacy Policy explains how Posted.art processes personal data in connection with the Posted.art platform, including the website, web application, mobile-first application experience, hosted Postcard pages, smart-contract-enabled ownership flows, and related services, features, content, and functionality that link to or reference this Privacy Policy (collectively, the "Platform").

Posted.art is designed to minimize personal data collection. The Platform does not use traditional user accounts and primarily relies on Wallet-based, pseudonymous identifiers and transaction-related data needed to operate the Services.

Capitalized terms used but not defined in this Privacy Policy have the meanings given to them in the Terms of Service.

By accessing or using the Platform, you acknowledge the practices described in this Privacy Policy.

Posted.art is a mobile-first platform for visual digital content. The personal data processed by Posted.art varies depending on how you use the Platform.

This Privacy Policy applies to personal data processed by Posted.art in connection with:

• public browsing of the Platform
• Wallet-linked authentication and session handling
• Wallet-linked favorites and like functionality
• creation, hosting, and sharing of Postcards
• creator submissions through Create & Earn
• Art Certificate purchase and ownership flows
• support requests, legal compliance, and operational administration
• cookies, local storage, session storage, and similar technologies used by the Platform

This Privacy Policy does not apply to third-party websites, Wallet providers, blockchains, marketplaces, or other third-party services that have their own privacy policies.

Depending on how you use the Platform, Posted.art may process the following categories of personal data:

• Wallet addresses and related public blockchain identifiers
• signed authentication messages and related authentication metadata
• technical data limited to what is needed to operate the Platform, including IP-based location handling and browser language detection
• Postcard-related data, including selected Content, any personal written message, optional music, gift-related media, a sharing link, and hosting status
• public Postcard presentation data, including sender Wallet identity elements shown on a public Postcard page, such as a shortened Wallet address, Wallet avatar, or ENS-style name if available
• creator submission data, including uploaded Content, the Wallet address connected at the time of submission, and related Platform-side metadata
• Wallet-linked favorites and like data, including Wallet address, content key, like status, like count, and related timestamps
• Art Certificate purchase and preparation data, including the authenticated buyer Wallet address, chain or network context, transaction hashes where available, and public smart-contract data related to minting and ownership
• Art Certificate-related metadata and associated public blockchain ownership data
• support and contact communications sent to Posted.art, including email correspondence and related records
• cookie, local storage, session storage, and similar device-level identifiers or preference data

Posted.art collects personal data:

• directly from you when you connect a Wallet, sign an authentication message, create a Postcard, submit Content, buy an Art Certificate, or contact Posted.art
• automatically when you browse or interact with the Platform
• from public blockchain networks and related infrastructure, including Wallet, naming, avatar, and indexing services used to retrieve or display blockchain-linked information through the Platform
• from service providers and infrastructure partners that help operate the Platform

Posted.art uses cookies and similar technologies, including local storage and session storage, as part of operating the Platform. These technologies are used only for limited Platform functions, such as:

• maintaining wallet-authenticated or session-related state
• storing a wallet-authenticated session token, associated Wallet address, and issued-at time
• storing a last-activity timestamp used to reset app state after extended inactivity
• remembering whether an install prompt has already been shown
• storing a temporary session flag while Wallet authentication is in progress
• supporting essential Platform security and functionality

Posted.art also uses a temporary in-memory session cache for certain app data. That cache is cleared on hard reload or app reset.

Posted.art may process personal data to:

• provide, operate, and maintain the Platform
• authenticate Wallet-linked access and manage sessions
• maintain Wallet-linked favorites and like functionality
• create, host, display, and share Postcards
• review and manage Create & Earn submissions
• support Art Certificate purchases, minting flows, and related ownership features
• display public blockchain and public Platform data in the user interface
• process pricing, payment, and transaction-related flows
• provide customer support and respond to requests

Where applicable law requires a legal basis for processing, Posted.art relies on the legal bases applicable to the relevant use of the Platform, including performance of a contract, consent where required, and legitimate interests in operating the Platform.

Posted.art may share personal data with:

• hosting, storage, content delivery, infrastructure, and other technical service providers that help operate the Platform
• blockchain networks, smart contracts, Wallet providers, and public blockchain-linked indexing, naming, avatar, and display services used for Wallet-linked or NFT-related functionality

Posted.art is not responsible for the privacy practices of third-party services. Posted.art does not sell personal data.

Because Posted.art uses internet-based and blockchain-based infrastructure, personal data may be processed in countries outside your country of residence.

Public blockchain data and decentralized storage systems may involve global distribution that is not controlled solely by Posted.art.

Posted.art keeps personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy.

By category, this generally means:

• Wallet authentication and session-related data: retained only as long as reasonably necessary for authentication, security, and session management
• Postcards and related hosted assets: retained for the active hosting period and then deleted from Platform-controlled hosting, unless earlier removed by the user
• creator submission data: retained for as long as necessary to review and operate Create & Earn activity
• Wallet-linked favorites and like data: retained while the related postcard or content item remains available in the library; when the related postcard or content item is removed from the library, the related favorites and like records are purged from the corresponding favorites and likes tables
• support communications: retained for as long as reasonably necessary to respond, document, and manage the relevant issue
• public blockchain and decentralized storage data: remains publicly accessible independently of Posted.art and is not deletable by Posted.art

Posted.art uses reasonable technical and organizational measures intended to protect personal data appropriate to the nature of the Platform and the data involved.

However, no system is completely secure. Posted.art cannot guarantee absolute security of the Platform, any third-party service, or any blockchain network.

You are responsible for protecting your Wallet, private keys, seed phrases, devices, and access credentials.

Depending on your location and applicable law, you may have rights relating to your personal data, including the right to:

• request access to personal data Posted.art holds about you
• request correction of inaccurate personal data
• request deletion of personal data, subject to legal and technical limits
• object to or request restriction of certain processing
• withdraw consent where processing is based on consent
• request data portability where applicable
• lodge a complaint with a supervisory authority

Users can directly manage and remove certain Platform-controlled data through the app itself, including deleting their own Postcards, changing favorites and like-related state, disconnecting their Wallet, and clearing browser-stored app data on their own device.

These rights are not absolute and may be limited by applicable law, technical constraints, Platform architecture, or the public and immutable nature of blockchain systems. Posted.art cannot delete or alter public blockchain records or data stored through decentralized systems not controlled by Posted.art.

For creator-submitted Content, a Creator may request removal by providing the related file names for the submitted Content. Before acting on such a request, Posted.art may require proof of control of the Wallet associated with that Content.

The Platform is not designed as a service specifically for children. Posted.art does not knowingly collect personal data from children.

Some data processed through the Platform is intentionally public by design, including public Postcard links and their visible contents during the hosting period, sender identity elements shown on public Postcard pages, public blockchain transaction data, Art Certificate ownership and transfer records visible on-chain, and public Content and metadata displayed through the Platform.

Public blockchain and decentralized storage data remains visible independently of Posted.art even if Platform-side functionality later changes or is removed. You should not submit or share information through the Platform unless you are comfortable with that public visibility.

Posted.art may update this Privacy Policy from time to time. An updated version becomes effective when posted, unless a later effective date is stated.

For questions, requests, or complaints regarding this Privacy Policy or privacy-related matters, use the contact details in the FAQ.