Privacy Policy
Describes how Carrot Fndn collects, processes, stores, shares, and protects personal data in compliance with LGPD, GDPR, and revDSG.
Version 1.0 — March 2026
Data Protection Officer (DPO): legal@carrot.eco
1. Introduction and Scope
Carrot Fndn is a Swiss foundation established under Articles 80 et seq. of the Swiss Civil Code, domiciled in Zug, Switzerland (Tax ID: UID# CHE-152.448.302), which develops and operates the Carrot Network — a technology platform that combines cloud infrastructure and blockchain for tracking circular economy actions and issuing Tokenized Environmental Credits (TRC/TCC).
This Privacy and Data Protection Policy ("Policy") describes how Carrot Fndn collects, processes, stores, shares, and protects personal data, in compliance with:
- Lei nº 13.709/2018 — Lei Geral de Proteção de Dados Pessoais (LGPD);
- Resolução CD/ANPD nº 15/2024 — procedure for communicating security incidents to ANPD;
- Lei nº 14.478/2022 — Brazilian Crypto Assets Legal Framework and Central Bank of Brazil regulations applicable to Virtual Asset Service Providers (VASPs), as applicable;
- General Data Protection Regulation (GDPR — EU Regulation 2016/679), as applicable to data subjects residing in the European Economic Area;
- Swiss Federal Act on Data Protection (revDSG — in force since September 1, 2023), applicable to the Foundation's operations by virtue of its domicile in Zug, Switzerland.
This Policy applies to all Users who access the websites and subdomains operated by Carrot Fndn under the carrot.eco domain, including, without limitation: www.carrot.eco, explore.carrot.eco, store.carrot.eco, docs.carrot.eco, my.carrot.eco, and whitepaper.carrot.eco, as well as any other subdomains that may be created, the Carrot Network and its smart contracts, or who interact with the Foundation in any capacity.
Jurisdiction Note
For purposes of the LGPD, Carrot Fndn may act as Controller or Processor of personal data, depending on the context of the operation (detailed in Section 2). Brazilian law governs the Platform usage relationship in Brazil; Swiss law (revDSG) governs the Foundation's operations and the issuance and sale of Tokenized Environmental Credits.
2. Roles and Responsibilities in Data Processing
Defining the roles of each party in data processing is essential for the proper attribution of responsibilities under art. 5, items VI and VII, of the LGPD and art. 4 of the GDPR.
2.1 When the User Is the Controller
For data that the User inputs into the Platform regarding their own operations — including data of employees, clients, Generators, Transporters, and Processors — the User acts as Controller and is responsible for ensuring the lawfulness of the processing before sharing such data with the Platform. It should be noted that, in most cases, this data is submitted to the Carrot Network directly by Network Integrators on behalf of the User Controller.
2.2 When Carrot Is the Processor
Carrot Fndn acts as Processor when it processes personal data on behalf and under the instructions of the User Controller — for example, when validating data submitted by Network Integrators for the purpose of credit issuance.
2.3 When Carrot Is an Independent Controller
Carrot Fndn acts as an independent Controller in processing activities carried out on its own behalf, such as:
- KYC/KYB — identification and verification of Users, performed directly or through specialized third-party providers;
- Distribution of Rewards via smart contracts;
- Compliance with legal and regulatory obligations, including those arising from Lei nº 14.478/2022;
- Prevention of fraud, money laundering (AML), and terrorism financing (CFT);
- Accreditation process of participants carried out directly by Carrot Fndn.
2.4 Network Integrators and Validators as Subprocessors
Network Integrators are third-party applications and platforms that integrate with the Carrot Network through APIs to record waste chain-of-custody events. When inputting personal data of chain participants (Generators, Transporters, Processors) into the Platform, Network Integrators act as Subprocessors of Carrot Fndn, under art. 39 of the LGPD.
Admission of Network Integrators to the Carrot Network is subject to the execution of a Data Processing Agreement (DPA) with Carrot Fndn, which shall establish compliance obligations, processing limits, and required security measures. Carrot Fndn will maintain an updated registry of accredited Network Integrators at www.carrot.eco.
Validators and Auditors are authorized agents who confirm transactions and certify operations along the chain of custody. When the exercise of their functions involves access to personal data contained in MassIDs or audit records, these agents operate as limited Subprocessors, with access restricted to the minimum necessary for the validation or certification of the corresponding operation, equally subject to a DPA.
Regardless of the role exercised, a party shall not be held liable for acts, omissions, or violations of data protection legislation committed by the other party, its agents, and/or contractors (cf. art. 42, §3, LGPD).
3. Technology: Cloud Infrastructure and Blockchain
Carrot Fndn adopts a data architecture that combines cloud storage (off-chain) and blockchain storage (on-chain), with the objective of simultaneously ensuring traceability, auditability, and privacy of data subjects.
3.1 Off-chain Data (Cloud Servers)
Sensitive personal information — name, email, identification documents, KYC/KYB data — is stored on secure cloud infrastructure, currently hosted on servers located in the United States of America (providers such as AWS and Google Cloud), with encryption at rest (AES-256) and in transit (TLS 1.2+). This data is subject to access, correction, and deletion by the data subject, as provided in Section 7. For the Platform's traditional login component, a password recovery mechanism is available, unlike access to digital wallets (addressed in Section 8.3).
3.2 On-chain Data (Blockchain)
Transaction records for circular economy operations, credit issuance (TRC/TCC), and validation hashes are immutably recorded on the blockchain. In accordance with the principle of privacy by design, Carrot Fndn does not record identifiable personal data directly on-chain in a public manner: cryptographic hashing techniques are used to preserve data integrity without exposing the data subject's identity.
On-chain Anonymization Procedure
When the data subject exercises the right to deletion provided for in art. 18, IV, of the LGPD with respect to data recorded on-chain, Carrot Fndn shall adopt the following procedure: (i) permanent deletion of the personally identifiable data in the off-chain records; (ii) invalidation of the mapping between the public wallet address and the data subject's identity in the Foundation's database; (iii) issuance of an anonymization certificate to the data subject within 30 (thirty) days. The remaining on-chain hash will maintain the integrity of the environmental transactions without allowing re-identification of the data subject.
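The off-chain/on-chain split and the deletion procedure above, as an added illustration that is not Carrot Fndn's code: it assumes a random per-subject salt (the Policy says only that hashing is used), keeps operational fields plus a salted identity commitment on the ledger, and shows that erasing the off-chain identity and salt leaves a PII-free integrity check working while the commitment can no longer be matched to a person. `unsalted_commitment` is included for contrast, to show why a bare hash of a name and email would not achieve anonymization.

```python
import hashlib
import json
import secrets
from dataclasses import asdict, dataclass, field

ZERO_HASH = "0" * 64


def commitment(salt: bytes, name: str, email: str) -> str:
    """On-chain identity commitment: SHA-256 over a random per-subject salt plus
    the identity fields (assumed scheme). Without the salt, a guessed name/email
    cannot be checked against the stored value."""
    data = json.dumps([name, email], separators=(",", ":")).encode()
    return hashlib.sha256(salt + data).hexdigest()


def unsalted_commitment(name: str, email: str) -> str:
    """Contrast case: a plain hash of low-entropy identifiers is not anonymization,
    because anyone who knows the email can recompute it and confirm a match."""
    return hashlib.sha256(json.dumps([name, email], separators=(",", ":")).encode()).hexdigest()


@dataclass(frozen=True)
class OnChainRecord:
    """Immutable ledger entry: operational data plus the commitment, no PII."""
    mass_id: str
    wallet: str
    mass_kg: int
    identity_commitment: str
    prev_hash: str

    def record_hash(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


@dataclass
class Platform:
    ledger: list = field(default_factory=list)      # on-chain, append-only
    identities: dict = field(default_factory=dict)  # off-chain PII: wallet -> {name, email, salt}

    def register(self, wallet: str, name: str, email: str) -> None:
        self.identities[wallet] = {"name": name, "email": email, "salt": secrets.token_bytes(16)}

    def record_event(self, wallet: str, mass_id: str, mass_kg: int) -> OnChainRecord:
        ident = self.identities[wallet]
        prev = self.ledger[-1].record_hash() if self.ledger else ZERO_HASH
        rec = OnChainRecord(mass_id, wallet, mass_kg,
                            commitment(ident["salt"], ident["name"], ident["email"]), prev)
        self.ledger.append(rec)
        return rec

    def ledger_intact(self) -> bool:
        """Integrity check that needs no PII: each prev_hash must equal the hash
        of the preceding record, so tampering anywhere breaks the chain."""
        expected = ZERO_HASH
        for rec in self.ledger:
            if rec.prev_hash != expected:
                return False
            expected = rec.record_hash()
        return True

    def erase_subject(self, wallet: str) -> dict:
        """Steps (i)-(iii): delete off-chain PII (the salt goes with it), drop the
        wallet->identity mapping, return certificate data. The ledger is untouched."""
        self.identities.pop(wallet, None)
        retained = [r.mass_id for r in self.ledger if r.wallet == wallet]
        return {"wallet": wallet, "status": "anonymized", "on_chain_records_retained": retained}

    def relink(self, rec: OnChainRecord, name: str, email: str) -> bool:
        """Can the holder of the off-chain data tie rec back to this person?
        Only while the salt exists; after erasure the commitment cannot be opened."""
        ident = self.identities.get(rec.wallet)
        if ident is None:
            return False
        return commitment(ident["salt"], name, email) == rec.identity_commitment


def demo() -> dict:
    """Constructed subject: registration, one MassID event, then erasure."""
    p = Platform()
    p.register("0xA11CE", "Ana Silva", "ana@example.com")  # constructed sample data
    rec = p.record_event("0xA11CE", "MASSID-0001", 1200)
    before = p.relink(rec, "Ana Silva", "ana@example.com")
    cert = p.erase_subject("0xA11CE")
    after = p.relink(rec, "Ana Silva", "ana@example.com")
    return {"intact": p.ledger_intact(), "relink_before": before, "relink_after": after, "certificate": cert}
```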
4. Data Collection, Purpose, and Legal Basis
Carrot Fndn collects exclusively the data necessary to fulfill the purposes described in this Policy, in compliance with the principle of necessity (art. 6, item III, LGPD).
4.1 Categories of Data Collected
| Category | Examples | Purpose |
|---|---|---|
| Registration Data (KYC/KYB) | Name, CPF/CNPJ, email, identification document, address, legal representation | Identity verification, regulatory compliance, and compliance with Lei nº 14.478/2022 |
| Web3 Data | Public wallet address | Reward processing and environmental asset registration |
| Operational Data | Origin, mass, and type of waste; MassID; ProductID; MTR | Issuance and validation of Tokenized Environmental Credits |
| Browsing and Tracking Data | IP address, date/time of access, session logs, functional and analytical cookies | Network security, fraud prevention, and Platform operation (see Section 5) |
| Financial Data | Payment account, Rewards history, crypto asset operations | Reward distribution, tax compliance, and AML/CFT |
4.1.1 Use of Registration Data for Public Recognition (Section 7A of T&C)
The name, logo, and website of the Participant organization, which are part of the data collected during the registration process (KYC/KYB), may also be used for purposes of public recognition of environmental impact, as set forth in Section 7A of the Terms and Conditions (Impact Recognition Program).
Such use is contingent upon the authorization granted by the User upon accepting the Terms and Conditions, and may be revoked at any time by written notice to legal@carrot.eco, without prejudice to disclosures previously made.
4.2 Legal Basis for Processing
The processing of personal data by Carrot Fndn is based on the following legal grounds under art. 7 of the LGPD:
- Performance of a contract (art. 7º, inc. V): processing necessary for the provision of services contracted by the User;
- Compliance with a legal or regulatory obligation (art. 7º, inc. II): KYC/KYB, tax obligations, regulatory reporting, and compliance with Lei nº 14.478/2022, Resolução BCB nº 1/2020, and AML/CFT obligations;
- Legitimate interest (art. 7º, inc. IX): used specifically for (i) fraud prevention and Network security; (ii) anomaly and attack detection; (iii) technical improvement of services; and (iv) public recognition of Participants' environmental impact, including disclosure of the organization's name, logo, and website on Carrot Fndn's institutional channels, as set forth in Section 7A of the Terms and Conditions (Impact Recognition Program). The use of this legal basis is subject to a proportionality test and documented in a Data Protection Impact Assessment (DPIA) maintained internally;
- Consent (art. 7º, inc. I): for non-essential cookies and marketing purposes, collected in a specific, prominent, and unambiguous manner at the time of first access.
4.3 Data We Do Not Collect
Carrot Fndn does not collect, under any circumstances: private keys, seed phrases, or any credentials that allow direct access to the User's digital assets.
4.4 Use of the Platform by Minors
Carrot Fndn's services are intended exclusively for natural persons over 18 (eighteen) years of age and legal entities represented by their legal representatives, pursuant to art. 14 of the LGPD and art. 8 of the GDPR. By using the Carrot Network, the User declares that they have full legal capacity. If the User is a legal entity, the legal representative declares that they have the authority to accept this Policy on behalf of the entity.
If Carrot Fndn identifies that data from a minor has been inadvertently collected without verifiable consent of parents or legal guardians, such data will be immediately deleted. Users who become aware of such a situation should notify the DPO at legal@carrot.eco.
4.5 Automated Decisions
The Carrot Network uses smart contracts to automatically process decisions with effects on the User, including:
- (i) calculation and distribution of Rewards based on the waste chain of custody recorded in MassIDs;
- (ii) validation or rejection of MassIDs for the purpose of issuing Tokenized Environmental Credits;
- (iii) temporary suspension of participants identified as potentially irregular by Network Auditors.
Under art. 20 of the LGPD, the User has the right to request human review of any automated decision that significantly affects them, including suspensions and Reward blocks. The request shall be sent to the DPO (legal@carrot.eco), with a description of the contested decision, and will be responded to within 15 business days, extendable by an additional 15 calendar days.
5. Cookies and Tracking Technologies
Carrot Fndn uses cookies and similar technologies on its websites to ensure the proper functioning of the Platform, analyze performance, and improve the User experience.
5.1 Cookie Categories
| Category | Purpose | Tools / Destination | Legal Basis |
|---|---|---|---|
| Strictly Necessary | Session authentication, security, and essential preferences | Carrot's own infrastructure (no transfer) | Performance of a contract (art. 7º, V, LGPD) |
| Analytics/Performance | Traffic analysis and browsing behavior | Google Analytics 4 (GA4) — US via SCCs; Vercel Analytics — Vercel infrastructure | Legitimate interest (art. 7º, IX, LGPD) / Consent (GDPR) |
| Functional | Language, region, and User preference personalization | Carrot's own infrastructure | Legitimate interest (art. 7º, IX, LGPD) |
5.2 Consent Management and Opt-out
On the first visit to any website operated by Carrot Fndn, the User will be presented with a cookie consent banner, allowing them to accept, decline, or customize each non-essential category. Consent is recorded with a timestamp and may be revoked at any time at the Privacy Policy page. Declining non-essential cookies does not prevent use of the Platform.
For specific opt-out from analytics tools:
- Google Analytics 4: install the opt-out add-on available at tools.google.com/dlpage/gaoptout;
- Vercel Analytics: disable in your browser's privacy settings or use compatible blocking extensions.
GA4 Transfer to US
Google Analytics 4 transfers data to servers in the US. Carrot Fndn adopts the European Commission's Standard Contractual Clauses (SCCs) as a safeguard. For Brazilian data subjects, the transfer is based on art. 33, VIII, of the LGPD (specific consent) and the data processing agreement with Google.
6. Sharing, Sub-processors, and International Transfers
Personal data may be shared with third parties under the following circumstances and conditions:
- Technology partners and sub-processors: exclusively to enable Platform operations, under a DPA with confidentiality and compliance obligations;
- Accredited independent auditors: for environmental certification and verification purposes, strictly limited to what is necessary;
- Regulatory, judicial, and virtual asset supervisory authorities: when required by law, court order, or applicable regulation, including the Central Bank of Brazil and COAF, under Lei nº 14.478/2022, for compliance with anti-money laundering (AML) and counter-terrorism financing (CFT) obligations.
6.1 Main Sub-processors
| Sub-processor | Service | Data Location | Safeguard |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and storage | US | SCCs |
| Google LLC (GCP / GA4) | Cloud infrastructure and data analytics | US | SCCs |
| Vercel Inc. | Website hosting and performance analytics | US | SCCs |
Material changes to this list of sub-processors will be communicated with a minimum notice of 30 (thirty) days.
6.2 International Data Transfers
Carrot Fndn operates with cloud infrastructure hosted in the United States of America and with its institutional headquarters in Switzerland, which entails international transfers of personal data. Switzerland holds an adequacy recognition from the European Commission for GDPR purposes. For purposes of the Brazilian LGPD, ANPD has not yet published an official list of countries with an adequate level of protection; until such a decision is formalized, international transfers are carried out based on:
- Standard Contractual Clauses (SCCs): adopted with all international sub-processors, under art. 33, II, of the LGPD, as the primary safeguard for transfers from Brazil to the US and Brazil to Switzerland;
- Specific consent of the data subject: (art. 33, VIII, LGPD), when applicable and collected in a prominent manner.
Note on ANPD Adequacy
The adequacy recognition of Switzerland is valid only in the context of the GDPR (European Commission). For the LGPD, until ANPD publishes an official list, the current safeguard is the SCCs. This Policy will be updated when a formal ANPD decision is issued.
7. Data Subject Rights
Under art. 18 of the LGPD, the personal data subject has the following rights, exercisable by request to the DPO at legal@carrot.eco:
7.1 Rights under the LGPD
| Right | How to Exercise It on the Carrot Platform |
|---|---|
| Confirmation and Access (art. 18, I-II) | Request via legal@carrot.eco; response within 15 days. |
| Correction (art. 18, III) | Update registration data directly through the Platform interface or via DPO. |
| Anonymization, Blocking, or Deletion (art. 18, IV) | Off-chain data: permanent deletion. On-chain data: technical anonymization with issuance of certificate within 30 days (see Section 3.2). |
| Portability (art. 18, V) | Provision in a structured and interoperable format, upon request. |
| Information on Sharing (art. 18, VII) | This Policy describes the categories of recipients; additional details available via DPO. |
| Revocation of Consent (art. 18, IX) | At any time, for purposes based on consent, without prejudice to processing previously carried out. |
| Review of Automated Decisions (art. 20) | Request for human review of smart contract decisions with financial impact (Reward calculation, MassID suspension). Send to legal@carrot.eco with a description of the contested decision. |
Rights of Third Parties Whose Data Arrives via Integrator
Chain participants (e.g., transport companies whose data is submitted by Network Integrators) are personal data subjects and retain all rights under art. 18 of the LGPD, even without a direct contractual relationship with Carrot Fndn. Upon receiving a deletion request for such data, Carrot Fndn will assess whether there is a conflict with environmental audit obligations or legal retention periods. In case of conflict, it may invoke the exceptions under art. 18, §3, of the LGPD (compliance with a legal obligation or regular exercise of rights), communicating the outcome to the data subject within 15 days.
7.2 Additional Rights under the GDPR (Data Subjects in the EEA)
For data subjects residing in the European Economic Area, the following additionally apply:
- Right to Object (art. 21 GDPR): the data subject may object to processing based on legitimate interest, at any time;
- Restriction of Processing (art. 18 GDPR): in certain circumstances, the data subject may request that the processing of their data be restricted;
- Complaint to a Supervisory Authority: the data subject may file a complaint with the data protection authority of the EU Member State of their habitual residence or where the alleged infringement occurred.
Should Carrot Fndn begin to systematically process data of European data subjects at a relevant scale, it will assess the need to appoint a representative in the EU pursuant to art. 27 of the GDPR. To exercise these rights: legal@carrot.eco.
7.3 Rights under the revDSG (Data Subjects in Switzerland)
For data subjects residing in Switzerland, the rights provided under the revDSG apply, including: access, correction, deletion, portability, and objection. Complaints may be filed with the FDPIC (Federal Data Protection and Information Commissioner — www.edoeb.admin.ch). Contact channel: legal@carrot.eco.
Carrot Fndn will respond to requests within 15 (fifteen) days, extendable by an equal period when justified, under art. 18, §5, of the LGPD, and within a reasonable timeframe as required by the GDPR and the revDSG.
8. Information Security
Carrot Fndn adopts appropriate technical and administrative measures to protect personal data against unauthorized access, destruction, loss, alteration, disclosure, or any other form of improper processing, in compliance with art. 46 of the LGPD and art. 32 of the GDPR.
8.1 Technical Measures
- Encryption in transit: TLS 1.2 or higher protocol for all client-server communication;
- Encryption at rest: AES-256 standard for data stored on cloud infrastructure;
- On-chain cryptographic hashing: ensures mathematical integrity of records without exposing identifiable personal data;
- Identity-based access control (IAM): only authorized users and systems may access personal data;
- Continuous monitoring: detection of anomalies and unauthorized access attempts.
8.2 Administrative Measures
- Privacy and data protection governance program, with periodic reviews;
- Training and awareness for employees and service providers;
- Security incident response plan, with documented notification procedures;
- Data Processing Agreements (DPAs) with all sub-processors and Subprocessors.
8.3 Digital Asset Custody
Carrot Fndn does not store, manage, or have access to the private keys or seed phrases of Users' digital wallets. Custody of digital assets is the exclusive responsibility of the User, and the loss or misplacement of such credentials is the User's sole responsibility, with no possibility of recovery by the Platform.
Note: the mechanism described above applies exclusively to the Platform's Web3 digital wallet component. For traditional login access (email and password), Carrot Fndn provides a standard password recovery mechanism.
8.4 Security Incident Communication
In the event of a security incident that may pose a risk or relevant harm to data subjects, Carrot Fndn will adopt the following procedures:
| Applicable Law | Authority | Notification Deadline | Legal Basis |
|---|---|---|---|
| LGPD (Brazil) | ANPD | 72 hours after awareness | Art. 48 LGPD + Res. CD/ANPD nº 15/2024 |
| GDPR (EU/EEA) | Supervisory authority of the Member State | 72 hours after awareness | Art. 33 GDPR |
| revDSG (Switzerland) | FDPIC | As soon as possible (no fixed deadline in hours) | Art. 24 revDSG |
Notification to affected data subjects will be carried out via the email registered on the Platform. When the volume of affected individuals makes individual notification impractical, a prominent notice will be published at www.carrot.eco and on the Platform's authenticated access panel for a minimum period of 30 (thirty) days.
The notification shall include: (i) the nature of the affected data; (ii) information about the data subjects involved; (iii) technical measures adopted; and (iv) related risks and actions to mitigate their effects.
8.5 Limitation of Liability for Security Incidents
Notwithstanding the security measures described in Sections 8.1 and 8.2, Users acknowledge that no technology system offers absolute security.
Carrot Fndn shall not be liable for security incidents arising exclusively from: (i) zero-day vulnerabilities not yet identified by the security community at the time of the incident; (ii) state-level attacks or attacks on critical infrastructure beyond the Foundation's reasonable control; or (iii) failures in systems, networks, or third-party infrastructure over which the Foundation has no direct operational control.
Carrot Fndn remains liable for incidents resulting from failures in its own implemented security measures, subject to the liability provisions set forth in the Terms and Conditions (Section 15).
9. Data Retention and Deletion
Personal data is retained for the period necessary to fulfill the purposes for which it was collected, subject to mandatory legal retention periods. Upon termination of the contractual relationship and expiration of applicable retention periods, off-chain data will be securely deleted or anonymized.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Contractual and tax data | Minimum 5 years | Art. 206, §5, Brazilian Civil Code; federal tax legislation |
| KYC/KYB data | 5 years after end of relationship; up to 10 years if there is a regulatory or judicial investigation | Res. BCB nº 1/2020; Lei nº 14.478/2022 (AML/CFT) |
| MTR and operational data | Minimum 5 years | Res. CONAMA nº 313/2002; Lei nº 12.305/2010 (PNRS) |
| Access and browsing logs | 6 months | Art. 15, Marco Civil da Internet (Lei nº 12.965/2014) |
| Environmental audit records (off-chain) | Per applicable methodologies | Verra, Gold Standard, and other international certification bodies |
| On-chain records (hashes) | Indefinite (technical immutability) | Technical anonymization applied — identity unlinking |
| Analytical cookie data | Up to 13 months (GA4 default) | Consent / legitimate interest |
| Public recognition data — Impact Recognition Program (Section 7A of T&C) | Up to 15 business days after opt-out request | Section 7A of the Terms and Conditions — opt-out processing period |
10. Global Storage and Processing
Due to the decentralized nature of the Carrot Network and infrastructure resilience requirements, data is primarily processed and stored on servers located in the United States of America, in addition to the institutional headquarters in Switzerland. Carrot Fndn ensures that all international transfers comply with the mechanisms provided in arts. 33 to 36 of the LGPD, with adoption of Standard Contractual Clauses (SCCs) as the primary safeguard, ensuring a level of protection equivalent to that required by Brazilian legislation.
11. Data Protection Officer (DPO)
In compliance with art. 41 of the LGPD and Resolução CD/ANPD nº 2/2022, Carrot Fndn has designated a Data Protection Officer (DPO), responsible for:
- Receiving communications from data subjects, ANPD, FDPIC, and competent GDPR supervisory authorities;
- Advising employees and contractors on data protection practices;
- Acting as a communication channel between the Foundation, data subjects, and supervisory authorities.
DPO Contact: legal@carrot.eco
The DPO's nominal identity will be disclosed in compliance with Resolução CD/ANPD nº 2/2022. For contact purposes, legal@carrot.eco is the official address designated for all data protection communications.
12. Changes to this Policy
This Policy may be updated periodically to reflect legal, technological, or operational changes. Changes are classified into two types:
12.1 Material Changes
Changes are considered material when they involve: (i) a new processing purpose; (ii) a new category of data collected; (iii) new sharing with third parties; or (iv) a change in the applicable legal basis. Such changes will be communicated with a minimum notice of 30 (thirty) days by email, requiring express consent from the User (opt-in) to continue using the Platform.
12.2 Non-Material Changes
Changes in wording, clarifications, or corrections that do not alter the scope of processing will be communicated with a minimum notice of 15 (fifteen) days by email. Continued use of the Platform after the changes take effect implies tacit acceptance.
The current version of this Policy will always be available at docs.carrot.eco/legal/privacy-policy.
13. Version History
| Version | Date | Responsible | Main Changes |
|---|---|---|---|
| 1.0 | March/2026 | Legal and Tech Carrot Fndn | Initial Version |
14. Glossary
| Term | Definition |
|---|---|
| TRC | Tokenized Recycling Credit — a tokenized recycling credit representing 1 ton of verified recycled material. |
| TCC | Tokenized Carbon Credit — a tokenized carbon credit representing avoided emissions. |
| MassID | A unique digital asset representing a physical waste batch, tracking its provenance and chain of custody on the blockchain. |
| ProductID | A digital product identifier used to track the composition of post-consumer materials and recyclability. |
| dMRV | Digital Measurement, Reporting & Verification — a digital process for measuring, reporting, and verifying environmental gains. |
| MTR | Manifesto de Transporte de Resíduos — a Brazilian regulatory document (Res. CONAMA nº 313/2002). |
| Network Integrator | A third-party platform integrated with the Carrot API to record chain-of-custody events; acts as a Subprocessor under art. 39 of the LGPD. |
| KYC/KYB | Know Your Customer / Know Your Business — a process for verifying the identity of natural persons and legal entities. |
| DPO | Data Protection Officer — responsible for data protection at Carrot Fndn. Contact: legal@carrot.eco. |
| SCCs | Standard Contractual Clauses — approved clauses for international transfers of personal data. |
| FDPIC | Federal Data Protection and Information Commissioner — Switzerland's data protection supervisory authority (www.edoeb.admin.ch). |
| revDSG | Revised Swiss Federal Act on Data Protection, in force since September 1, 2023. |
| DPIA | Data Protection Impact Assessment — an internal document that records processing activities based on legitimate interest. |
| DPA | Data Processing Agreement — an agreement executed between Carrot Fndn and sub-processors and Subprocessors. |
| VASP | Virtual Asset Service Provider — a regulatory category created by Lei nº 14.478/2022, subject to supervision by the Central Bank of Brazil. |
| AML/CFT | Anti-Money Laundering / Counter-Financing of Terrorism — prevention of money laundering and terrorism financing. |
Legal inquiries: legal@carrot.eco · Operational support: operations@carrot.eco
This document supersedes all previous versions of the Carrot Platform Usage Agreement.