Privacy Policy

• Account data: name, email address, password, profile photo, professional bio, skills, and time zone.
• Verification data: government-issued ID, proof of address, date of birth, and tax identification numbers (W-9 / W-8BEN).
• Financial data: wallet addresses, tax forms, and payout preferences.
• Contract data: job descriptions, milestone definitions, deliverable submissions, messages, dispute filings, and review content.
• Support data: any information you share when contacting us.

• Device and log data: IP address, browser type, operating system, device identifiers, referral URLs, pages viewed, and timestamps.
• Cookies and similar tracking technologies — see Section 4.
• Wallet connection metadata when you connect a self-custodial wallet (address, chain ID, connection time).

• Identity verification partners (e.g., Persona).
• Blockchain analytics providers (Chainalysis, TRM Labs): wallet screening results, transaction risk scores, and sanctions-related flags for OFAC compliance.
• Sanctions list providers (OFAC SDN, EU Consolidated, UK OFSI).
• Fraud-prevention services and communications platforms integrated with Zttld.

Government-issued ID images and biometric templates derived from ID verification may constitute "special category" data under the GDPR. We process such data only where it is strictly necessary for identity verification and anti-money laundering compliance, on the legal bases set out in Section 2.5.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 (and, where applicable, Article 9) of the GDPR:

• Performance of a contract (Art. 6(1)(b)): processing required to create your account, match you with counterparties, coordinate escrow milestones, process payouts, and provide support.
• Compliance with a legal obligation (Art. 6(1)(c)): KYC/AML screening, OFAC and UK OFSI sanctions compliance, tax reporting (1099-K), record retention, and responding to lawful requests from authorities.
• Legitimate interests (Art. 6(1)(f)): securing the Platform against fraud and abuse, debugging, improving our services, and defending legal claims. Our legitimate interests are balanced against your rights and freedoms; you may object at any time as described in Section 7.
• Consent (Art. 6(1)(a)): where we ask for it, including for non-essential cookies, optional marketing communications, and processing of sensitive data under Article 9(2)(a). Consent may be withdrawn at any time.
• Substantial public interest / AML (Art. 9(2)(g)): where sensitive data is processed for sanctions screening or anti-money-laundering compliance.

Some aspects of our service involve automated processing that may produce legal or similarly significant effects — in particular:

• Automated sanctions screening of user identities and wallet addresses, which may result in account suspension or declined onboarding.
• Automated risk scoring of transactions for fraud and AML purposes, which may result in additional verification requests or blocked transactions.
• Smart-contract auto-release of milestone payments after the 5-business-day approval window described in the Terms of Service.

These automated decisions are necessary for entering into or performing our contract with you and for compliance with our legal obligations (Article 22(2)(a) and 22(2)(b) GDPR). Where applicable, we apply suitable measures to safeguard your rights, including the right to obtain human intervention, express your point of view, and contest the decision by contacting privacy@zttld.com. A Zttld team member will review the automated outcome and respond to you within a reasonable time.

The Zttld Platform coordinates payments on Base, a public blockchain. Information recorded on-chain — including wallet addresses, transaction amounts, timestamps, and smart-contract state — is permanently public, immutable, and outside our ability to delete or redact. You acknowledge and understand that:

• On-chain records will persist even after you delete your Zttld account.
• Blockchain analytics providers and third parties may associate wallet addresses with other publicly available information.
• Zttld has no technical ability to modify or remove on-chain transaction records.

Off-chain, we store your wallet address and associate it with your account for operations, tax reporting, and compliance.

You can access and update much of your account information directly through your Zttld account settings, or by contacting privacy@zttld.com.

Depending on your state (including California, Colorado, Connecticut, Virginia, Utah, and others), you may have the right to request access, deletion, correction, and portability of your personal data, and to opt out of targeted advertising or certain profiling. California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to conditions and exemptions under applicable law:

• Right of access (Art. 15): obtain confirmation of whether we process your personal data and receive a copy.
• Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
• Right to erasure / "right to be forgotten" (Art. 17): request deletion of data we no longer need. Note that on-chain data cannot be deleted; we will delete off-chain records to the extent permitted by law.
• Right to restrict processing (Art. 18).
• Right to data portability (Art. 20): receive data in a structured, machine-readable format.
• Right to object (Art. 21): object to processing based on our legitimate interests or for direct marketing.
• Right not to be subject to solely automated decisions (Art. 22): as described in Section 3.6, including the right to obtain human review.
• Right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint with your supervisory authority (for example, the UK's Information Commissioner's Office, Ireland's Data Protection Commission, or your local EU authority).

To exercise these rights, contact privacy@zttld.com. We will respond within one month, subject to extensions permitted by the GDPR.

If Zttld becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will:

• Notify the competent supervisory authority (for EU/UK residents, the relevant Data Protection Authority) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, as required by Article 33 GDPR and the UK GDPR.
• Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.
• Provide, in plain language, a description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
• Comply with applicable U.S. state-level breach-notification laws (including California Civil Code §1798.82 and analogous statutes) on their required timelines.

If you believe an account or personal data has been compromised, please contact us immediately at security@zttld.com.

For any question about this Privacy Policy or to exercise your rights, contact:

• Data protection inquiries: privacy@zttld.com
• Security incidents: security@zttld.com
• Registered entity: Zttld Labs LLC, a Delaware Limited Liability Company