VANTA TRADING CHALLENGE PRIVACY POLICY

Vanta Trading and Hyperscaled Unified Privacy Policy

Effective Date: March 27, 2026

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Taoshi VT Services, a Cayman Islands exempted company with limited liability ("Vanta," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you access or use the Vanta Trading Challenge, the Hyperscaled Challenge, our websites, interfaces, browser extensions, dashboards, APIs, and related services, including the applicable Scaled Trader Program(s) where relevant (collectively, the "Platform"). This Policy applies to all visitors, users, and participants ("you" or "your").

By accessing or using the Platform, creating an account, linking or registering a wallet or other supported-venue identifier, installing or using a Vanta browser extension, or paying a Challenge Entry Fee, you acknowledge that you have read and understood this Policy. This Policy is not a contract that requires your agreement. Where we rely on your consent as a legal basis for processing (such as for non-essential cookies or direct marketing communications in certain jurisdictions), we obtain that consent separately, and you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

This Policy should be read together with the applicable Terms of Service and, if you are invited into a Scaled Trader Program, the applicable Independent Contractor Agreement ("ICA"). Capitalized terms not defined in this Policy have the meanings assigned in the applicable Terms of Service or ICA, as the context requires.

2. Data Controller

For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws, the controller of your personal information is:

Taoshi VT Services
Cayman Islands Exempted Company
Email: support@vantatrading.io
Address: PO Box 144, 3119 9 Forum Lane, Camana Bay, George Town, Grand Cayman KY1-9006, Cayman Islands

We have not appointed a Data Protection Officer ("DPO"). If a DPO is appointed in the future, their contact details will be published here. We have not appointed an EU or UK representative under Article 27 GDPR / UK GDPR. If such appointment becomes required, we will update this Policy accordingly.

3. Information We Collect

We collect information in several categories depending on your level of engagement with the Platform. Not all categories apply to all users, and certain data is collected only at specific stages of participation.

Core Account Data (Collected at Signup)

When you create an account, register for a Challenge, or link a wallet or other supported-venue identifier, we may collect:

  • Email address
  • Full name, display name, username, and, where applicable, your Registered Wallet address or other supported-venue identifier
  • Account credentials (passwords are stored in hashed form; we also maintain authentication and security logs)
  • IP address, device type, browser information, operating system, and application or extension version information where applicable
  • Usage data, including login timestamps, platform activity, session duration, dashboard or browser-extension interaction logs, and related diagnostic or security logs

Trading and Performance Data

We collect data related to your simulated trading activity and, for Hyperscaled or other supported-venue products, qualifying trading activity that is mirrored, copied, translated, or otherwise evaluated for Challenge or Program purposes, including:

  • Simulated trading activity, mirrored or translated activity, order history, position data, and related wallet-linked or supported-venue activity records
  • Profit and loss (PnL), returns, drawdowns, validated simulated performance, and other risk metrics
  • Strategy behavior, execution logs, trading patterns, timestamps, instrument selection, and integrity or anti-abuse signals
  • Evaluation results, scoring, eligibility status, Pass/Fail determinations, scaling status, and related review notes

Payment and Billing Data

When you pay a Challenge Entry Fee or make other transactions through Vanta Trading or Hyperscaled, we may collect:

  • Billing name and billing address, where applicable to the payment method used
  • Transaction history, invoice records, wallet addresses used for payment or payout, blockchain transaction hashes, chain/network, token type, amount, timestamps, and payment or payout status, as applicable

For Vanta Trading, credit and debit card details are processed directly by our third-party payment processor (currently Stripe or a comparable provider) and are not stored on our servers. We receive only limited payment details such as tokenized references, last four digits, and transaction confirmations.

For Hyperscaled and other on-chain payment flows, we do not receive or store private keys or seed phrases, but we may receive and record blockchain payment details associated with your transaction, and those transactions may also be publicly visible on the relevant blockchain or network.

Post-Challenge, Payout, and KYC Data (Conditional)

If you pass a Challenge and become eligible for an invitation to a Scaled Trader Program or otherwise become payout-eligible, we may collect additional information as part of Know Your Customer ("KYC") and Anti-Money Laundering ("AML") compliance procedures. This data is collected only from payout-eligible individuals or where otherwise required for compliance, fraud prevention, or onboarding. Such data may include:

  • Government-issued identification (e.g., passport, driver's license)
  • Date of birth
  • Residential address
  • Nationality, tax residency, and related tax or beneficial-ownership information, as applicable
  • Bank account details or cryptocurrency payout wallet address, depending on the payout rail used
  • Results of compliance screening (including identity verification, liveness, sanctions, AML, fraud-prevention, and related compliance checks, as applicable)

Government-issued identification, date of birth, and bank account details are sensitive personal information under certain privacy laws. We use this information only for the purposes described in Section 4 and do not use or disclose it for purposes beyond what is reasonably necessary for compliance, fraud prevention, onboarding, and payout administration.

We may use third-party service providers such as Stripe Connect or Sumsub to conduct identity verification and compliance checks. Depending on the flow, we may collect this information directly or the applicable provider may collect it on our behalf subject to its own terms and privacy notice.

Communications Data

If you contact us for support or otherwise communicate with us, we may collect:

  • Support tickets and email correspondence
  • Communications through integrated platforms such as Discord or Slack, to the extent initiated by you

Automatically Collected Technical Data

We automatically collect certain technical information when you visit or use the Platform, including our websites, dashboards, and browser extensions, where applicable:

  • IP address and approximate geolocation
  • Browser type and version, device type, operating system, and application or extension version information where applicable
  • Referring URLs, pages viewed, clickstream data, and interaction data across our websites, dashboards, or extensions
  • Cookies, pixel tags, and similar tracking technologies (see Section 8 below)

4. How We Use Your Information

We use the information we collect for the following purposes:

Account Administration

To create and manage your account, authenticate your identity or wallet linkage, maintain account security, and communicate with you about your account and the Platform.

Challenge and Program Operations

To register you for Vanta Trading or Hyperscaled Challenges, monitor and evaluate simulated trading activity, record qualifying supported-venue or wallet-linked activity where applicable, calculate performance metrics, administer Challenge Rules and Program Rules, and determine eligibility or status.

Scaled Trader Program Administration

To onboard traders who are invited to a Scaled Trader Program, administer ICA-related operations, validate simulated performance, calculate eligibility for service compensation, and manage payout administration.

Payment Processing

To process Challenge Entry Fees and on-chain fee payments, issue invoices, manage disputes, refunds, or corrective actions where applicable, and maintain billing, accounting, tax, and transaction records.

KYC/AML Compliance

To verify your identity, confirm eligibility, conduct required compliance checks, and manage sanctions, AML, fraud-prevention, and related controls where required by Applicable Law or reasonably necessary for program integrity.

Platform Improvement and Analytics

To analyze usage patterns, diagnose technical issues, improve Platform functionality, and develop new features.

Security and Fraud Prevention

To detect, investigate, and prevent fraudulent activity, unauthorized access, abuse of the Platform, wallet compromise, prohibited conduct, multi-accounting, strategy cloning or correlation, and violations of the applicable Terms of Service, Challenge Rules, ICA, or Program Rules.

Legal Compliance

To comply with Applicable Law, respond to legal process, enforce our agreements, and protect our rights and the rights of third parties.

Communications

To send you transactional messages (e.g., account confirmations, Challenge status updates, payment receipts, payout notices, and security alerts) and respond to your inquiries. Where permitted and, where required by Applicable Law, with your consent, we may also send promotional or informational communications. You may opt out of non-transactional marketing communications at any time.

5. EU/UK Legal Bases and Required Disclosures

If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we process your personal data only where we have a valid legal basis under the GDPR or UK GDPR. The table below summarizes the primary legal bases for our processing activities:

| Processing Purpose | Categories of Data | Legal Basis |
|---|---|---|
| Account administration; Challenge and Program operations | Core account data; trading and performance data; wallet or supported-venue identifiers where applicable | Performance of a contract (Terms of Service and, where applicable, ICA); legitimate interests (service administration and integrity) |
| Payment processing | Payment and billing data | Performance of a contract; compliance with legal obligations (tax and recordkeeping) |
| KYC/AML compliance | Post-challenge / payout / KYC data | Compliance with legal obligations; legitimate interests (platform integrity and fraud prevention) |
| Security and fraud prevention | Core account data; technical data; trading data; wallet or supported-venue data | Legitimate interests (platform security, fraud prevention, program integrity); compliance with legal obligations where applicable |
| Analytics and product improvement | Technical data; usage data | Legitimate interests (service improvement); consent for non-essential cookies where required |
| Marketing communications | Email address; name | Consent where required by law; otherwise, legitimate interests with opt-out |
| Legal compliance and dispute resolution | All categories as relevant | Compliance with legal obligations; legitimate interests (exercising or defending legal claims) |

Legitimate Interests Statement. Where we rely on legitimate interests as a legal basis, our interests include ensuring the security and integrity of the Platform and the Challenge; preventing fraud, abuse, manipulation, multi-accounting, and strategy cloning or correlation; analyzing and improving our services; and exercising or defending legal claims. We balance these interests against your rights and freedoms and do not process personal data where our interests are overridden by the impact on you.

6. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

Service Providers

We share information with third-party vendors and service providers who perform services on our behalf, such as payment processing (including Stripe or comparable providers for applicable Vanta Trading flows), cloud hosting and infrastructure (currently Google Cloud Platform), analytics, KYC/AML and identity verification services (including Sumsub or comparable providers where applicable), customer support tools, and email delivery services. These providers are contractually obligated to use your information only as necessary to provide their services to us and in accordance with this Policy.

Network Participants and On-Chain Data

Because the Platform may interact with decentralized networks, public blockchains, and supported third-party venues, certain activity data (such as registered wallet addresses, trade or position data, performance metrics, and on-chain payment details) may be recorded on, derived from, or visible through those systems in accordance with their protocols. Data recorded on Subnet 8, public blockchains, or similar decentralized systems may be public and may be difficult or impossible to modify, correct, or delete due to the immutable or distributed nature of those systems.

Legal and Regulatory Requirements

We may disclose your information if required to do so by Applicable Law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

In connection with any merger, acquisition, sale of assets, financing, or transfer of all or a portion of our business, your information may be transferred as part of that transaction. We will notify you by email and/or prominent notice on the Platform of any change in ownership or material changes to the use of your personal information.

With Your Consent

We may share your information for other purposes with your express consent.

7. International Data Transfers

Vanta is organized under the laws of the Cayman Islands. Your personal information is primarily stored and processed using Google Cloud Platform infrastructure, which may involve processing in the United States and other jurisdictions where Google Cloud operates data centers. We may also engage additional service providers whose infrastructure is located outside your jurisdiction.

Where your personal information is transferred outside the EEA, the United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place as required by Applicable Law. These safeguards currently include:

  • Google Cloud's Data Processing and Security Terms, which incorporate the Standard Contractual Clauses ("SCCs") approved by the European Commission and the UK International Data Transfer Addendum ("UK IDTA"), as applicable
  • Where we engage other service providers, we rely on SCCs, the UK IDTA, transfers to countries recognized as providing an adequate level of data protection, or other lawful transfer mechanisms as appropriate
  • Additional technical and organizational measures as appropriate to supplement contractual safeguards

You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 15.

8. Cookies and Tracking Technologies

We use cookies, pixel tags, web beacons, and similar tracking technologies to collect information about your interactions with the Platform.

Types of Cookies

  • Strictly Necessary Cookies. These cookies are essential for the Platform to function (e.g., session authentication, security tokens). They cannot be disabled without affecting Platform functionality and do not require your consent.
  • Analytics and Performance Cookies. These cookies help us understand how visitors interact with the Platform, diagnose technical issues, and improve our services.
  • Marketing and Advertising Cookies. If used, these cookies track your activity across sites to deliver relevant advertising.

Consent for Non-Essential Cookies (EU/UK Users)

Where required by Applicable Law (including the ePrivacy Directive and UK PECR), we deploy non-essential cookies (analytics and marketing) only with your prior consent, obtained through our cookie consent banner or preferences center. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Do Not Track

We do not currently respond to "Do Not Track" browser signals. Where available, you may manage your tracking preferences through our cookie preferences center.

9. Data Retention

We retain your personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. Retention periods vary by data category and the legal basis for processing:

  • Account, trading, wallet-linked, and supported-venue data is retained for the duration of your account and for a reasonable period thereafter (generally no longer than three (3) years for audit, compliance, and dispute resolution purposes, unless a longer period is required by Applicable Law).
  • Payment and transaction records are retained as required by Applicable Law, payment-network rules, blockchain or payment recordkeeping requirements, and tax obligations (typically five (5) to seven (7) years).
  • KYC/AML data is retained for the period required by Applicable Law, which may be five (5) years or more following the end of the business relationship.
  • Communications data (support tickets, correspondence) is retained for as long as necessary to resolve the matter and for a reasonable period thereafter for quality assurance and dispute resolution.
  • Usage and technical data is generally retained in aggregated or anonymized form and may be retained indefinitely for analytics purposes. Aggregated or anonymized data that can no longer be linked to an identifiable individual is not considered personal data.

When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention procedures. Public blockchain or decentralized-network data may remain available outside Vanta's control.

10. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information.

General Rights

Subject to Applicable Law, you may have the right to:

  • Access your personal information and obtain a copy of the data we hold about you.
  • Correct inaccurate or incomplete personal information.
  • Delete your personal information, subject to certain exceptions (e.g., legal retention obligations, ongoing disputes).
  • Portability — receive your personal information in a structured, commonly used, machine-readable format.
  • Opt out of non-transactional marketing communications at any time.

Additional Rights for EU/UK Data Subjects

If you are located in the EEA, United Kingdom, or Switzerland, you additionally have the right to:

  • Restrict processing of your personal data in certain circumstances.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the United Kingdom, the CNIL in France, or your relevant national authority in the EEA).

To exercise any of these rights, please contact us using the information in Section 15. We will respond to your request within the time frames required by Applicable Law (generally within thirty (30) days for GDPR/UK GDPR requests). We may need to verify your identity before processing your request.

Blockchain Data Limitation. Please note that data recorded on public blockchains, supported venues, or decentralized networks (including Subnet 8) may be technically impossible to modify, correct, or delete. Your rights under this Section apply to off-chain records maintained by Vanta. We will inform you if a request cannot be fully fulfilled due to on-chain or decentralized-network data limitations.

11. Automated Decision-Making and Profiling

Your Challenge trading activity and, for Hyperscaled or other supported-venue products, qualifying activity from your Registered Wallet or supported venue are evaluated against published performance criteria using automated scoring and analysis systems. These systems calculate metrics such as profit and loss, drawdowns, risk parameters, and integrity signals, which contribute to eligibility determinations (e.g., Pass or Fail).

While initial scoring is automated, significant decisions regarding your Challenge or Program eligibility, including any determination that may result in disqualification for suspected rule violations, payout ineligibility, or other enforcement action, are subject to review and meaningful human involvement before a final outcome is applied.

If you believe an automated decision has been made in error, or if you wish to contest an eligibility determination, you may contact us at the details in Section 15 to request a review.

12. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Policy with information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA").

Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information:

  • Identifiers: name, email address, username, IP address, account credentials, Registered Wallet address, and other account or supported-venue identifiers.
  • Financial information: billing address, transaction history, invoices, on-chain payment details, and payout information. (Payment card data is processed by Stripe or another payment processor and not stored by us.)
  • Internet or network activity: browsing history on the Platform, login data, usage data, cookies, clickstream data, and platform or extension interaction data.
  • Geolocation data: approximate location derived from IP address.
  • Professional or employment-related information: simulated trading performance data, strategy behavior, evaluation results, and program eligibility or payout status.
  • Sensitive personal information (conditional): government-issued ID, date of birth, and, where applicable, bank account details, crypto wallet address, or comparable verification information, collected only from payout-eligible individuals or others requiring enhanced verification for KYC/AML, fraud prevention, or payout administration.

Categories Disclosed for a Business Purpose

We may disclose the following categories to service providers and third parties for business purposes:

  • Identifiers (to payment processors, cloud providers, analytics providers, KYC vendors, support providers, and similar service providers)
  • Financial information (to payment processors, payout providers, and accounting or tax providers where applicable)
  • Internet or network activity (to analytics, security, and infrastructure providers)
  • Sensitive personal information (to KYC/AML verification providers and payment or payout onboarding providers, only for payout-eligible individuals or others who require enhanced verification)

Sale and Sharing

We do not sell personal information as defined by the CCPA/CPRA.

Sensitive Personal Information

We may collect sensitive personal information (government ID, date of birth, bank/crypto details) only from payout-eligible individuals or others who require enhanced verification, and only for the following purposes:

  • Identity verification, KYC/AML compliance, sanctions screening, and fraud prevention as required by Applicable Law or reasonably necessary for program integrity
  • Payout, tax, and onboarding administration under a separate Independent Contractor Agreement or related program documentation

We do not use or disclose sensitive personal information for purposes beyond what is reasonably necessary to provide the services or as otherwise permitted by the CCPA/CPRA.

Your California Rights

As a California resident, you have the right to:

  • Know what categories and specific pieces of personal information we have collected about you.
  • Delete your personal information, subject to certain exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of your personal information (if applicable).
  • Limit the use of sensitive personal information to purposes authorized by the CCPA/CPRA.
  • Non-discrimination. We will not discriminate against you for exercising your privacy rights.

How to Submit a Request

To submit a verifiable consumer request, contact us using the information in Section 15. You may also designate an authorized agent to submit a request on your behalf. If you use an authorized agent, we may require written proof of authorization and may verify your identity directly. We will respond to verified requests within forty-five (45) days, with an extension of up to an additional forty-five (45) days where reasonably necessary, as permitted by law.

Appeal

If we deny your request in whole or in part, you may appeal by contacting us at the details in Section 15 with the subject line "Privacy Appeal." We will respond to your appeal within the time frame required by Applicable Law.

13. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, use, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and employee training. Our primary cloud infrastructure provider (currently Google Cloud Platform) maintains industry-standard certifications including SOC 2 and ISO 27001.

However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials, the security of any Registered Wallet or Payout Wallet you use in connection with the Platform, and any activity that occurs under your account or attributable to your wallet.

14. Children's Privacy

The Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as promptly as practicable. If you believe we have inadvertently collected information from a child under 18, please contact us immediately using the information in Section 15.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, or if you wish to exercise any of your rights described in this Policy, please contact us at:

Taoshi VT Services
Cayman Islands Exempted Company
Email: support@vantatrading.io
Address: PO Box 144, 3119 9 Forum Lane, Camana Bay, George Town, Grand Cayman KY1-9006, Cayman Islands

16. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this Policy and, where required by Applicable Law, provide additional notice (such as email notification or a prominent notice on the Platform). We encourage you to review this Policy periodically. Your continued use of the Platform after a revised Policy takes effect indicates your awareness of the updated practices.

17. Important Clarifications

For the avoidance of doubt, the following clarifications apply to this Policy and the data practices described herein:

No Brokerage or Custodial Accounts

Vanta does not operate brokerage accounts. All trading activity on the Platform during the Vanta Trading Challenge or the Hyperscaled Challenge is simulated. We do not hold custody of client funds, real assets, or securities at any time. In Hyperscaled and similar supported-venue products, you may trade through your own self-custodied account on a supported third-party venue using your own capital, while Vanta monitors qualifying activity on a read-only basis for evaluation or Program purposes.

No Direct Storage of Payment Card Data and Wallet Keys

Full credit or debit card numbers are never stored on our servers. All payment card data is collected and processed directly by our PCI-compliant third-party payment processor for applicable Vanta Trading flows. For Hyperscaled and other on-chain flows, we record transaction and wallet details necessary to administer the Service but do not collect or store private keys or seed phrases.

KYC Data Is Conditional

Government-issued identification, date of birth, nationality, tax residency, and bank or crypto payout details are collected only from individuals who become payout-eligible or otherwise require enhanced verification for compliance, fraud prevention, or onboarding. This data is not collected from general participants unless needed for those purposes.

Optional Data and Wallet Identifiers

Certain data fields (such as full name during the Challenge stage) may be optional. Where data collection is optional, it will be clearly indicated at the point of collection. For Hyperscaled, public wallet addresses and related supported-venue identifiers may function as core account or program identifiers.

On-Chain Data

Certain data submitted to or derived from public blockchains, supported venues, or decentralized networks (including Subnet 8) may become public or effectively immutable. Such data may be beyond Vanta's ability to modify or delete. This limitation is inherent to decentralized systems and public blockchain architecture and is not a result of Vanta's off-chain data handling practices.