Prividium Privacy Policy
Last Updated: 25th of March, 2026
1. Who We Are and How This Policy Applies
This Privacy Policy describes how Matter Labs Technologies, Inc. ("ML US"), a Delaware corporation, and Matter Labs Cayman ("ML Cayman"), a Cayman Islands company (together, "Matter Labs," "we," "us," or "our"), collect, use, share, and protect personal data in connection with the Prividium platform.
Prividium is an enterprise blockchain platform designed for institutional operators. ML US licenses the Prividium technology. ML Cayman provides managed services, including managed hosting, technical support, maintenance, and settlement wallet operations.
This Privacy Policy applies to:
- Prividium websites and related documentation, APIs, and developer resources (the "Site");
- Representatives and personnel of our enterprise clients and prospective clients ("Client Contacts"); and
- Individuals whose personal data we process on behalf of enterprise clients in connection with our Managed Services offering ("End Users"), where applicable law requires us to provide direct privacy information to those individuals.
What this policy does not cover. When an enterprise client operates a Prividium chain, whether self-hosted or through our Managed Services, that institution is the data controller for the personal data of its own end users — including KYC/KYB data, transaction records, and authentication data processed on that chain. In those circumstances, the enterprise client's own privacy policy applies. If you are an end user of a Prividium-powered service offered by a bank, asset manager, or other institution, please refer to the privacy policy of that institution. Our processing as a data processor on their behalf is governed by our Data Processing Agreement with that client.
In limited circumstances, Matter Labs may act as a joint controller with an enterprise client, for example where we make independent decisions about certain technical processing activities (such as settlement wallet operations). Where joint controllership applies, it will be documented in the relevant contractual arrangements between Matter Labs and the enterprise client, and this Privacy Policy will apply to Matter Labs' portion of that processing.
Our EU establishment and lead supervisory authority. Matter Labs is established in the European Union through personnel located in Malta, the Netherlands, and Poland. Our lead supervisory authority under the GDPR is the Office of the Information and Data Protection Commissioner in Malta. Data subjects may also lodge complaints with the supervisory authority in their country of residence or place of work.
2. Personal Data We Collect
2.1 Site Visitors
The Site is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
| Category | Examples | How Collected |
|---|---|---|
| Device and usage data | IP address, browser type and version, operating system, device identifiers, pages visited, referring URLs, session duration, clickstream data | Automatically via cookies, server logs, and analytics tools |
| Contact form data | Name, email address, company name, job title, message content | Provided by you when submitting an inquiry |
2.2 Client Contacts
| Category | Examples | How Collected |
|---|---|---|
| Business contact information | Name, business email address, phone number, job title, employer name | Provided during sales, onboarding, contract negotiation, or account setup |
| Account and access credentials | Username, role assignments, authentication tokens (via Okta SSO or Sign-in With Ethereum), JWT session data | Generated through platform access and authentication |
| Communications | Correspondence, support tickets, meeting notes, feedback | Provided during the business relationship |
| Billing information | Invoicing details, billing address, payment contact | Provided during contract execution |
2.3 Data Processed Through the Managed Services
When enterprise clients use ML Cayman's Managed Services, the following categories of personal data may be processed within the client's Prividium chain infrastructure. Matter Labs processes this data as a data processor on the client's instructions. For self-hosted deployments, all of this data resides entirely within the enterprise client's own infrastructure and Matter Labs has no access to it.
| Category | Examples |
|---|---|
| KYC/KYB identity verification data | Names, addresses, identification document details |
| Wallet addresses and counterparty identifiers | Wallet addresses linked to authenticated users via Okta SSO or SIWE |
| Financial transaction records | Account balances, position data, trade information, transaction history |
| Authentication data | SSO tokens, JWT session tokens, user permissions |
| Access control data | Role-based access assignments, permission parameters, user provisioning records |
| Audit logs | System access records, transaction audit trails |
2.4 Data on Public Networks
Prividium operates as a Validium. Only cryptographic commitments (state roots and zero-knowledge proofs) are posted to the Ethereum blockchain. No transaction inputs, wallet addresses, calldata, or other personal data is visible or inferable from the public chain. Consistent with the European Court of Justice's ruling in EDPS v SRB (Case C-413/23), where reassociation of pseudonymised data is technically infeasible for a recipient, such data does not constitute personal data for that recipient. On that basis, the zero-knowledge proofs posted to Ethereum should not constitute personal data for any party other than the controlling enterprise client.
Cross-chain interoperability between Prividium chains uses a decentralized model in which transaction data flows directly between the originating chain and the token-issuing chain. Matter Labs does not operate a centralized gateway and does not handle, route, or store interoperability transaction data.
3. Why We Process Your Data and Our Legal Bases
| Purpose | Categories of Data | Legal Basis (GDPR Art. 6(1)) |
|---|---|---|
| Operating the Site and responding to inquiries | Site visitor data, contact form data | Legitimate interest in providing information about our products and responding to prospective clients (Art. 6(1)(f)) |
| Sales, onboarding, and relationship management | Client Contact data | Performance of a contract or steps prior to entering into a contract (Art. 6(1)(b)); legitimate interest in managing client relationships (Art. 6(1)(f)) |
| Providing and operating the Prividium platform, including account administration and authentication | Account and access credentials | Performance of a contract (Art. 6(1)(b)) |
| Providing Managed Services on behalf of enterprise clients | Data processed through Managed Services (as processor) | Processing is performed on the client's instructions under a Data Processing Agreement; the client determines the applicable legal basis for its end users |
| Technical support and troubleshooting | Client Contact data, technical logs | Performance of a contract (Art. 6(1)(b)); legitimate interest in maintaining platform reliability (Art. 6(1)(f)) |
| Security monitoring, fraud prevention, and abuse detection | Device and usage data, access logs | Legitimate interest in protecting the platform, our clients, and their end users (Art. 6(1)(f)) |
| Billing and invoicing | Billing information | Performance of a contract (Art. 6(1)(b)) |
| Compliance with legal obligations | As applicable | Legal obligation (Art. 6(1)(c)) |
| Website analytics and product improvement | Device and usage data | Legitimate interest in understanding usage patterns and improving our products (Art. 6(1)(f)); consent where required by ePrivacy laws |
| Marketing communications | Client Contact data | Consent (Art. 6(1)(a)) where required; legitimate interest for existing client relationships (Art. 6(1)(f)) with opt-out available |
4. How We Share Personal Data
We share personal data only in the following circumstances:
Service providers and sub-processors. We engage third-party providers for hosting, analytics, authentication, customer relationship management, and communication tools. These providers process data on our behalf under written agreements that require them to protect personal data and use it only as instructed. A current list of sub-processors for Managed Services is available at https://www.zksync.io/prividium/privacy/subprocessors or upon request.
Enterprise clients. Where we act as a processor under Managed Services, we process data on the enterprise client's instructions and share data with them as the controller directs.
Professional advisors. We may share data with legal counsel, auditors, and consultants as necessary for the operation of our business, subject to confidentiality obligations.
Legal and regulatory requirements. We may disclose data to comply with applicable laws, regulations, court orders, or enforceable governmental requests, or to establish, exercise, or defend legal claims.
Business transfers. In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred to the successor or acquiring entity. We will notify affected individuals before their data is subject to a different privacy policy.
Cross-chain interactions. When end users initiate deposits to or withdrawals from a Prividium chain that interacts with public blockchain networks, the transaction data submitted to the public network becomes visible on that network. All other Prividium state data remains private within the enterprise client's infrastructure.
5. International Transfers
Matter Labs operates globally, and personal data collected in the European Economic Area ("EEA"), the United Kingdom, or Switzerland may be transferred to and processed in countries outside those regions, including the United States and the Cayman Islands.
Where such transfers occur, we implement appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission, or the UK International Data Transfer Agreement / Addendum, as applicable;
- Transfer impact assessments where required; and
- Supplementary technical and organizational measures, including encryption in transit and at rest, access controls, and pseudonymization.
For Managed Services deployments, Prividium's Validium architecture provides an inherent safeguard: personal data in the private chain state is stored in the enterprise client's chosen infrastructure and jurisdiction. Only cryptographic proofs, which do not constitute personal data for third parties, are posted to Ethereum's globally distributed network.
Certain jurisdictions in which Prividium may be deployed impose data localization requirements (including China's Personal Information Protection Law, Data Security Law, and Cybersecurity Law). Where applicable, data localization compliance is addressed on a client-by-client basis in the relevant contractual arrangements and local hosting configurations.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law.
| Category | Retention Period |
|---|---|
| Site visitor data (analytics) | In accordance with our cookie settings and applicable ePrivacy law |
| Client Contact information | Duration of the contract plus 7 years after termination, unless longer retention is required by law |
| Account and access credentials | Duration of the account plus 12 months after closure or deactivation |
| Support communications | 3 years from resolution |
| Billing and invoicing records | As required by applicable tax and commercial law (typically 7 years) |
| Marketing contact data | Until consent is withdrawn or opt-out is exercised, plus a suppression list entry to honor the opt-out |
For data processed as a processor under Managed Services, retention is governed by the enterprise client's instructions and our Data Processing Agreement. Upon termination of a Managed Services engagement, we will return or delete client personal data in accordance with the terms of that agreement within 30 days.
Retention periods listed above are subject to legal holds, contractual obligations, and backup retention schedules as described in our Data Retention Policy. Data subject to a legal hold will be isolated and retained until the hold is lifted. Data in backup systems will age out in accordance with our backup retention schedule.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These include:
- Encryption of data in transit (TLS) and at rest;
- Role-based access controls and the principle of least privilege;
- Authentication through enterprise-grade identity providers (Okta SSO, Sign-in With Ethereum);
- Proxy RPC architecture that validates user permissions before any on-chain operation is executed;
- Regular security assessments and independent audits of the Prividium technology stack;
- Annual penetration testing by independent third parties; and
- Incident response procedures, including personal data breach detection, containment, and notification protocols.
Prividium's zero-knowledge proof architecture provides a layer of privacy by design: cryptographic proofs verify computational integrity without exposing the underlying transaction data.
8. Your Rights
Client Contacts and their authorized personnel have rights under Applicable Data Protection Law with respect to their personal data, including rights of access, rectification, erasure, restriction, portability, and objection. To exercise any of these rights, contact us at privacy@matterlabs.dev. We will respond within one month. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months with prior notice.
If we process your personal data as a processor on behalf of an enterprise client, please direct your request to that enterprise client. We will assist them in responding as required by applicable law and our Data Processing Agreement.
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Office of the Information and Data Protection Commissioner in Malta. You may also lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement.
9. Cookies and Local Storage
The Prividium Site uses strictly necessary cookies required for the Site to function. These cannot be disabled.
The Prividium SDK, used by enterprise clients to integrate with the platform, stores authentication tokens (JWT) in browser local storage to maintain session state. The SDK includes CSRF protection and automatic token expiration validation. This storage occurs within the enterprise client's application environment and is governed by the client's own privacy and security policies.
10. Contact Us
For questions about this Privacy Policy, our data practices, or to exercise your data subject rights:
Matter Labs Technologies, Inc. 228 Park Ave S, New York, NY 10003, USA Email: privacy@matterlabs.dev
Matter Labs Cayman 190 Elgin Avenue, George Town, Grand Cayman KY1-9008, Cayman Islands Email: privacy@matterlabs.dev
Lead Supervisory Authority: Office of the Information and Data Protection Commissioner Level 2, Airways House, High Street, Sliema SLM 1549, Malta https://idpc.org.mt
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Client Contacts of material changes by email or through the platform before they take effect. The "Last Updated" date at the top indicates when the most recent revision was made.