This Privacy Policy governs the collection, use, disclosure, storage, and protection of Personal Data by Mālama Labs Inc., a Delaware corporation (“Mālama,” “Company,” “we,” “us,” or “our”). By accessing or using Mālama services, you acknowledge that you have read and understood this Privacy Policy.
Mālama Labs Inc. acts as the Controller of Personal Data unless otherwise specified.
This Policy applies to all Personal Data collected through:
- Websites and launch platforms operated by Mālama.
- Hex Node sales, reservations, and deployments.
- Applications, dashboards, APIs, and developer tools.
- Customer support and communications.
- Token-enabled or blockchain-integrated features.
- Any related online or offline interactions.
8 The Green, Suite A
Dover, Delaware 19901
United States
We collect Personal Data proportionate to the nature of your interaction with our systems.
Identity Data
Name, username, organization, role, and where required, identity verification documentation.
Contact Data
Email address, phone number, billing and shipping address, and communication records.
Financial and Transaction Data
Purchase records, payment metadata (processed via third-party payment processors such as Stripe or equivalent), wallet addresses, and blockchain transaction identifiers.
Technical Data
IP address, device identifiers, operating system, browser type, session logs, and diagnostic data.
Profile Data
Account credentials, preferences, node ownership status, participation history, and support interactions.
Usage Data
Behavioral interaction data such as page views, clicks, feature usage, and session analytics.
Node and Infrastructure Data
- Node registration and hardware identifiers, including Device DID.
- Deployment metadata and geographic hex cell assignment.
- Telemetry and uptime data.
- Environmental measurement data.
- Approximate geolocation (H3 hex cell resolution — see disclosure below).
- Signed sensor outputs and verification data.
Geolocation is published on-chain by design. The H3 hex cell associated with each Hex Node License is published to the Cardano, Hedera, and/or Base blockchain as required to enforce geographic exclusivity and anchor signed sensor readings to their claimed location.
H3 hex cells provide approximate geographic location (not precise coordinates). Because blockchain records are immutable and globally readable, the hex-cell association cannot be deleted, reversed, or restricted after it is recorded on-chain, even in response to a data-subject deletion request.
If you do not wish the approximate geographic area of your node to be publicly associated with your license, do not operate a Hex Node.
Blockchain Data
- Public wallet addresses.
- Smart contract interactions on Cardano, Hedera, and Base.
- Token holdings or reward eligibility indicators.
- On-chain transaction history.
Blockchain data is inherently public and immutable. Mālama does not control third-party access to such data.
Aggregated Data
We may generate anonymized, aggregated datasets for system optimization, network research, and operational reporting. Aggregated data does not identify individuals and is not considered Personal Data under applicable law.
We process Personal Data under one or more of the following legal bases under applicable law, including GDPR Article 6:
| Basis | When we rely on it |
|---|---|
| Performance of contract | Fulfilling node orders, processing reservations, operating accounts, and providing the core Services you have requested. |
| Legal obligation | Complying with applicable law, tax obligations, sanctions screening, law enforcement cooperation, and regulatory reporting requirements. |
| Legitimate interests | Operating and improving the Network, fraud prevention, security monitoring, abuse prevention, and business analytics — balanced against your rights and interests. Records of our Legitimate Interests Assessments are available on request. |
| Consent | Marketing communications to EU/EEA/UK residents, and any other processing where we have explicitly requested and obtained your consent. Consent may be withdrawn at any time without affecting prior processing. |
| Purpose | Activities & lawful basis |
|---|---|
| Service Delivery | Account creation and management, node provisioning and registration, order fulfillment and logistics. Basis: Contract. |
| Transaction Processing | Payments, billing, refunds, fraud screening, tax reporting. Basis: Contract; Legal obligation. |
| Network Operations | Device authentication, sensor validation and telemetry monitoring, reward calculations, MRV system integrity and auditability. Basis: Contract; Legitimate interests. |
| Communications | Transaction notifications, technical updates, security alerts, customer support. Basis: Contract; Legitimate interests. |
| Product Improvement | Analytics, performance monitoring, debugging, and system optimization. Basis: Legitimate interests. |
| Legal Compliance | Regulatory reporting, sanctions screening, law enforcement cooperation. Basis: Legal obligation. |
| Rights Protection | Enforcement of agreements, dispute resolution, abuse prevention. Basis: Legitimate interests; Legal obligation. |
| Marketing | Product announcements and updates to existing users (opt-out available at any time). For EU/EEA/UK residents: marketing communications require your prior consent and will only be sent where consent has been obtained. Basis: Legitimate interests (non-EU); Consent (EU/EEA/UK). |
We use cookies and similar technologies on our websites and applications. Cookies fall into the following categories:
| Category | Purpose & consent |
|---|---|
| Strictly necessary | Session management, authentication, security, and core site functionality. Cannot be disabled without breaking the Services. Consent: Not required (exempt). |
| Functional | Storing your preferences (language, display settings) and maintaining user state. Consent: Varies by jurisdiction. |
| Analytics | Understanding how users interact with the Services, measuring traffic and performance, and improving functionality. Consent: Required (EU/EEA/UK). |
| Marketing | Tracking interactions to serve relevant communications. We do not use third-party advertising networks. Consent: Required where applicable. |
You may control non-essential cookies through your browser settings, our cookie preference manager where available, or applicable platform-level controls. Functional and analytics cookies are retained for up to 13 months unless you withdraw consent or clear them earlier.
We disclose Personal Data only where necessary and have entered into data processing agreements (DPAs) with service providers acting as processors on our behalf, as required by GDPR Article 28 and applicable equivalents.
| Recipient | Examples |
|---|---|
| Service providers (processors) | Cloud hosting, analytics, payment processors, logistics, CRM, identity verification. All engaged under DPAs. |
| Professional advisors | Legal, accounting, audit, insurance, and compliance providers — bound by confidentiality obligations. |
| Ecosystem partners | Hardware manufacturers, environmental registry partners, infrastructure operators, and data verification entities — engaged under appropriate agreements. |
| Authorities | Regulators, courts, and law enforcement where legally required or permitted. |
| Corporate transactions | Acquirers, successors, or financing parties in the event of a merger, acquisition, restructuring, or financing. |
| Blockchain networks | Certain data is permanently recorded on public Cardano, Hedera, and/or Base networks and is accessible globally and indefinitely. |
We do not sell Personal Data for monetary consideration. We do not share Personal Data for cross-context behavioral advertising purposes.
We implement commercially reasonable safeguards, including encryption where applicable, access control frameworks, secure key management, monitoring and logging systems, and vendor security assessments.
No system, including blockchain or IoT infrastructure, is fully secure. Users assume inherent technological risks associated with decentralized networks, hardware devices, and wallet self-custody.
Data may be processed in the United States and other jurisdictions. Where we transfer Personal Data outside the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing adequate protection, we implement appropriate safeguards including Standard Contractual Clauses approved by the European Commission, or equivalent mechanisms.
Distributed systems — including Cardano, Hedera, Base, and cloud infrastructure — may involve global data propagation. Public blockchain data is accessible worldwide by construction and cannot be restricted by geographic transfer limitations.
| Data type | Retention period |
|---|---|
| Transaction and account data | 7 years from the date of transaction or account closure, unless a longer period is required by applicable law or a legal hold is in effect. |
| Support and communication records | 3 years from the close of the relevant matter, or as required for dispute resolution. |
| Technical logs and diagnostic data | Up to 12 months for operational and security purposes, unless required longer for an ongoing investigation. |
| Marketing consent records | Retained for the duration of the relationship and for 3 years thereafter to demonstrate consent compliance. |
| Blockchain and on-chain data | Indefinite — blockchain data is immutable and cannot be deleted by Mālama or anyone else. |
| Aggregated and anonymized data | Indefinite — not Personal Data once genuinely anonymized. |
When data is no longer required, we delete, anonymize, or archive it securely in accordance with applicable legal requirements.
Subject to applicable law and the limitations described below, you may request to access, correct, delete, restrict processing of, or receive a portable copy of your Personal Data, and to withdraw consent or opt out of marketing at any time. To exercise any right, contact privacy@malamalabs.com.
Blockchain records — including on-chain hex cell assignments, wallet addresses, transaction history, and SaveCard data — cannot be altered or deleted by Mālama or any other party.
Legal, contractual, and regulatory obligations may also prevent deletion or restrict processing of certain data. Identity verification is required before we can fulfill data-subject requests.
11.1 · EU/EEA, UK, and Swiss residents (GDPR / UK GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation or equivalent UK/Swiss law:
| Right | Description |
|---|---|
| Access | To your Personal Data (Article 15). |
| Rectification | Of inaccurate data (Article 16). |
| Erasure | “Right to be forgotten,” subject to the on-chain immutability limitation above (Article 17). |
| Restriction | Of processing in specified circumstances (Article 18). |
| Data portability | Where processing is automated and based on contract or consent (Article 20). |
| Objection | To processing based on legitimate interests (Article 21). |
| Withdrawal of consent | At any time where processing is consent-based, without affecting prior processing (Article 7). |
You have the right to lodge a complaint with your local Data Protection Authority at any time.
Mālama will notify the competent supervisory authority of any Personal Data breach that poses a risk to rights and freedoms within seventy-two (72) hours of becoming aware, as required under GDPR Article 33.
Where a breach is likely to result in a high risk to your rights and freedoms, Mālama will also notify affected individuals directly without undue delay, as required under GDPR Article 34, unless an exemption applies.
EU/UK Representative. Mālama is in the process of designating an EU/UK representative as required by GDPR Article 27 and UK GDPR Article 27. Until this designation is complete, direct all EU/UK data protection inquiries to privacy@malamalabs.com with subject line “GDPR Request.” Mālama will not commence active marketing to EU/EEA/UK residents at scale prior to completing this designation.
11.2 · California residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Know what Personal Information is collected, used, shared, or sold.
- Delete Personal Information collected from you, subject to certain exceptions.
- Correct inaccurate Personal Information.
- Opt out of the sale or sharing of Personal Information for cross-context behavioral advertising.
- Limit the use and disclosure of sensitive Personal Information.
- Non-discrimination for exercising these rights.
Mālama does not sell Personal Information for monetary consideration. Mālama does not share Personal Information for cross-context behavioral advertising. Mālama does not knowingly sell or share the Personal Information of consumers under 16.
To exercise a CCPA/CPRA right: email privacy@malamalabs.com with subject line “CCPA Request,” your full name, California residency address, and the specific right you wish to exercise. We will respond within forty-five (45) days and may extend by an additional forty-five (45) days with notice, as permitted by law.
11.3 · Other U.S. state privacy laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another U.S. state with a comprehensive privacy law, you may have rights substantially similar to those described in Section 11.2. Contact us at privacy@malamalabs.com with subject line “State Privacy Request” and identify your state of residence.
Our Services are not intended for individuals under 18. We do not knowingly collect Personal Data from anyone under 18. If we become aware that we have collected Personal Data from a minor without appropriate authorization, we will take prompt corrective action, including deletion where possible and permitted by applicable law.
Due to the nature of Mālama’s infrastructure:
- Sensor data may be cryptographically signed and permanently recorded on public blockchains (Cardano, Hedera, Base).
- Environmental measurement data produced by your node — including SaveCards used in carbon credit verification and AI compute energy attestation — may be used in regulatory, financial, or carbon market contexts by third parties.
- Blockchain entries cannot be modified or erased by Mālama or any other party.
- Third parties may independently analyze or derive insights from public blockchain data.
- Geographic hex cell assignments are public and permanent once recorded on-chain.
Users acknowledge and accept these characteristics as a condition of operating a Hex Node or participating in the Network.
To the maximum extent permitted by law:
- Mālama is not liable for third-party access to, use of, or analysis of public blockchain data.
- Mālama does not guarantee anonymity in decentralized systems — public wallet addresses and on-chain activity may be linkable to individuals by third parties using blockchain analytics.
- Mālama is not responsible for privacy breaches arising from your own negligence, wallet compromise, private key loss, or failures in external infrastructure not operated by Mālama.
We may update this Privacy Policy periodically. When we make material changes, we will update the “Last Updated” date at the top of this page and, where required by law or where we have your contact information, provide notice by email or prominent website announcement. Continued use of the Services after revised terms become effective constitutes acceptance of the updated Policy.
This Privacy Policy is governed by the laws of the State of Delaware, without regard to conflict of law principles, except to the extent superseded by applicable federal law or mandatory data protection law in the user’s jurisdiction (including GDPR for EU/EEA/UK residents).
| Term | Definition |
|---|---|
| Personal Data | Information that identifies or can reasonably be linked to an identified or identifiable natural person, as defined by applicable law including GDPR and CCPA. |
| Controller | Entity that determines the purposes and means of processing Personal Data. Mālama Labs Inc. is the Controller for Personal Data collected through its Services. |
| Processor | Entity that processes Personal Data on behalf of the Controller. Mālama’s service providers acting on written instructions under a DPA. |
| Blockchain Data | Public, immutable ledger data recorded on Cardano, Hedera, Base, or other blockchain networks. |
| DPA | Data Processing Agreement — a written agreement between Controller and Processor governing the terms of processing as required by GDPR Article 28. |
| LIA | Legitimate Interests Assessment — a balancing test conducted to document that Mālama’s legitimate interests are not overridden by data-subject rights when relying on the legitimate interests lawful basis. |
| H3 Hex Cell | A geographic area defined by Uber’s H3 geospatial indexing system. H3 hex cells used in the Mālama network provide approximate location, not precise GPS coordinates. |
| SaveCard | A cryptographically signed, on-chain environmental data record produced by Mālama sensor infrastructure and validated by Hex Nodes. |
Use the routing below so requests reach the correct handler under the applicable framework. Identity verification is required before fulfillment.
Mālama Labs, Inc. · Privacy Policy · Effective April 11, 2026 · Last Updated April 28, 2026 (v2)
Questions: privacy@malamalabs.com · 8 The Green, Suite A, Dover, Delaware 19901.