Sallar Lite — Privacy Policy

Effective date: 2026-05-16

Last updated: 2026-05-18

Operator / Data controller: Astral Hodling OÜ, Lõõtsa tn 5, 11415 Tallinn, Estonia

1. Scope

This Privacy Policy applies to the Sallar Lite mobile application ("App") and any associated services we make available through the App.

The App may be distributed through third-party application stores, including the Solana dApp Store, Google Play, and the App Store.

This Privacy Policy explains what personal data we collect through the App, how we use it, how long we keep it, with whom we may share it, and what rights you have in relation to your data.

This Privacy Policy should be read together with our Terms of Use.

2. About us

The data controller responsible for the processing of personal data is Astral Hodling OÜ, a company registered in Estonia with its registered office at Lõõtsa tn 5, 11415 Tallinn, Estonia.

For any privacy-related question, request, or complaint, you can contact us at [email protected].

3. Information we collect

When you use the App, we may collect the following categories of data:

App installation and device identifier data, including a device identifier generated by the App at first setup. This is used to recognise the same App installation across sessions and support the basic operation of the service. Lawful basis: performance of a contract under Article 6(1)(b) GDPR.
Optional contact data, including an email address if you choose to provide one for service communication, support, security notices, privacy requests, or legal notices. Providing an email address is optional. Lawful basis: your consent under Article 6(1)(a) GDPR where you voluntarily provide the email address; performance of a contract under Article 6(1)(b) GDPR where communication is necessary to provide the App or respond to your service request; our legitimate interests in service communication and support under Article 6(1)(f) GDPR; or compliance with a legal obligation under Article 6(1)(c) GDPR where applicable.
Pairing data, including pairing status, pairing method, mother node identifier, pairing code metadata, QR pairing metadata, paired-device status, unpairing events, and related timestamps. Lawful basis: performance of a contract under Article 6(1)(b) GDPR and our legitimate interests in service security and integrity under Article 6(1)(f) GDPR.
Diagnostic data, including crash reports, error logs, App version, operating system version, device model, and basic technical metadata needed to troubleshoot and improve the App. Lawful basis: our legitimate interests in operating, maintaining, securing, troubleshooting, and improving the App under Article 6(1)(f) GDPR.
Operational and network participation data, including session start and stop events, basic activity counters, participation status, uptime-related signals, workload status, execution status, runtime responses, workload result metadata, error states, and technical measurements needed to operate, verify, secure, and troubleshoot the App and the network. Lawful basis: performance of a contract under Article 6(1)(b) GDPR where processing is necessary to provide App and network functionality, and our legitimate interests in service operation, security, fraud prevention, and reliability under Article 6(1)(f) GDPR.
Device security and trust data, including hardware attestation status, platform security results, device integrity signals, device-verification results, pairing-verification data, and workload-verification signals where available and implemented. Lawful basis: our legitimate interests in security, fraud prevention, service integrity, and network reliability under Article 6(1)(f) GDPR. We do not use this data to identify you biometrically.
Connection and security log data, including IP address, connection timestamps, request metadata, server logs, security logs, authentication events, and infrastructure events needed to operate, secure, monitor, and protect the App and related backend services. Lawful basis: our legitimate interests in service security, abuse prevention, fraud prevention, and infrastructure reliability under Article 6(1)(f) GDPR.
Support communication data, including messages, requests, verification details, and related correspondence when you contact us for support, account, privacy, or security matters. Lawful basis: performance of a contract under Article 6(1)(b) GDPR, our legitimate interests in handling support and privacy requests under Article 6(1)(f) GDPR, or compliance with a legal obligation under Article 6(1)(c) GDPR where applicable.

We do not knowingly collect special categories of personal data as defined in Article 9 GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, sex life, or sexual orientation.

4. What we do not collect

The App does not collect, process, or transmit:

precise or coarse geolocation;
contacts, calendar entries, SMS, or call logs;
photos, videos, files, or other private content from your device;
payment information or credit card data;
biometric or health data;
microphone audio;
camera images or video content;
advertising identifiers.

Where the camera is used, it is used solely to read a one-time pairing code on-device. Camera images are not stored, uploaded, or transmitted by the App.

The App does not access private files, photos, videos, messages, contacts, browsing history, or personal content stored on your device.

Workloads processed through the App may involve technical, operational, public, synthetic, encrypted, or otherwise limited data selected by us or by authorised network operators. Such workload data is processed only for the intended operation of the App and the network. We may process workload metadata and technical verification data for security, verification, troubleshooting, and service integrity.

5. How we use your information

We use the information we collect to:

provide, operate, and maintain the App;
recognise the same App installation across sessions;
enable device pairing, unpairing, and basic service functionality;
connect your device to a mother node where applicable;
assign, limit, reject, verify, or troubleshoot workloads;
verify device integrity, pairing status, attestation status, and workload execution where available and implemented;
operate, secure, monitor, and maintain the network and related backend services;
detect, prevent, investigate, and respond to fraud, abuse, technical manipulation, unauthorised access, service misuse, or security incidents;
communicate with you about service-related matters, including security notices, updates, support, privacy requests, and legal notices;
improve the reliability, stability, and performance of the App;
comply with applicable legal obligations.

We do not use your information for advertising, behavioural profiling, or automated decision-making that produces legal or similarly significant effects concerning you.

We do not sell or rent your personal information.

We may share your information only where necessary with the following recipients:

hosting, infrastructure, database, storage, security, logging, monitoring, and email service providers acting on our behalf under written contract;
technical providers that help us operate, secure, verify, troubleshoot, or maintain the App, the network, and related backend services;
public authorities, courts, regulators, or law enforcement bodies where required by applicable law;
professional advisers where necessary for legal, compliance, accounting, security, or dispute-resolution purposes;
successors in interest in the context of a merger, acquisition, restructuring, or transfer of business, subject to equivalent privacy protections.

All service providers processing personal data on our behalf are required to follow appropriate confidentiality, security, and data-protection obligations.

We do not share App data with advertising networks, data brokers, or third-party analytics providers.

7. Third-party platforms and operating-system services

The App may be distributed through third-party application stores, including the Solana dApp Store, Google Play, and the App Store.

Solana Mobile, Google, Apple, device manufacturers, and operating-system providers may process certain data independently when you download, install, update, review, or use the App through their platforms or operating systems. Their processing is governed by their own terms and privacy policies.

The App may also rely on platform-level services, operating-system security mechanisms, app-store infrastructure, crash handling, update delivery, device integrity checks, or other technical services provided by the relevant platform vendor or device manufacturer.

This Privacy Policy governs only our processing of personal data through the App and related services operated by us or by service providers acting on our behalf.

8. Where the data lives and how long we keep it

Personal data is primarily processed within the European Economic Area on infrastructure operated by us or by service providers acting on our behalf.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards, including Standard Contractual Clauses issued by the European Commission under Article 46(2)(c) GDPR, or on an adequacy decision adopted under Article 45 GDPR. A copy of the relevant safeguards is available on request.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy:

App installation, profile, and pairing data - for as long as the App installation or related service profile remains active, plus a limited retention period after deletion where necessary for security, fraud prevention, legal, or technical reasons.
Email address - for as long as needed to provide service communication or support, unless you withdraw consent or request deletion, subject to legal or security-related retention requirements.
Diagnostic data - up to 90 days, after which it is deleted or anonymised, unless a longer period is necessary for security investigation, fraud prevention, legal compliance, or dispute resolution.
Operational and network participation data - up to 12 months, after which it is deleted or anonymised, unless a longer period is necessary for workload verification, service integrity, security investigation, fraud prevention, legal compliance, or dispute resolution.
Device security and trust data - for as long as necessary to maintain device trust, pairing integrity, workload verification, security, fraud prevention, and service integrity, and generally no longer than 12 months after the related App profile becomes inactive, unless a longer period is necessary for investigation, legal compliance, or dispute resolution.
Connection and security logs - up to 12 months, unless a longer period is necessary for security investigation, fraud prevention, abuse prevention, legal compliance, or dispute resolution.
Support communication data - for as long as necessary to handle your request and maintain appropriate records of the communication, generally no longer than 24 months after the matter is closed, unless a longer period is required by law or necessary for dispute resolution.
Backup copies - retained only for a limited rolling backup period and are not used for active processing.

9. Your rights

Subject to applicable law, you have the right to:

access the personal data we hold about you under Article 15 GDPR;
request correction of inaccurate or incomplete data under Article 16 GDPR;
request deletion of your data under Article 17 GDPR;
restrict certain processing activities under Article 18 GDPR;
object to processing carried out on the basis of legitimate interest, including direct marketing, under Article 21 GDPR;
receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible, where the conditions under Article 20 GDPR apply;
withdraw consent at any time where processing is based on consent under Article 7(3) GDPR.

To exercise any of these rights, contact us at [email protected].

We respond to verified requests within the timeframes required by applicable law. Under GDPR, this is generally one month from receipt of the request, extendable by two further months where necessary due to complexity or number of requests.

If you are located in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority. As the controller is established in Estonia, you may also contact the Estonian Data Protection Inspectorate, known as Andmekaitse Inspektsioon.

If you reside in a jurisdiction that grants additional rights beyond those listed above, please contact us and we will honour the rights mandated by applicable law.

10. Account and data deletion

You may request deletion of your App profile, installation-related data, and associated personal data at any time through either of the following paths:

In-app: open the App, go to Settings → Delete account, and confirm the deletion request.
By email: send a request to [email protected] from the email address associated with your App profile, if one was provided. We may ask for verification details to prevent unauthorised deletion.

We process verified deletion requests within thirty (30) days.

After deletion, your personal data is removed from active systems. Backup copies are purged on a rolling cycle and are inaccessible to active operations in the meantime.

Uninstalling the App from your device does not automatically delete all data already processed by our backend systems. To delete your App profile and associated personal data, you should use the deletion paths described above.

Some limited information may be retained where required by law or where necessary for legitimate purposes such as fraud prevention, security, abuse prevention, workload verification, accounting, dispute resolution, or compliance with legal obligations. Any such retention is limited to what is necessary.

11. Security

We apply administrative, technical, and organisational safeguards designed to protect your information against unauthorised access, alteration, disclosure, loss, or destruction.

These safeguards include:

encryption of data in transit;
access controls;
restricted internal access;
infrastructure monitoring;
security logging;
fraud and abuse detection;
technical measures designed to protect the App and related backend services.

Where available and implemented, the App may use Android Hardware Key Attestation, Apple App Attest, DeviceCheck, Secure Enclave-related mechanisms, or other platform security mechanisms to support device identity, pairing integrity, workload verification, and network security.

No security measure is perfect. While we work to protect your information, we cannot guarantee absolute security.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 GDPR.

12. Children

The App is not directed to children under the age of 16, and we do not knowingly collect personal data from children.

If you believe that a child has provided us with personal data, contact us at [email protected] and we will take appropriate steps to delete the information in accordance with applicable law.

13. Third-party advertising and analytics

The App does not embed third-party advertising, third-party analytics, or tracking technologies.

We do not sell personal data to advertising networks or data brokers.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

The most recent version and effective date will always be shown at the top of this page. Material changes will be communicated in-app where reasonably possible or through another appropriate communication channel.

The updated Privacy Policy will apply from the effective date indicated in the updated version.

15. Contact

For any question, request, or complaint regarding this Privacy Policy or our handling of your personal data, contact:

Astral Hodling OÜ
Lõõtsa tn 5
11415 Tallinn
Estonia
Email: [email protected]