Version：v1.0.0 Update：October 7, 2025 15:00:00 GMT+0800 (Taipei Standard Time) Owner：moonpacket team

Introduction

1. This privacy policy (hereinafter referred to as 'this policy') describes how we collect, use, store, and protect your personal information and usage data when you use the services provided by moonpacket, including the Telegram Mini App, bot, and website (collectively referred to as 'the service'). Please read it fully before use; by starting to use the service, you agree to this policy.
2. The core function of this service is 'community growth and red packet interaction,' and it may provide necessary features related to cloud wallets, transactions, or redemptions under compliance requirements. This policy only governs data processing; for usage regulations, liability limits, risk disclosures, and disclaimers, please refer to the 'Terms of Use.'
3. moonpacket (hereinafter referred to as 'moonpacket' or 'the service') is the entity and administrator that collects, uses, stores, and processes personal and usage data related to the operation of this service, processing data solely for technical and operational purposes; moonpacket is not a bank, trust, custodian, investment advisor, payment intermediary, or asset manager, nor does it assume any fiduciary, custody, preservation, investment, or guarantee obligations due to the processing of the aforementioned data.

Definitions

• moonpacket': Refers to the application services provided by this project, including web applications and mobile applications available for download, and including (but not limited to) Telegram Mini App, bots, cloud wallets, and related functional modules.
• Personal Data': Information that can directly or indirectly identify a natural person, such as (where applicable) contact information, Telegram UID, cloud wallet address (if it can identify an individual), device, and network identifiers.
• Usage Data': Event records and interactions related to accounts or devices (e.g., sending/receiving red packets, errors and performance logs, anti-bot signals).

Scope of application

1. These terms apply to your use of all functions provided by moonpacket, including (but not limited to) joining or managing groups/channels, sending or receiving red packets, participating in events, linking or using cloud wallets and points, and integrations via API/Webhook.
2. moonpacket supports two main use cases: those sending red packets and those receiving red packets. Senders must add the bot to their owned or managed groups/channels and grant necessary permissions; if unauthorized or permissions are insufficient, functionality cannot be guaranteed. Recipients do not have their private information captured outside of necessary network identifiers and usage events during group interactions.

The data we collect

1. Account and Identity: Telegram UID, username, avatar, language settings, group member identity and permissions; if needed, government-issued ID data, selfies or facial biometric matching results, residence declaration, KYC/AML audit information and matching results will be collected and retained solely for compliance, anti-money laundering, combating terrorist financing, compliance with sanctions, tax reporting, fraud investigation or risk management purposes.
2. Usage Events: Sending/receiving red packets, commands and interaction records, event participation, events from API/Webhook, errors and performance logs; anti-bot and risk control signals (such as abnormal frequency, device, or network characteristics).
3. Transactions and Assets: Cloud wallet related addresses, balances or transaction summaries (only to the extent necessary for functionality); on-chain transactions can be publicly verified, but they are irreversible and immutable. The aforementioned information may include Off-chain records (such as internal accounting marked balances, amounts pending distribution or locked status), which are provided only for internal system settlement and allocation instructions and do not constitute moonpacket's custody, trust, deposit, delegated financial management, payment collection and payment, investment management, or safekeeping obligations.
4. Technical and Device Information: Device model, operating system, browser or application version, network address (IP/ASN) and approximate region, cookie and local storage tags (if any).
5. Contact Information: Email or customer support chat content you provide actively (if any).

Source of Data

• Your data provided actively during registration, binding, interaction, or communication with customer service.
• Events and technical data automatically recorded by the system during your use of this service.
• Third-party comparison or verification results obtained legally for compliance or service necessity (such as KYC/AML service providers).

Our usage

1. The functions provided for the operation and maintenance of this service include: identity verification, permission authentication, activation and management modules (red packet, points, cloud wallet), troubleshooting, and security monitoring.
2. Risk management and compliance: Detecting, preventing, and investigating abuse, fraud, money laundering, terrorist financing, sanctions evasion, tax evasion, illegal fundraising, unauthorized financial services, revenue sharing manipulation, or other abnormal activities; conducting KYC/AML audits and identity verification (including government-issued identification, selfies, and biometric verification), risk rating, and tax and sanctions review. If necessary, it may involve retaining, freezing, delaying, limiting, or denying transactions, distributions, refunds, withdrawals, or unfreezing. Such actions do not constitute a breach or infringement by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other liability.
3. Data analysis and product optimization: Statistical usage trends, improving experience and performance, conducting A/B testing, and training anti-fraud models (using minimization and de-identification methods).
4. Regulatory compliance and rights assertion: Cooperating with legal requests from regulations, authorities, or courts, or exercising, establishing, or defending legal rights. moonpacket may, at its sole discretion, provide relevant data to regulatory authorities, judicial bodies, tax or sanction authorities, arbitration or enforcement agencies, or their authorized compliance service providers based on legal, regulatory, tax, sanctions, anti-money laundering, anti-terrorism financing, fraud investigation, or other compliance needs; such provision does not constitute a breach or infringement by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other liability.
5. Communication and notification: Providing you with important changes, event notifications, or necessary service information; marketing messages will only be sent with consent or as permitted by law.

Regulatory basis

1. Necessary for fulfilling contracts or providing services (e.g., enabling red packet/points processes, risk control verification, and event records).
2. Compliance with legal obligations (e.g., KYC/AML, sanctions, audit, and retention obligations).
3. Legitimate interests (e.g., detecting abuse, ensuring system security and service availability, improving products and experiences). In this case, we will implement balancing tests and adopt de-identification or minimization measures.
4. Your consent (e.g., receiving marketing messages, non-essential cookies, and revocable choices).

Cookies and local storage

1. Necessary Cookies and Local Storage: Used to maintain login status, language selection, anti-bot measures, and security controls; some features may not function properly if disabled.
2. Analytics or Preference: Enabled only if legally permitted or with your consent; you can remove or limit them in your browser settings.

Cloud Wallet, Gift Commitment, and Fund Locking

1. If the cloud wallet is provided by this service or a partner, it will only process and retain the minimum necessary transaction data and receipts upon completing red packet, points, or necessary exchange processes.
2. On-chain data is public and irreversible; please operate cautiously. The unchangeable, permanently public nature, and data associations stemming from blockchain features are beyond the control of this service.

Anti-bot, Abuse Control, and Account Restrictions

1. To prevent abuse and fraud, we may evaluate interaction frequency, device or network characteristics, geographic location, behavioral patterns, and blacklist signals; functionality may be suspended or restricted and additional verification may be required as necessary.
2. For compliance and security reasons, we reserve the right to share relevant indicators or audit results with trusted anti-fraud or compliance service providers within reasonable limits.
3. For the aforementioned purposes, moonpacket may, at its sole discretion, suspend, delay, limit, or deny specific functionalities and require supplemental verification (including KYC/AML audits, government-issued ID, selfies, or biometric comparisons) or share necessary indicators or audit results with trusted anti-fraud, compliance, tax, or sanctions service providers; such actions do not constitute a breach or infringement by moonpacket, and moonpacket shall not be liable for any damages, compensation, or other responsibilities.

Data sharing recipients

1. Processing or third-party providers, including cloud hosting, logging and monitoring, analytics, anti-bot, and compliance service providers, conduct operations under minimized and contractual constraints.
2. Partners and community managers will share necessary information based on the specific activities, red packets, or community governance scenarios you participate in, according to activity rules.
3. We will disclose necessary data to authorities, courts, or rights holders in compliance with legal procedures as required by law or for asserting rights.
4. moonpacket may retain, analyze, transmit, disclose, and provide necessary information (including off-chain records, on-chain evidence, KYC/AML data, group/chat/activity records, and distribution and withdrawal behavior) to authorities, courts, law enforcement or tax units, sanction and regulatory units, or their authorized compliance service providers regarding compliance reviews, KYC/AML audits, identity verification (including government-issued ID and biometric comparisons), anti-money laundering, combatting terror financing, following sanctions, tax compliance, fraud investigations, abuse detection, financial audits, and tracking distributions and withdrawals, within a reasonable commercial scope. Such processing, transmission, and disclosure do not constitute a breach or tort by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other responsibilities.

Cross-border transfer

1. Based on the cloud architecture of this service, global operational model, risk management, Anti-Money Laundering (AML), combating terrorist financing, compliance with sanctions, tax cooperation, fraud prevention, audit retention, customer support, and system maintenance needs, your data (including personal data, usage data, Off-chain records, KYC/AML audit results, and risk control and withdrawal records) may be processed, stored or transmitted outside your jurisdiction, and may be accessed by partners, cloud infrastructure providers, compliance and risk management service providers, or authoritative/ judicial/tax/sanction/regulatory authorities (or their authorized entities) as needed for the aforementioned purposes.
2. moonpacket will assess the information security and compliance obligations of the recipients, within commercially reasonable and necessary limits, and will reduce risks of unauthorized access or misuse through contracts, technical, and organizational measures; however, you understand and agree that any cross-border transfer, cloud hosting, or third-party processing may be affected by network and regulatory environments, and cannot guarantee absolute security or availability. The aforementioned cross-border processing and transfer do not constitute a breach or infringement by moonpacket, and moonpacket will not be liable for any damages, compensation, or other liabilities.

Retention period

1. We will retain data for the time required to fulfill collection purposes and keep necessary records as required by law or audit obligations (e.g., accounting and compliance logs).
2. Once the purpose is achieved or the retention period expires, we will delete or process the data in a de-identified manner; on-chain data is not subject to this limitation due to its unalterability.
3. Even if you request to deactivate your account, delete your data, or stop using this service, moonpacket may retain, freeze, analyze, or provide the aforementioned data as required or permitted by laws, regulations, tax, sanctions, anti-money laundering, anti-terrorism financing, fraud investigation, audit retention, accounting verification, or other compliance obligations. Such retention and processing do not constitute a breach or infringement by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other liability.

Security

1. We adopt reasonable and proportional technical and management measures, including access control, transmission and static encryption (as applicable), permission segregation, audit logs, and minimum necessary personnel access principles.
2. Although moonpacket has taken technical and managerial measures to reduce the risk of unauthorized access, use, disclosure, alteration, or destruction within a reasonable commercial scope, you understand and agree that any transmission, storage, or third-party integration may carry certain risks. moonpacket makes no express or implied guarantees regarding data security, integrity, availability, uninterrupted access, or interference. Such risks or damages do not constitute a breach or tort by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other responsibilities.

Minor-related regulations

1. This service is not intended for individuals under 13 years of age or below the minor threshold in your jurisdiction. If you are a minor, please use this service with the consent of your legal guardian, or refrain from using this service.

Your rights and how to exercise them

1. According to applicable laws in various regions, you have the right to query or review your personal data, request copies, correct, limit processing, delete, data portability, and withdraw consent, but not in conflict with moonpacket’s legal obligations to retain, freeze, analyze, audit, cooperate with the requirements of regulatory/judicial/tax/sanction/regulatory authorities, or KYC/AML/anti-terrorism financing/sanctions compliance/tax reporting/fraud investigation/abuse detection, or moonpacket's legitimate interests.
2. If you wish to exercise the aforementioned rights or raise privacy concerns, please contact moonpacket using the 'Contact Information.' To ensure security, moonpacket may request you to complete identity verification (including but not limited to providing information required for KYC/AML audits, government-issued identification, selfies, or biometric verification results) to confirm that the requester is the data subject or an authorized representative.
3. moonpacket may, at its sole discretion, fully or partially refuse, delay, limit, or request corrections to such requests within the scope of legal or compliance obligations, legitimate interest requirements, or risk management purposes; such refusals, delays, limitations, or requests for correction do not constitute a breach or infringement by moonpacket, and moonpacket is not liable for any compensation, indemnity, or other liability.

Frequently Asked Questions (Privacy and Security)

1. Why do we need compliance and risk control information? This is necessary for providing red packets, preventing abuse, and ensuring safe operations, as well as complying with relevant laws or platform policies.
2. Can I refuse to provide certain information? Without affecting service safety and legal obligations, you can choose to disable non-essential items, but this may result in some features being unavailable.
3. Can blockchain data be deleted? On-chain records are irreversible and public, and we cannot modify or delete them on your behalf.

Terms Update

1. These terms may be updated with service adjustments or legal changes; significant changes will be indicated through internal messages or page announcements; the updated version takes effect from the announcement or the effective date stated in the terms.

Contact information

1. Customer service robot