This Privacy Policy (the `“`Policy`“`) delineates the intricacies surrounding the collection, utilisation, and safeguarding of personal information within Jupiter Meta`'`s Consumer Research Application (the `“`Application`“`). Users are subject to the terms stipulated in this Policy upon accessing and utilising the Application.

1. DEFINITIONS

1.1 Personal Information

`“`Personal information`“` encompasses data identifying or related to a particular individual, limited to names, email, addresses, PAN, Aadhaar etc and does not include mobile number and location

1.2 Decentralised Identifiers (DID)

`“`Decentralised Identifiers`“` or `“`DID`“` refers to blockchain-based cryptographic identifiers implemented by Jupiter Meta to obfuscate user identities, ensuring secure, decentralised, and pseudonymous interactions.

2. INFORMATION COLLECTION AND USAGE

2.1 Purpose

The collection of information serves the singular purpose of conducting consumer research studies and

surveys facilitated by the Application.

2.2 Use of Decentralised Identifiers (DID)

DIDs are instrumental in preserving user anonymity. Leveraging blockchain technology, DIDs securely mask user identities, providing a cryptographic layer of protection against unauthorised access.

2.3 Ephemeral Data

Jupiter Meta employs an ephemeral data framework within the Application. Ephemeral data refers to information that is temporarily accessed for the exclusive purpose of improving survey functionality, mapping and attributing user behaviour and validating research inputs. Such data is processed in real time and is not retained, stored, or persisted beyond the immediate session in which it is utilised.

Examples of ephemeral data may include:
• Application usage duration (time spent on third-party apps for behavioural research purposes).

Ephemeral data does not include content, orders, messages, or other personal interactions within third-party applications, and no personally identifiable information is extracted.

The ephemeral data program enhances research validity while preserving user privacy, ensuring that temporary signals are leveraged solely for verification and statistical accuracy, after which they are irrevocably discarded.

The ephemeral data program starts and stops on a user`'`s device only after the user toggles it on by themselves and does not run in the background if the user has never given permission and stop as and when the user revokes permission/chooses to stop sharing.

User understands that the ephemeral data program or data task only runs upon active, granular consent for every app activity that the user so chooses to share.

2A. Zero-Knowledge Know-Your-Customer (zkKYC) Verification

2A.1 Purpose and Scope

The Application utilises a privacy-preserving identity verification system (“zkKYC”) to verify user authenticity without collecting or storing raw personally identifiable information. The zkKYC process converts sensitive information such as Aadhaar number, name, date of birth, and address into a cryptographic proof (“zkProof”) on the user’s device. The zkProof alone - never the raw data - is transmitted for verification.

2A.2 On-Device Processing

All sensitive data used to generate the zkProof is processed locally within secure device memory and never uploaded or stored. No raw identity data leaves the user`'`s device at any time.

2A.3 Temporary Cloud Storage

The resulting zkProof is transmitted through encrypted channels (TLS 1.2 +) and stored temporarily on encrypted Google Cloud Storage buckets located within the appropriate regional jurisdiction (e.g., India for DPDP, EU for GDPR). Proofs stored off-chain are automatically deleted within 30-60 days.

2A.4 On-Chain Commitments (JMDT Chain)

Certain zkProofs or aggregated Merkle roots may be committed to a blockchain to provide auditability and tamper-resistance. Data placed on-chain is designed to be non-identifiable and unlinkable, ensuring that no individual user can be re-identified. These records are immutable and cannot be altered or erased once committed.

2A.5 Lawful Basis and Consent

User consent is explicitly sought prior to initiating zkKYC. Consent records are logged and may be withdrawn for future zkKYC activity. However, once anonymised proofs are published on-chain, they cannot be deleted because they contain no personal data capable of identification.

2A.6 Data Minimisation and Retention

Only information necessary to validate identity attributes (for example, “is over 18” or “has valid Aadhaar”) is processed. Off-chain data is deleted after its purpose is served, in accordance with defined retention schedules.

2A.7 User Rights and Limitations

Users may request access to or deletion of personal data processed off-chain. Immutable on-chain zkProofs are excluded from such rights as they contain no retrievable personal data.

2A.8 Security and Compliance

All zkKYC operations employ ZK-STARK encryption at rest, TLS 1.2 + in transit, strict IAM access control, multi-factor authentication for administrators, and periodic penetration testing. The zkKYC system aligns with the principles of GDPR (Art. 5 & 32) and the Digital Personal Data Protection Act 2023.

2A.9 Transparency – ZK Privacy Manifest

3. INFORMATION SHARING

3.1 Third-Party Sharing

No personal information, including metadata, is disseminated to third parties to uphold the sanctity of user privacy.

3.2 Aggregated and Anonymized Data

Research responses, once anonymized and aggregated, may be shared with research-conducting entities to derive insights, without compromising individual user privacy.

4. USER RIGHTS

4.1 Access and Correction

The right to access and rectify personal information held within the system.

4.2 Opt-Out

The right to opt-out of marketing communications, ensuring control over data usage.

4.3 Deletion

The right to request the deletion of user accounts and associated data, adhering to data erasure principles.

4.4 Ephemeral Data

Given its temporary nature, ephemeral data is never stored or retained within the Application. Accordingly, such data does not fall within the scope of access, correction, or deletion rights, as it ceases to exist immediately upon completion of its intended session-based use. This safeguard ensures that ephemeral data cannot be misused, replicated, or disclosed, further reinforcing Jupiter Meta`'`s commitment to privacy-by-design principles.

5. SECURITY MEASURES

5.1 Encryption

End-to-end encryption protocols are implemented to protect personal information and research responses during transmission and storage. Encryption standards extend to zkKYC proofs, using AES-256 for data at rest and TLS 1.2 + for all proof transmissions.

5.2 Security Audits

Regular security assessments, including penetration testing and code reviews, are conducted to ensure the robustness of implemented security measures.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 Purpose Cookies and advanced tracking technologies are employed for user experience enhancement and detailed research pattern analysis, all while maintaining the utmost respect for user privacy.

7. AMENDMENTS

This Policy may undergo periodic updates to reflect evolving practices. The date of the latest revision will be prominently displayed.

8. CONTACT INFORMATION

For inquiries, users can reach out to Jupiter Meta at hello@jupitermeta.io.

CONCLUSION

This Privacy Policy constitutes a legally binding document elucidating Jupiter Meta`'`s commitment to the intricate technical and cryptographic principles safeguarding user privacy within the Consumer Research Application.