Last updated: 31 July 2025.

Midnight Foundation (“Midnight”, “we”, “our”, “us”) is committed to protecting and respecting your privacy. We are a company registered in the Cayman Islands with its registered address at Harneys Fiduciary (Cayman) Limited, 4th Floor, Harbour Place, P.O. Box 10240, Grand Cayman KY1-1002, Cayman Islands.

This Website and Portal Privacy Policy (“Privacy Policy”) applies to all personal data collected through any website managed by Midnight, including but not limited to https://midnight.gd and https://midnight.foundation, the NIGHT Portal, and in connection with any services we provide to you (collectively, the “Website”). For the purposes of this Privacy Policy, “personal data” has the meaning given to this phrase (or similar phrases such as ‘personal information’ or ‘personally identifiable information’) under the relevant data protection law applicable to us when we process your personal data.

In this Privacy Policy, we describe how we collect, use, store and share your personal data and what rights you have in relation to it. If there are any terms in this Privacy Policy that you do not agree with, please discontinue access and use of our Website.

Please read this Privacy Policy carefully as it will help you make informed decisions about sharing your personal data with us.

In addition, if you reside in any of the following countries, please note the following:

• If you reside in the European Economic Area (the “EEA”) or the United Kingdom (the “UK”), please refer to the “EEA/UK Addendum” below in addition to this Privacy Policy.
• If you reside in the United States (the “US”), please refer to the “US Addendum” below in addition to this Privacy Policy.
• If you reside in Japan, please refer to the “Japan Addendum” below in addition to this Privacy Policy.

1. Collection of Personal Data

Midnight collects the following types of personal data:

Information you provide:

• Public blockchain addresses, signed messages, and related personal data which you may choose to provide to us (“blockchain personal data”). This information is required to enable us to fulfil our contract with you. If you do not provide this information, we will not be able to provide you with our blockchain related services on the Website.
• Name and email address (“contact data”) where you opt-in to receive updates on our services available on the Website or marketing communications or choose to contact us and/or exercise your rights.
• Any personal data you choose to provide when you use our chatbot, including contact data and blockchain personal data (“chat data”).
• Information we collect automatically: When you visit our Website, we automatically collect certain information sent to us by your computer, mobile phone or other device you use to access the Website. This information includes:
• Data collected via cookies or similar tracking technologies (“cookies data”). If you reside in the EEA/UK or Japan, we only collect information via non-essential cookies (e.g., analytics cookies) where you have provided your consent to the use of such cookies; please see our Cookies Policy for further information; and
• IP addresses, and date and time of any requests submitted by you on the Website; device information including, but not limited to, name and type of operating system; standard web information such as your browser type and the pages you access on our Website; and security information (“usage data”).

Information we receive from third parties:

• We may receive personal data about you from certain third parties providing services to us, such as sanctions-related personal data and/or token value data, where required (“sanctions or token data”).

2. Use of Personal Data

Midnight uses your personal data for the following purposes.

Processing Purpose

To allow you to participate in the features of the Website such as the airdrops of the NIGHT tokens, when you choose to do so and provide us with blockchain related information (please see the Token End-User Terms and NIGHT White Paper for further details on the airdrop services).

Categories of Personal Data

Blockchain personal data; sanctions or token data.

Processing Purpose

To provide you with support, updates and/or information about our services on the Website and/or marketing and promotional content which we think may be of interest to you.

Categories of Personal Data

Contact data; chat data.

Processing Purpose

To gather analysis or valuable information so that we can improve the Website, monitor usage of the Website, and detect prevent and address technical issues.

Categories of Personal Data

Cookies data; usage data.

Processing Purpose

To comply with legal obligations, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Website, and to protect our interests.

Categories of Personal Data

Blockchain personal data; contact data; chat data; cookies data; usage data; sanctions or token data.

To the extent that you are based in the EEA or the UK, please refer to the EEA/UK Addendum for details on the legal bases we rely on for such processing.

3. Retention of Personal Data

We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will also retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your personal data to comply with applicable laws), resolve disputes, and enforce legal agreements and policies.

We will also retain certain cookies and usage data for internal analysis purposes. Such data is generally retained for a shorter period of time, except when this data is used to strengthen the security of, or to improve the functionality of the Website, or we are legally obligated to retain such data for longer time periods.

• Disclosure of Personal Data

Midnight will disclose your personal data as necessary, or as required or permitted by applicable laws to the following categories of recipients:

• Service providers and vendors. Such third parties include: (i) our service providers to provide you with our services via the Website; (iii) data analytics vendors; (iii) security vendors; (iv) website hosting vendors; (v) chatbot developers and providers; and (vi) social media providers. These service providers assist us with various different functions and tasks, such as providing data storage and disaster recovery services and communicating with you.
• When you request us to share certain information with third parties, to perform a contract with you.
• With professional advisors such as auditors, law firms or accounting firms, in our legitimate interests or as required by law.
• We will share your personal data with regulators, law enforcement agencies, public authorities, or any other relevant organisations for the following purposes, as required to comply with our legal obligations or in our legitimate interests to run a successful business: (i) if we have determined that it is necessary to share your personal data to comply with applicable laws, including cooperation with law enforcement, judicial orders, and regulatory inquiries; (ii) to protect the interests of, and ensure the safety and security, of us, our users, a third party or the public; (iv) to establish, exercise or defend legal claims; and (v) to enforce any applicable terms and conditions that govern our relationship with you.
• With our affiliates, in our legitimate interests to run a successful business, for administrative, marketing and maintenance purposes and in order to provide our services and features on the Website to you.
• In connection with an asset sale or purchase, a share sale, purchase or merger, bankruptcy, or other business transaction, or re-organisation, in our legitimate interests. We will share your personal data with a prospective buyer, seller, new owner, or other relevant third party as necessary while negotiating or in relation to a change of corporate control such as a restructuring, merger, or sale of our assets.

5. Security of Personal Data

We use reasonable technical and organisational methods to safeguard your information.

You acknowledge that data transmissions over the internet are not 100% secure and we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet. As such, any information you transfer to us is done at your own risk.

6. Links To Other Websites

The Website may contain links to other websites, products or services that are not operated by Midnight. If you click on a third-party link, you will be directed to that third party's site. You’re advised to review the privacy policy of each third-party site you decide to visit.

Midnight has no control over and assumes no responsibility for the content, privacy policies or practices of any third-party website, product or service.

7. Changes To This Privacy Policy

We may update this Privacy Policy from time to time. We will inform you of changes, as required under applicable laws and we will post the updated “effective date” at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes.

8. Data Controller and Data Privacy Contact

Midnight TGE Ltd. is the controller of your personal data processed under this Privacy Policy.

You can reach out to our legal team at legal@midnight.foundation for any questions related to this Privacy Policy. If you reside in the EEA or the UK, please also refer to the EEA/UK Addendum for further details.

EEA/UK Addendum

If you reside in the EEA or the UK, Midnight TGE Ltd. is the controller of your personal data processed under this Privacy Policy.

This EEA/UK Addendum complements the Privacy Policy and addresses specific requirements under EEA and UK privacy laws.

1. EEA and UK Representatives

If you reside in the EEA: Our representative in the EEA is European Data Protection Officer (“EDPO”). You can contact EDPO for any queries relating to this Privacy Policy and/or our processing of your personal data, by:

using EDPO’s online request form, available here; or writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.

If you reside in the UK: Our representative in the UK is EDPO UK Ltd (“EDPO UK”). You can contact EDPO for any queries relating to this Privacy Policy or our processing of your personal data, by:

using EDPO UK’s online request form, available here; or writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom.

2. Use of personal data and legal bases

Midnight uses your personal data for the purposes, and in reliance on, the legal bases listed in the table below.

Processing Purpose

To allow you to participate in the features of the Website such as the airdrops of the NIGHT tokens, when you choose to do so and provide us with blockchain related information (please see the Token End-User Terms and the NIGHT White Paper for further details on the airdrop services).

Categories of Personal Data

Blockchain personal data; sanctions or token data.

Legal Bases

Contractual necessity, in order for us to perform our obligations under any contract with you, such as the Website Terms of Use, and/or the Token End-User Terms, or to comply with our legal obligations.

Processing Purpose

To provide you with support, updates and/or information about our services on the Website and/or marketing and promotional content which we think may be of interest to you.

Categories of Personal Data

Contact data; chat data.

Legal Bases

Your consent when you opt-in to receive such communications by providing your contact data.

For our legitimate interests of providing our customers with support in the case of chat data.

Processing Purpose

To gather analysis or valuable information so that we can improve the Website, monitor usage of the Website, and detect prevent and address technical issues.

Categories of Personal Data

Cookies data; usage data.

Legal Bases

Your consent for processing of cookies data, where required for non-essential cookies.

For our legitimate interests of maintaining our relationship with you and ensuring efficient and successful management of our Website and efficient performance or management of our relationship with you, where your consent is not required (i.e., when we use essential cookies).

Processing Purpose

To comply with legal obligations, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Website, and to protect our interests.

Categories of Personal Data

Blockchain personal data; contact data; chat data; cookies data; usage data; sanctions or token data.

Legal Bases

To comply with our legal obligations or in our legitimate interests to maintain a secure and successful business.

3. Transfer of Personal Data

We are based in the British Virgin Islands, therefore we operate our services, collect and process your personal data from the British Virgin Islands. In addition, when we engage with third parties, we may onward transfer and/or process your personal data outside the EEA and the UK, to jurisdictions where data protection laws may differ. For additional information on how we handle transfers of personal data, please contact us by using the contact details in the “Data Privacy Contact” section of the Privacy Policy.

4. Your Rights

You have certain data protection rights under EEA and UK privacy laws:

• Access. You have the right to request access to personal data we hold about you, how we use it, and who we share it with.
• Correction. You have the right to correct your information we hold that is inaccurate.
• Objection. You have the right to object to our processing of your personal data.
• Restriction of processing to storage only. You have the right to require us to stop processing the personal data we hold about you, other than for storage purposes, in certain circumstances.
• Portability. You have the right to receive a copy of the personal data we hold about you and to request that we transfer it to a third party, in certain circumstances and with certain exceptions.
• Erasure. You have the right to request we delete the personal data we hold about you, in certain circumstances.
• Withdrawal of consent. You have the right to withdraw your consent at any time by contacting us using the details below, where we rely on your consent to process your personal data.
• Objection to marketing: You can object to marketing at any time by opting out using the unsubscribe function displayed in our communications to you.

If you want to exercise your rights or if you have complaints about how we process your personal data, please contact us via email at legal@midnight.foundation, or our EEA or UK representatives at the details provided above. Please note that we may ask you to verify your identity before responding to such requests.

If you think we have infringed data protection laws, you can file a claim with the data protection supervisory authority in the EEA country in which you are based in or where you think we have infringed data protection laws, or with the UK Information Commissioner’s Office, as applicable to you.

US Addendum

This US Addendum complements the Privacy Policy and addresses specific requirements under: (i) the California Consumer Privacy Act (“CCPA”), and (ii) other US state privacy laws, where applicable.

A. CALIFORNIA RESIDENTS

This section applies to you only if you are a California resident. For purposes of this section, references to “personal data” shall include “sensitive personal data”, as these terms are defined under the CCPA.

• Processing of Personal Data

In the preceding 12 months, we collected and (where indicated below) disclosed for a business purpose the following categories of personal data about California residents:

Identifiers: such as contact data, IP address and where applicable, chat data.

Commercial information: such as blockchain personal data, sanctions or token data, chat data where applicable, and related personal data you choose to share with us.

Internet or other similar network activity: such as cookies data, usage data, and other personal data that we collect automatically when you use the Website.

Inferences drawn from other personal data: using the other pieces of personal data collected about you, we may draw inferences about you, reflecting what we believe to be your preferences, characteristics, predispositions, and attitudes.

The categories of sources from which we collect your personal data are described in Section 1 of this Privacy Policy: “Collection of Personal Data.” The specific business or commercial purposes for which we collect your personal data are described in Section 2 of this Privacy Policy: “Use of Personal Data”. The criteria we use to determine how long to retain your personal data is described in Section 3 of this Privacy Policy: “Retention of Personal Data.” We disclosed personal data over the preceding 12 months for the business or commercial purposes described in Section 2 of this Privacy Policy with the categories of third parties listed in Section 4 of this Privacy Policy: “Disclosure of Personal Data.”

2. Selling and/or Sharing of Personal Data

We do not “sell” or “share” (as those terms are defined under the CCPA) personal data, nor have we done so in the preceding 12 months. Further, we do not have actual knowledge that we “sell” or “share” personal data of residents under 16 years of age.

3. Your California Privacy Rights

As a California resident, you may make the following requests in relation to personal data that we have collected about you, subject to certain exceptions:

• Request to know/access. You may request we disclose to you the categories of personal data we have collected and disclosed for a business purpose; the categories of sources from which we collected personal data; the business or commercial purposes for collecting personal data; the categories of third parties to whom the personal data was disclosed for a business purpose; and the specific pieces of personal data we have collected.
• Request to delete. You may request that we delete personal data we maintain about you.
• Request to correct. You may request that we correct inaccurate personal data we maintain about you.

You may exercise any of these rights by sending us an email at legal@midnight.foundation and including “California Privacy Rights Request” in the subject line. We will not discriminate against you for exercising any of these rights. We will take reasonable steps to verify your identity before providing a substantive response to your request. The verification steps may vary depending on the sensitivity of the personal data.

If you are a California resident, you may designate, in writing or through a power of attorney document, an authorized agent to make requests on your behalf. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us.

B. RESIDENTS OF OTHER US STATES

If you are a California resident, please see the section above, California Residents, for information on your rights in relation to personal data that we have collected about you. If you are a resident of another US state, including but not limited to, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Delaware, Iowa, Nebraska or Michigan, depending on the state you live in, you may make the following requests in relation to personal data that we have collected about you, subject to certain exceptions:

• Request to access. You may request that we confirm whether we process personal data about you and give you access to that information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another business without impediment.
• Request to delete. You may request that we delete information we maintain about you.
• Request to correct. You may request that we correct inaccurate information we maintain about you.

You may exercise any of these rights by sending us an email at legal@midnight.foundation, including “US Privacy Rights Request” in the subject line, and providing us with your state of residence. We will not discriminate against you for exercising any of these rights. We will take reasonable steps to verify your identity before providing a substantive response to your request. The verification steps may vary depending on the sensitivity of the personal data.

Depending on your state of residence, you may designate, in writing or through a power of attorney document, an authorized agent to make requests on your behalf. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us.

In addition, if you are not satisfied with the outcome of your request you may appeal our decision by sending us an email at legal@midnight.foundation, and including “Privacy Rights Appeal” in the subject line. When you submit a request or launch an appeal, we will limit our collection of your personal data to only what is necessary to securely fulfil your request or process your appeal. We will not require you or your authorized agent to pay a fee for the verification of your request or appeal.

Japan Addendum

If you reside in Japan, your personal data will be handled in accordance with the following rules in addition to the rules set forth in this Privacy Policy.

This Japan Addendum complements the Privacy Policy and addresses specific requirements under Japanese data protection law (the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended), “APPI”).

1. Controller of Personal Data

Any personal data provided to, or gathered by, Midnight is controlled primarily by Midnight TGE Ltd., located at Craigmuir Chambers, Road Town, Tortola, VG, 1110, BVI.

2. Sharing of Personal Data

Midnight will not provide personal data to third parties, excluding data processors who process on our behalf and on our instructions, without obtaining your prior consent, except otherwise permitted by the applicable law.

3. International Transfer of Personal Data

We are based in the British Virgin Islands, therefore we operate our services, collect and process your personal data from the British Virgin Islands. In addition, when we engage with third parties, we may onward transfer and/or process your personal data outside of Japan, to jurisdictions where data protection laws may differ. For additional information on how we handle transfers of personal data, please contact us by using the contact details in the “Data Privacy Contact” section of the Privacy Policy.

4. Your Rights

If you are located in Japan, you have certain data protection rights:

• The right to access. You have the right to request access to personal data we hold about you, how we use it, and who we share it with.
• The right of rectification. You have the right to have your personal data rectified if that information is inaccurate or incomplete.
• The right of restriction. You have the right to require us to stop processing or third-party provision of your personal data, in certain circumstances.
• The right to erasure. You have the right to request we delete the personal data we hold about you, in certain circumstances.
• The right to withdraw consent. You have the right to withdraw your consent at any time by contacting us using the details below, where we rely on your consent to process your personal data.
• The right to object to marketing communications: You can object to marketing at all times by opting out using the unsubscribe function displayed in our communications to you.

If you have requests, complaints, and inquiries regarding personal data and the confidentiality of communications pursuant to APPI, please send an email to legal@midnight.foundation.