Lobster.cash

LOBSTER.CASH — Privacy Policy

Effective Date: March 30, 2026
https://www.lobster.cash

---

1. Introduction

Lobster.cash, operated by Crossmint ("we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data when you use the Lobster.cash platform and related services (the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy.

---

2. Information We Collect

2.1 Information You Provide

- Account information: When you register, we collect your email address and authentication details via our identity provider, Stytch (e.g. through Google OAuth or other supported methods).
- Configuration data: Spending limits, agent permissions, and wallet settings you configure within the Service.
- Payment card references: When you save a card, the full card details (number, CVV, expiry) are submitted directly to Basis Theory's PCI-DSS-certified vault and are never transmitted to or stored by Lobster.cash. We only receive and store a non-sensitive token that references your card within Basis Theory's system.

2.2 Information Collected Automatically

- Transaction data: Records of payments made through virtual cards or stablecoin wallets, including amounts, merchant names, timestamps, and transaction status.
- Usage data: Information about how you interact with the Service, including pages visited, features used, and session duration.
- Device and technical data: IP address, browser type, operating system, and other technical identifiers collected when you access the Service.

2.3 Blockchain Data

Stablecoin transactions conducted via the Service are recorded on the Solana blockchain. Because blockchain ledgers are public and immutable, transaction data associated with your wallet address is publicly visible and outside our control. We do not have access to your private keys at any time.

2.4 Information from Third Parties

We may receive information about you from our infrastructure partners — including Visa, Stytch, Circle, and Basis Theory — in the course of providing the Service, such as card transaction records or identity verification results.

---

3. How We Use Your Information

We use the information we collect to:

- Provide, operate, and maintain the Service.
- Issue and manage virtual payment cards and facilitate stablecoin transactions.
- Authenticate your identity and secure your account.
- Display transaction history and audit logs in your dashboard.
- Detect and prevent fraud, abuse, and unauthorized access.
- Communicate with you about your account, service updates, and security notices.
- Comply with applicable legal and regulatory obligations.
- Improve and develop the Service based on usage patterns and feedback.

We do not use your data for advertising purposes, and we do not sell your personal information to third parties.

---

4. How We Share Your Information

We share your information only as necessary to provide the Service or as required by law:

- Crossmint: As the operator of Lobster.cash, Crossmint processes your data in accordance with this policy.
- Basis Theory: Full payment card details are stored exclusively in Basis Theory's PCI-DSS-certified vault. Lobster.cash never sees or stores raw card data — only a non-sensitive token is held on our side. Basis Theory's privacy policy governs how they handle card data.
- Visa: To process virtual card transactions using the token provided by Basis Theory.
- Stytch: To authenticate your identity and manage your account session.
- Circle: To facilitate USDC stablecoin transactions.
- Solana network: Stablecoin transaction data is broadcast to the public Solana blockchain and is inherently public.
- Legal and regulatory authorities: We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights or the safety of others.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.

We do not share your personal information with AI agent providers or third-party applications you connect to the Service, beyond what is technically required to execute an authorized transaction.

---

5. Non-Custodial Wallets and Your Data

Stablecoin wallets on Lobster.cash are non-custodial. We never store, have access to, or transmit your private keys. Your wallet credentials are your sole responsibility. We cannot recover funds, reverse transactions, or access your wallet on your behalf under any circumstances.

---

6. Data Retention

We retain your account and transaction data for as long as your account is active, and for up to 5 years after account closure to comply with financial regulations and legal obligations. Usage and technical data may be retained for shorter periods. Blockchain transaction data is permanently recorded on the Solana ledger and cannot be deleted by us or by you.

---

7. Data Security

We implement industry-standard security measures to protect your data, including:

- Encryption of data in transit (TLS) and at rest.
- Payment card details are never stored by Lobster.cash. Raw card data is submitted directly to Basis Theory's PCI-DSS-certified vault; we store only a token reference.
- Access controls limiting employee access to personal data on a need-to-know basis.
- Regular security reviews of our infrastructure and third-party partners.

No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

---

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request a machine-readable export of your data.
- Objection: Object to certain types of processing, such as processing based on legitimate interests.
- Restriction: Request that we limit how we process your data in certain circumstances.

To exercise any of these rights, contact us at legal@crossmint.com. We will respond within 30 days. Note that some requests may be limited where we have legal obligations to retain data or where data is recorded on a public blockchain.

---

9. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and understand how the Service is used. We do not use third-party advertising cookies. You can control cookie settings through your browser, though disabling certain cookies may affect Service functionality.

---

10. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

---

11. International Data Transfers

Lobster.cash is operated from the United States. If you access the Service from outside the US, your data may be transferred to and processed in the United States or other countries where our partners operate. We take steps to ensure that any such transfers comply with applicable data protection laws.

---

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by sending you a notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

---

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:

Lobster.cash — operated by Crossmint
Website: https://www.lobster.cash
Email: legal@crossmint.com

---

Last updated: March 30, 2026.