Thank you for choosing to be part of the open-source protocol, supported by a global community of developers, individuals, and other contributors.

We are the World Foundation (“we”, “us”, “our”, or “Foundation”), the steward behind the development and growth of the World protocol. This Privacy Notice covers the data you provide to us through your use of our protocol and other services linked to this Privacy Notice (collectively, the “Services”). This Privacy Notice is incorporated into and governed by the User Terms and Conditions (“User Terms”).

For information on how we collect, use, store, and delete your images and biometric data collected through our Orb (“Orb Data”), please review the Data Consent Form, incorporated by reference. We will not collect your biometric data at the Orb unless you agree and consent to the Data Consent Form.

We are the Data Controller of all Protocol Data (defined below) and Orb Data: Suite 3119 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Islands. Foundation has a sole establishment in the European Union (“EU”).

“Protocol Data” means all personal data collected and processed through your use of the World protocol or the Worldcoin tokens.

We update this Privacy Notice sometimes. If we make major changes, such as how we use your personal information, then we'll let you know via a message in your App.

We are deeply committed to protecting your privacy and securing your data. We recognize that we can only fulfill our mission of distributing our digital tokens fairly to as many people as possible if people trust us, and privacy and data security are central to earning your trust.

We have designed our products and services with your privacy in mind. We collect data to improve our product and services. We will always tell you, here in this Privacy Notice or in data consent forms for specific products or services, what data we are collecting, why we are collecting that data, and what we do with it.

We have a dedicated team to look after your data and have implemented physical and electronic safeguards that protect your data both in transit and at rest. At the same time, no service can be completely secure. If you have any concerns about your data, please contact us through our Request Portal at world.org/requestportal or write to us at [email protected].

You may need to provide us with certain data in order to use a feature within the Services. Depending on the jurisdiction and on the purpose for processing the data, the legal grounds for processing in the cases below are the user’s consent, the performance of a contract (our commitment to provide the Services) and in some cases our legitimate interest. Below is a list of data that you may provide and what we may use the data for:

From time to time, we may obtain and analyze public blockchain data to ensure parties utilizing our Services are not engaged in illegal or prohibited activity under the User Terms, and to analyze transaction trends for research and development purposes. The legal basis for processing this data is compliance with legal obligations. This data constitutes Protocol Data.

We will only collect and use your biometric data after you agree to the Data Consent Form, which details the types of biometric data we process and why. The biometric data is not linked to the Protocol Data.

We must have a valid reason (or “lawful basis for processing”) to use your personal information. In instances when you'd reasonably expect us to use your personal information and our use of that information complies with applicable laws, we don't ask for your express permission. When it comes to your biometric data, we ask for your explicit and informed consent.

● To provide and maintain our products and services under the User Terms. These services include:

○ The World ID – a Privacy Preserving Proof of Personhood which is only granted to each individual human once as a pair of a public and a private key. The World ID can be used at the user’s discretion to prove their uniqueness in the context of other services;

○ The airdrop of the digital tokens;

○ To use your wallet address to send you digital tokens we support;

● To enable you to publish information on a blockchain to prove your uniqueness.

● To improve and develop our products and services, including to debug and repair errors in our Services. The legal basis of this processing are legitimate interests.

● To conduct data science research.

● To analyze your use of our Services to provide better support.

● To comply with applicable law such as anti-money-laundering law and sanctions. This entails:

○ Using your IP address to block individuals whose country does not allow them to access the Services;

○ To answer data subject requests under the applicable data protection laws like requests for access or deletion;

○ Monitor potentially illicit financial flows e.g. from blacklisted wallets; and

● To handle your customer service requests, complaints and inquiries.

● To resolve disputes, troubleshooting issues, and enforcing our agreements with you, including this Privacy Notice and the User Terms.

● To contact you regarding updates to the Services.

When you provide us with your data, it may be transferred, stored, or processed in a location outside of where your data was originally collected. The country in which your data is transferred, stored, or processed may not have the same data protection laws as the country in which you initially provided the data.

We make the best efforts to adhere to the principles stated in each jurisdiction regarding privacy laws. We only share data with data processors outside of your jurisdiction if such a transfer is lawful and if we are confident that the data processor will protect your data as required under applicable laws and, further, in accordance with our standards.

Below is a list of possible risks that may arise if we transfer your data (in case the data is considered personal data) to the United States and the European Union. Below we also summarize how we mitigate the respective risks. We do not transfer your personal data to the Cayman Islands.

Please note that this list contains examples, but may not include all possible risks to you.

We will never sell your data.

When we share your data outside of our organization, we will always:

We do share your data in these limited ways:

Transaction information related to your use of our Services may be recorded on a public blockchain.

Please note: Blockchains are public ledgers of transactions that are maintained on decentralized networks operated by third parties that are not controlled or operated by World. Due to the public and immutable nature of blockchain ledgers, we cannot guarantee the ability to amend, erase, or control the disclosure of data that is uploaded and stored on a blockchain.

We use cookies to help our Services work better. In addition to cookies, we may use other similar technologies, like web beacons, to track users of our Services. Web beacons (also known as "clear gifs") are tiny graphics with a unique identifier, similar in function to cookies. Our Cookie Policy, incorporated herein by reference.

We also use Google Analytics. More information on how Google uses your data when you use its partners’ websites and applications: https://policies.google.com/technologies/partner-sites. By using the Services, you consent to our storing and accessing cookies and other data on your computer or mobile device and the use of Google Analytics in connection with such activities. Please read the information at the link provided so you understand what you are consenting to.

We retain your data for as long as is reasonably necessary to provide our Services to you, serve our legitimate business purposes, and comply with our legal and regulatory obligations. If required by law, we will continue to retain your personal data as necessary to comply with our legal and regulatory obligations, including fraud monitoring, detection, and prevention, as well as tax, accounting, and financial reporting obligations. If you would like us to delete your personal data, including your biometric information, then please refer to Section 13 below.

Please note: Blockchains are decentralized third-party networks that we do not control or operate. Due to the public and immutable nature of blockchain technology, we cannot amend, erase, or control the disclosure of data that is stored on blockchains.

Individuals under the age of 18 are not allowed to use the Services, and we do not knowingly collect data from individuals under the age of 18. If you believe that your child under the age of 18 has gained access to the Services without your permission, you may request the deletion of all their personal data by contacting us through our Request Portal at world.org/requestportal.

We have taken commercially reasonable steps to restrict use of the Services to those who are at least 18 years old. We do not market products or services for purchase by children.

You may choose to delete your data from within the App under the Settings menu. If you have questions or concerns regarding this Privacy Notice, wish to exercise your rights, or to contact our Data Protection Officer (DPO), please submit your request through our Request Portal at world.org/requestportal or write to us at Worldcoin Foundation, Suite 3119, 9 Forum Lane, Camana Bay, PO Box 144, George Town, Grand Cayman KY1-9006, Cayman Island.. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can also delete your data from within the App.

If you have an unresolved privacy or data use concern that we have not satisfactorily addressed, please contact the data protection regulator in your jurisdiction. If you reside in the EU, then you can find your data protection regulator  here.

In the following, several addenda provide legally required information for the respective markets we operate in. This information forms part of the consent depending on the region the data subject resides in. This information might differ from your location’s information because we block certain services in certain jurisdictions. In case of any inconsistency with the above the more special statement about the particular jurisdiction prevails:

If you are in the EEAor the UK the following applies to you: You have at least the following rights You may have additional rights under General Data Protection Regulation, EU Regulation 2016/679 of 27.04.2016 (“GDPR”) as listed below. To exercise your rights available under GDPR, please contact us at our Request Portal. Apart from exceptional cases, we will resolve your request within the statutory deadline of one month. The use of the word GDPR in the following section also entails the UK-GDPR transposed into UK national law as the UK Data Protection Act of 2018 and retained as part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

This section applies if the processing of your data falls under the GDPR’s scope of application (e.g., if you are a resident of the EEA or in the UK). You may have additional rights under GDPR as listed below. To exercise your rights available under GDPR, please contact us at world.org/requestportal.

When transferring data to a country that does not have an adequacy decision, we utilize the EU Standard Contractual Clauses. Currently, we only transfer personal data to the European Union.

If you reside in Japan, additionally, the following applies to you.

We comply with Japanese laws and regulations, including the Act on the Protection of Personal Information of Japan (“APPI”).

Unless otherwise permitted by applicable laws, we do not disclose, sell, provide, share, or transfer your personal information to any third party.

We take necessary and appropriate measures to prevent any leakage or loss of, or damage to, your personal information being handled, and to otherwise maintain the security of personal information, such as by establishing rules for the handling of personal information, regular monitoring of the handling of personal information, regular training of employees in the handling of personal information, prevention of theft or loss of equipment used to handle personal information, and implementation of access controls. We also appropriately supervise our contractors and employees who handle personal information. You can obtain further details about the security control measures in place in relation to the handling of your personal information by contacting us at our Request Portal.

Your personal data is only processed in the European Union.

If you are domiciled in the Argentine Republic, we inform you that the AGENCY OF ACCESS TO PUBLIC INFORMATION, in its capacity as Control Agency of Law No. 25,326, has the power to hear complaints and claims filed by those whose rights are affected by non-compliance with the rules in force regarding personal data protection.

The Agency can be contacted as follows:

Address: Av. Pte. Gral. Julio A. Roca 710, 5th floor - Autonomous City of Buenos Aires

Postal Code: C1067ABP

Phone number: (54-11) 3988-3968

E-mail: [email protected]

If you are a resident of Singapore the following applies to you:

If you are a resident of Singapore and with your consent, we will collect, use or otherwise disclose your personal data for each of the purposes as set out in our privacy notice. You may exercise your right to withdraw your consent at any time, but please note that we may not be able to continue providing our services to you depending on the nature and scope of your request. Please also note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under applicable laws.

You may control the personal data that we have collected and exercise any of the rights by contacting us at our Request Portal. We aim to respond to your request as soon as we can, typically within 30 days. We will inform you in advance if we are not able to respond to your request within 30 days, or if we are not able to fulfill your request and the reasons.

Where permitted by law, we may charge you an administrative fee to fulfill your request.

If you are a resident of Singapore and we have collected your data, we may also transfer your data outside of Singapore from time to time. However, we will always ensure your personal data continues to receive a standard of protection that is at least comparable to that provided under the Singapore Personal Data Protection Act 2012[, such as through the use of ASEAN Model Contractual Clauses]

This Addendum for Korean Data Subjects explains our practices with respect to personal information we process in connection with your relationship with us where you are a Korean data subject.

We provide personal information to or outsource the processing thereof to third parties as specified below:

- Outsourcing of the Processing of Personal Information to Third Parties

For information regarding our subprocessors, please refer to Tools for Humanity’s privacy notice at the following link: https://worldcoin.pactsafe.io/rkuawsvk5.html

We may outsource the processing of your personal information and/or transfer your personal information for storing purposes to third parties located outside of Korea:

- Cross-border Storage/Outsourcing of Personal Information to Third Parties

If you do not want to transfer your personal information overseas, you can refuse by not agreeing to the transfer of personal information, or by requesting us to stop the cross-border transfer, but if you refuse, you may not be able to use our services. The legal basis for the cross-border transfer of personal information above is the fact that it constitutes “outsourced processing or storage of personal information that is necessary for the conclusion and fulfillment of a contract with the data subject” and statutorily-prescribed matters have been disclosed in the privacy policy (Article 28-8(1)(iii) of the Personal Information Protection Act).

When personal information becomes unnecessary due to the expiration of the retention period or the achievement of the purpose of processing, etc., the personal information shall be destroyed without delay. The process and method for destruction are set forth below:

1) Destruction Process: We select certain items of personal information to be destroyed, and destroy them with the approval of the DPO.

2) Destruction Method: We destroy personal information recorded and stored in the form of electronic files by using a technical method (e.g., overwriting) to ensure that the records may not be reproduced, while personal information recorded and stored in the form of paper documents would be shredded or incinerated.

The collection of the face and iris photos n are stored in the RAM memory of the Orb for an average time of 2 minutes until completion of the calculation of the iris code. No further storage is required.

You may exercise your rights related to personal information against us, including a request for access to, modification or deletion of, or suspension of processing of, your personal information as provided by applicable law including the Personal Information Protection Act. You may also exercise your right of withdrawal of consent to collection/use/provision of personal information, right to portability, and rights relating to automated decision-making. Such rights may also be exercised through your legal representatives or other duly authorized persons.

You may exercise any applicable rights described above by contacting us at world.org/requestportal.

We will implement technical, organizational, and physical security measures prescribed by applicable Korean laws in order to protect personal information, such as those listed below:

1) Managerial measures: Designation of a Data Protection Officer, establishment and implementation of an internal management plan, regular training of employees on data protection, etc.;

2) Technical measures: Management of access authority to the personal information processing system, installation of an access control system, installation of security programs, etc.; and

3) Physical measures: Restriction of access to personal information storage facilities and equipment such as computer rooms and data storage rooms, etc.

For questions or inquiries related to privacy and data protection, please contact our Data Protection Team at [email protected].

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, does not presently apply to us.

This Addendum for Kenyan Data Subjects explains our practices with respect to personal information we process in connection with your relationship with us where you are a Kenyan data subject.

We comply with the Data Protection Act 2019 and ensuing regulations.

Your personal data may be shared with the following recipients:

If you reside in Brazil, if your personal data was collected in Brazil, or if you use our Services in Brazil, the applicable legislation is Law No. 13,709/2018 (General Data Protection Law, or “LGPD”). Under the LGPD, Tools For Humanity is the operator and World is the controller responsible for your personal data when you use our Services.

Under the LGPD, biometric data is considered sensitive personal information. We will only process this data if you provide us with explicit, specific consent for clearly defined purposes. In certain circumstances, we may process your biometric data without your consent when it's absolutely necessary, such as to comply with legal or regulatory obligations, exercise our rights (including in contracts or legal proceedings), or to prevent fraud and protect the integrity of the data subject.

We employ advanced security measures and techniques to safeguard your personal information, including encryption and anonymization to ensure that your sensitive data is protected and cannot be associated with an individual, as the case may be.

We also aggregate data, combining large datasets to remove individual identifiers or references to a single individual. We use anonymized data or aggregated data for our commercial purpose, such as help us understand user behavior and necessity, improve our services, conduct activities of business intelligence and marketing, detect security threats, and train our algorithms. We also process your biometric data for custody of your personal information, authentication, and creating the Iris Code.

We will only use your biometric data for the purposes mentioned above if you provide us with explicit, specific consent through the Data Consent Form.

By opting for Self-Custody or Data Custody, as outlined in the Biometric Data Consent Form, your biometric data will be stored on your device. In this case, you must adopt additional safeguards to ensure the security of your biometric data stored on your device, as we do not have access or control over your device's storage system outside of our World App

You have the right to object to the use of your personal data for purposes that do not depend on consent if the purpose is inconsistent with the LGPD, including those related to biometric data. If your objection is upheld, we will no longer use your personal information to develop and improve the features and experiences of our Services.

Note that if you do not provide or do not allow the collection or processing of certain personal data, it may affect the quality of your experience, we may not be able to fulfill the objectives of our Services, or we may not be able to provide certain Services to you.

In some cases, your data is anonymized, meaning it no longer identifies you. You cannot object to the use of anonymized data because it does not allow for your identification, as provided for in the LGPD. We use this anonymized data to improve our products and services.

According to the LGPD, you have the right to confirm the existence of processing, access, rectification, or request the portability of data processed. Moreover, you can request information of public and private entities with which we jointly use your personal data. You can also request information regarding the possibility of not giving consent and the negative consequences, and request the deletion of data processed with consent. You can choose the deletion of your information in the World App in the Settings menu.

Under certain circumstances, you have the right to object to or restrict how we process your personal data, or to withdraw your consent, which we rely on to process the information you provide.

You can exercise your rights under the LGPD by submitting a request to our DPO using the contact details in section H.5 below or through our online request portal. If you feel that your rights have not been adequately addressed, you can file a complaint with the Autoridade Nacional de Proteção de Dados Pessoais (ANPD) by completing the form available at this link: https://www.gov.br/anpd/pt-br/canais_atendimento/cidadao-titular-de-dados.

If the LGPD applies to you, the information about our DPO is as follows:

DPO: Marcin Czarnecki

Contact Information: [email protected]

If the LGPD applies to you, and we have collected your personal data, we may also transfer it outside of the country. However, we will always ensure that your personal data is only transferred to foreign countries or international organizations that provide a level of protection adequate to that provided for in the LGPD, as recognized in adequacy decisions issued by the ANPD. In the absence of an adequacy decision, we will continue to follow a standard of protection that is at least equivalent to that provided for in the LGPD using Standard Contractual Clauses established in the ANPD's regulations or when we obtain your specific and highlighted consent for the international transfer.

WFPS20241112