SpaceRouter ('we,' 'our,' or 'us') is operated by Space Labs Ltd. We provide a decentralized residential IP proxy network and related services accessible through spacerouter.org, our APIs, SDKs, and applications (collectively, the 'Services').

This Privacy Policy describes how we collect, use, disclose, and protect personal information about users of our Services, including both service users (clients) and node operators. It applies globally to all users regardless of location.

Where applicable local law imposes additional requirements — including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, and Japan's APPI — we comply with those requirements to the fullest extent required.

By creating an account or using our Services, you confirm that you have read and understood this Privacy Policy. You will be asked to affirmatively accept this Policy via a clickwrap mechanism ('I Agree' button) during account registration.

Space Labs Ltd. is the data controller responsible for the personal information described in this Privacy Policy. For clarity, Space Labs Ltd. acts as a data controller with respect to account, billing, and service management data, and operates as a limited intermediary in facilitating network traffic routing.

• Registered Name: Space Labs Ltd.
• Privacy Contact Email: router.support@spacenetwork.com
• General Support Email: router.support@spacenetwork.com

For users in the European Economic Area (EEA) or the United Kingdom, Space Labs Ltd. is the data controller within the meaning of the GDPR and UK GDPR. If required, we will appoint an EU representative under Article 27 GDPR and a UK representative under Article 27 UK GDPR, whose details will be communicated upon request at router.support@spacenetwork.com.

We collect the following categories of information that you provide to us, along with the purpose and legal basis for each:

• Account information (email address and password) — Purpose: account creation, authentication, and security notifications. Legal basis: contract performance (GDPR Art. 6(1)(b)). Retention: duration of account plus 90 days after deletion request.
• Payment information (credit card details processed by Stripe, Inc.; billing address) — Purpose: payment processing and fraud prevention. Legal basis: contract performance (GDPR Art. 6(1)(b)); legitimate interests for fraud prevention (GDPR Art. 6(1)(f)). Retention: we do not store full card numbers; Stripe retains payment data per its DPA; transaction records retained for up to 7 years per applicable tax law.
• Cryptocurrency wallet addresses used for staking or reward collection — Purpose: staking verification, reward distribution, and sanctions screening. Legal basis: contract performance (GDPR Art. 6(1)(b)); legal obligation for sanctions screening (GDPR Art. 6(1)(c)). Retention: duration of account; on-chain records are permanent and immutable (see Section 3.3).
• Home Node configuration data including Identity Key metadata, Staking Address, and Collection Address — Purpose: node registration, performance monitoring, and reward calculation. Legal basis: contract performance (GDPR Art. 6(1)(b)). Retention: duration of active node plus 90 days.
• Communications and support requests — Purpose: customer support and legal rights protection. Legal basis: contract performance (GDPR Art. 6(1)(b)); legitimate interests (GDPR Art. 6(1)(f)). Retention: until dispute resolution or 3 years, whichever is later.

We automatically collect certain information when you access or use the Services. This information is used to ensure the security, functionality, and performance of the Services.

• IP address and approximate geographic location derived from IP — Purpose: network security, fraud detection, and sanctions compliance. Legal basis: legitimate interests (GDPR Art. 6(1)(f)); legal obligation (GDPR Art. 6(1)(c)). Retention: 90 days.
• Device and browser information: type, version, and operating system — Purpose: service optimization and security. Legal basis: legitimate interests (GDPR Art. 6(1)(f)). Retention: 90 days.
• Usage data: pages visited, features used, session duration, and interaction logs — Purpose: service improvement and analytics. Legal basis: legitimate interests (GDPR Art. 6(1)(f)). Retention: 90 days (aggregated/anonymized data may be retained indefinitely).
• API request logs: timestamps, endpoints accessed, and response codes — Purpose: billing, abuse prevention, and debugging. Legal basis: contract performance (GDPR Art. 6(1)(b)); legitimate interests (GDPR Art. 6(1)(f)). Retention: 90 days.
• Node operational metadata: connectivity status, uptime metrics, response latency, and health probe results — Purpose: reward calculation and network stability. Legal basis: contract performance (GDPR Art. 6(1)(b)). Retention: duration of active node plus 90 days.

Important clarification: We collect and process only node operational METADATA (connectivity, uptime, latency). We do NOT routinely monitor, inspect, decrypt, or analyze the CONTENT of traffic routed through Home Nodes. We do not collect or retain destination URLs, payload data, or content-level information of routed traffic. However, we may take limited and proportionate measures necessary to: comply with applicable law, respond to valid legal requests, and enforce our Terms of Service. This distinction is material under applicable data protection laws.

When you interact with smart contracts on the Creditcoin blockchain (e.g., staking SPACE tokens or claiming rewards), your transaction data is permanently and immutably recorded on a public ledger. This includes wallet addresses, transaction amounts, and timestamps.

Blockchain Immutability and Your Rights: Due to the cryptographic and decentralized nature of the Creditcoin blockchain, on-chain data cannot be modified, corrected, or deleted by us or any single party. This means:

• GDPR Article 17 (Right to Erasure): On-chain data falls within the exception under Article 17(3)(b) (compliance with a legal obligation requiring processing) and Article 17(3)(e) (establishment, exercise, or defense of legal claims). We cannot technically delete blockchain records. We inform you of this limitation BEFORE you initiate any on-chain transaction.
• Off-chain data: All personal information stored in our databases (not on the blockchain) is fully subject to deletion requests. Upon account deletion, we will delete or anonymize your off-chain personal information within 30 days, except where retention is required by applicable law.

You are informed of this limitation during account registration and must acknowledge it before initiating any staking transaction.

We use cookies and similar technologies, categorized as follows:

• Strictly Necessary Cookies (no consent required): session management, CSRF protection, security tokens, and fraud detection. These cookies are essential for the operation of the Services and cannot be disabled.
• Analytics Cookies (consent required): used to understand usage patterns and improve the Services. These are only set after you provide affirmative opt-in consent.
• Preference Cookies (consent required): used to remember your language and display preferences. These are only set after you provide affirmative opt-in consent.

Cookie Consent Mechanism: On your first visit to spacerouter.org, a cookie consent banner will be presented with the following options, none of which are pre-selected (in compliance with EDPB Guidelines 05/2020 and the ePrivacy Directive): 'Accept All' — enables all cookie categories; 'Reject All' — enables only strictly necessary cookies; 'Manage Preferences' — allows granular category-by-category selection.

Withdrawing Consent: You may withdraw cookie consent at any time through methods that are equally as easy as giving consent (GDPR Article 7(3)): (a) click the cookie settings icon available on every page of spacerouter.org; (b) update your browser settings to refuse cookies; or (c) email router.support@spacenetwork.com. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

We do not use third-party advertising or tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar cross-site tracking technologies.

For users in the EEA and UK, we process personal information only where we have a valid legal basis under GDPR Article 6(1):

Processing necessary to provide the Services you have requested, including: account creation and management, payment processing, node registration, staking reward calculation, API access, and customer support.

Processing required to comply with applicable laws, including: sanctions screening (OFAC, EU, UN), anti-money laundering obligations, tax record-keeping, law enforcement requests, and data breach notification requirements.

We rely on legitimate interests for the following purposes, having conducted a three-part balancing test for each:

• Fraud prevention and network security — Our interest: protecting the Services and users from unauthorized access, DDoS attacks, and abuse. Necessity: contract performance alone is insufficient to address malicious activity outside the contractual relationship. Balancing: our security interest outweighs the minimal privacy impact of processing IP logs and access patterns, which are retained for only 90 days. Your right to object: you may object under Article 21; however, we may demonstrate compelling legitimate grounds.
• Service improvement analytics — Our interest: understanding usage patterns to improve functionality and performance. Necessity: aggregated statistics alone are insufficient to identify specific usability issues. Balancing: we minimize privacy impact through pseudonymization and 90-day retention limits. Your right to object: you may object at any time, and we will cease processing for analytics purposes.
• Enforcement of Terms of Service — Our interest: detecting and preventing prohibited uses (Section 8 of Terms). Necessity: contractual terms alone cannot technically detect violations. Balancing: we intervene only upon detection of specific violations, not through general surveillance of all users. Your right to object: you may object under Article 21.

We rely on consent for: (a) non-essential cookies (analytics and preference cookies); and (b) marketing communications, where you have provided explicit, freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time, and withdrawal is as easy as giving consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

• To create and manage your account
• To process payments and prevent fraudulent activity
• To operate, maintain, and improve the Services
• To verify node registration and calculate staking reward eligibility based on node operational metadata
• To conduct sanctions screening and comply with applicable legal requirements including OFAC, EU, and UN sanctions regimes
• To communicate with you about your account, service updates, and security notices (not marketing — marketing requires separate consent)
• To respond to lawful legal process and enforceable government requests
• To enforce our Terms of Service and protect our legal rights
• To conduct pseudonymized internal analytics and improve user experience
• To detect and prevent abuse, fraud, and prohibited uses of the Services

We share your information with trusted third-party service providers who act as data processors on our behalf. Each provider has entered into a Data Processing Agreement (DPA) compliant with GDPR Article 28, which contractually obligates them to: (a) process personal data only on our documented instructions; (b) ensure confidentiality; (c) implement appropriate technical and organizational security measures (GDPR Article 32); (d) assist us in fulfilling data subject rights requests; and (e) delete or return all personal data upon termination of the service relationship.

Key service providers:

• Stripe, Inc. (payment processing) — Status: data processor. DPA: available at stripe.com/legal/dpa. Data processed: payment card data (we do not store full card numbers). Location: US/EU; SCCs applied for EEA/UK transfers.
• MailerLite (transactional email delivery) — Status: data processor. DPA: executed separately. Data processed: email addresses only (no other PII). Location: EU. Purpose: transactional emails only (account verification, security alerts), NOT marketing unless separate consent obtained.
• Microsoft Azure (cloud infrastructure) — Status: data processor. DPA: available at microsoft.com/licensing/docs/view/…. Data processed: all service data. SCCs applied as needed.

A complete list of sub-processors is available upon request at router.support@spacenetwork.com and is updated with at least 14 days' advance notice before adding new sub-processors.

We may disclose your information when required by applicable law, court order, subpoena, regulation, legal process, or enforceable governmental or regulatory request. We may also disclose information where we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Space Labs Ltd., our users, or the public, or to prevent fraud or illegal activity. Where legally permitted, we will make reasonable efforts to notify you before disclosing your information in response to legal process.

We are legally required to screen users against applicable sanctions lists maintained by the U.S. Office of Foreign Assets Control (OFAC), the United Nations Security Council, the European Union, the UK Office of Financial Sanctions Implementation (OFSI), and other relevant authorities. Our screening process includes:

• Automated screening at account registration against SDN (Specially Designated Nationals) and other applicable lists
• Periodic re-screening of existing users against updated sanctions lists
• We may share limited information (name, email, wallet address) with compliance service providers for screening purposes
• Users identified on applicable sanctions lists will have their accounts suspended and may be reported to relevant authorities as required by law (e.g., 31 CFR Part 501)

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide at least 30 days' advance notice before your information becomes subject to a materially different privacy policy, and will give you the opportunity to delete your account before the transfer takes effect.

• Sale: We do not sell your personal information to third parties for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (CCPA Section 1798.140(ad)).
• Sharing: We do not share your personal information with third parties for cross-context behavioral advertising purposes, as defined under the California Privacy Rights Act (CPRA Section 1798.140(ah)).

Service provider relationships described in Section 6.1 do not constitute 'selling' or 'sharing' under the CCPA/CPRA, as these providers act solely on our instructions and are contractually prohibited from using your data for their own commercial purposes.

California residents may exercise their right to opt out of sale or sharing (even though we do not engage in such activities) by contacting us at router.support@spacenetwork.com or visiting spacerouter.org/privacy.

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, as described in this Privacy Policy. We implement data minimization principles and limit the collection, use, and retention of personal data to what is necessary for providing the Services, ensuring security, and complying with legal obligations. Specific retention periods are:

• Account information: duration of active account plus 90 days after deletion request, unless longer retention is required by law
• Payment transaction records: up to 7 years as required by applicable tax and financial record-keeping laws
• Automatically collected data (IP, device, usage, API logs): 90 days from collection; aggregated/anonymized analytics data may be retained indefinitely
• Node operational metadata: duration of active node plus 90 days
• Support communications: until dispute resolution or 3 years, whichever is later
• On-chain blockchain data: permanent and immutable (see Section 3.3)

Upon account deletion, we will delete or anonymize your off-chain personal information within 30 days, except where retention is required by applicable law. We will confirm deletion to you in writing upon completion.

SpaceRouter is a global service. Your information may be transferred to and processed in countries other than your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

For transfers of personal data from the EEA or UK to countries without an adequacy decision from the European Commission or UK Secretary of State, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): We use the SCCs approved by the European Commission (Implementing Decision 2021/914), specifically Module Two (controller-to-processor) for transfers to our service providers. Copies of executed SCCs are available upon request at router.support@spacenetwork.com.
• Supplementary measures (Schrems II compliance): In accordance with the CJEU judgment in Case C-311/18 (Schrems II) and EDPB Recommendations 01/2020, we implement the following additional technical and organizational measures: (a) encryption of all data in transit using TLS 1.3 or higher; (b) encryption of data at rest using AES-256; (c) strict access controls based on the principle of least privilege; (d) contractual prohibition on service providers from complying with mass surveillance requests without notifying us; and (e) periodic transfer impact assessments.

Due to the decentralized nature of the SpaceRouter network, traffic may be routed through Home Nodes operated by independent participants in various jurisdictions. Such routing is performed automatically based on network conditions and does not involve the transfer of personal data by Space Labs Ltd. to those operators in a controlled processor relationship. Home Node operators do not receive personal data from Space Labs Ltd. in a structured or controlled manner, and do not act as data processors on behalf of Space Labs Ltd.. Instead, they function as independent network participants providing connectivity infrastructure. This architectural distinction is relevant for purposes of determining data transfer obligations under GDPR Chapter V and equivalent international data protection frameworks.

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption in transit: TLS 1.3 or higher for all communications; mTLS for internal service-to-service communications
• Encryption at rest: AES-256 for stored data
• Access controls: role-based access control (RBAC) with the principle of least privilege; multi-factor authentication for administrative access
• Regular security assessments: periodic vulnerability scanning, penetration testing, and security audits
• Incident response: documented incident response procedures with defined roles and escalation paths

In the event of a personal data breach:

• Supervisory authority notification (GDPR Article 33): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons. The notification will include: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.
• Data subject notification (GDPR Article 34): Where the breach is likely to result in a HIGH risk to your rights and freedoms, we will notify affected users without undue delay.
• CCPA notification: For California residents, we will provide notice as required under California Civil Code Section 1798.82.

No method of electronic transmission or storage is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security.

• Right to access the personal information we hold about you
• Right to correct inaccurate or incomplete information
• Right to request deletion of your personal information, subject to legal retention obligations and blockchain immutability (Section 3.3)
• Right to withdraw consent where processing is based on consent

To exercise any right, contact us at router.support@spacenetwork.com. We will verify your identity before processing any request and will respond within the timeframe required by applicable law.

In addition to the general rights above, EEA and UK users have the following rights:

• Right to data portability (Article 20): receive your personal data in a structured, commonly used, and machine-readable format
• Right to object to processing based on legitimate interests (Article 21): we will cease processing unless we demonstrate compelling legitimate grounds that override your interests
• Right to restrict processing (Article 18): request that we limit processing in certain circumstances
• Rights related to automated decision-making and profiling (Article 22): we do not currently make decisions based solely on automated processing that produce legal effects concerning you
• Right to lodge a complaint with your local data protection supervisory authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)

Response time: We will respond to all requests within one month of receipt (GDPR Article 12(3)). This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

California residents have the following rights under the CCPA and CPRA:

• Right to know: what personal information is collected, the sources, business purposes, categories of third parties with whom we share it, and specific pieces of personal information collected about you (CCPA Section 1798.100)
• Right to delete: request deletion of personal information (CCPA Section 1798.105)
• Right to opt out of sale/sharing: we do not sell or share personal information as defined under the CCPA/CPRA; however, you may submit an opt-out request at spacerouter.org/privacy or by emailing router.support@spacenetwork.com
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights (CCPA Section 1798.125)
• Right to correct: request correction of inaccurate personal information (CPRA Section 1798.106)
• Right to limit use of sensitive personal information: we do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA

To submit a verifiable consumer request, contact us at router.support@spacenetwork.com. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

The Services are not directed to individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we become aware that a minor has provided us with personal information without verifiable parental consent, we will take steps to delete that information within 30 days. If you believe a minor has provided us with personal information, please contact us immediately at router.support@spacenetwork.com.

The Services may contain links to or integrations with third-party websites, services, or platforms (including the Creditcoin blockchain, Stripe payment pages, and third-party websites accessed through our proxy network). This Privacy Policy does not apply to those third parties. We are not responsible for their privacy practices and strongly encourage you to review their privacy policies independently before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

• Material changes: We will provide at least 30 days' advance notice by: (a) prominently posting the updated Policy on spacerouter.org; (b) notifying you by email to your registered account email address; and (c) displaying an in-app notification where applicable.
• Minor changes (formatting, clarifications with no adverse impact on your rights): may take effect with 14 days' notice or immediately.

If you do not agree to the updated Policy, you may delete your account before the effective date of the changes without penalty. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

To exercise your rights, submit a data request, file a complaint, or ask questions about this Privacy Policy:

• Privacy inquiries and data subject requests: router.support@spacenetwork.com
• General support: router.support@spacenetwork.com
• Website: spacerouter.org
• Operated by: Space Labs Ltd.

We will respond to all requests within the timeframes required by applicable law: within 30 days for GDPR requests (extendable by 2 months) and within 45 days for CCPA requests (extendable by 45 days).

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.