Privacy
Policy

BayLeaf OÜ, operating as Tomorrow's Wallet ("we", "us", or "our"), is committed to protecting your personal information and being transparent about how we collect, use, and share it.

This Privacy Policy applies to the Tomorrow's Wallet platform, mobile application, and all related services (collectively, the "Service"). BayLeaf OÜ is incorporated under the laws of the Republic of Estonia and is subject to the General Data Protection Regulation (EU) 2016/679 (GDPR). Where our users are residents of India, we additionally comply with the Digital Personal Data Protection Act, 2023 (DPDPA).

By using our Service, you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please discontinue use immediately.

The data controller for your personal information is:

BayLeaf OÜ
Trading as: Tomorrow's Wallet
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551
Republic of Estonia
Email: privacy@tomorrowswallet.in

3.1 Information You Provide Directly

• Account registration data: Full name, email address, mobile number, date of birth, and government-issued identity documents (PAN, Aadhaar reference number) required for KYC/AML compliance.
• Financial account data: Bank account details, UPI handles, and financial institution credentials accessed through India's Account Aggregator (AA) framework with your explicit, revocable consent.
• Communication data: Support messages, feedback, and any content you send us directly.
• Wallet and automation preferences: Rules, automation instructions, yield allocation settings, and subscription management preferences you configure within the Service.

3.2 Information Collected Automatically

• Device and technical data: IP address, device identifiers, operating system, browser type, and app version.
• Usage data: Pages visited, features used, interaction timestamps, session duration, and clickstream data.
• Transaction data: Records of yield accruals, rule triggers, payment events, and balance changes.
• Analytics data: Behavioral patterns collected via first-party and third-party analytics tools (see Section 9 and our Cookie Policy).

3.3 Information from Third Parties

• Account Aggregator partners: Financial data shared by licensed AA entities under the RBI's AA Framework, solely on the basis of your active, informed consent.
• Email signal data: With your explicit permission, limited metadata from connected email accounts (e.g., Gmail) is processed to identify billing and subscription signals. We do not read, store, or index the full content of your emails. We access only structured signals relevant to your financial automation rules.
• Screen Time / Device Activity data: With your explicit permission on supported devices, app usage duration data is accessed locally on your device to power subscription management rules. This data is processed on-device where possible and is not transmitted to our servers unless strictly necessary for rule execution.
• Blockchain and on-chain data: Public transaction data associated with connected wallets, which is inherently public on the Solana blockchain and not considered private data under applicable law.
• Identity verification partners: KYC/AML verification data from licensed identity verification providers.

We use collected information to:

• Provide, operate, and improve the Service
• Execute your automation rules and yield allocations
• Complete KYC/AML verification as required by law
• Detect fraud, abuse, and security threats
• Send transactional notifications and — with consent — marketing communications
• Comply with legal obligations under Estonian, EU, and Indian law
• Analyse anonymized, aggregated data to improve product quality
• Establish, exercise, or defend legal claims

We do not sell your personal data. We do not use your financial data for targeted advertising.

• Public ledger: All on-chain transactions are recorded permanently on a public blockchain. This data is outside our control and cannot be deleted.
• Wallet addresses: When you connect a non-custodial wallet, your address is visible on-chain. We associate it with your account for service functionality only.
• No private key storage: We never store, access, or transmit your private keys or seed phrases.

All third-party processors are bound by Data Processing Agreements (DPAs) under GDPR Article 28. For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

We retain your personal data for as long as:

• Your account remains active, or
• Required by law (financial records: typically 7 years under Estonian Accounting Act and Indian PMLA), or
• Necessary to resolve disputes or enforce agreements.

On account deletion, personal data is anonymized or deleted within 30 days, except where legally required to retain it. Blockchain records are permanent and cannot be deleted by any party.

Under GDPR (All Users)

• Access (Art. 15): Request a copy of your data
• Rectification (Art. 16): Correct inaccurate data
• Erasure (Art. 17): Request deletion, subject to legal retention obligations
• Restriction (Art. 18): Restrict processing in certain circumstances
• Portability (Art. 20): Receive your data in a machine-readable format
• Objection (Art. 21): Object to processing based on legitimate interests
• Withdraw consent (Art. 7(3)): Revoke consent at any time without affecting prior processing
• Lodge complaint: With the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee or your local EU supervisory authority

Additionally Under DPDPA 2023 (Indian Users)

• Nomination: Nominate another person to exercise your rights in case of death or incapacity
• Grievance redressal: File a complaint with our Grievance Officer or the Data Protection Board of India

To exercise any right: privacy@tomorrowswallet.in — we respond within 30 days.

We use analytics tools to understand how users interact with our Service. See our Cookie Policy for full details. You may opt out of non-essential analytics at any time via our Cookie Preference Centre.

We implement:

• AES-256 encryption at rest; TLS 1.3 in transit
• Role-based access controls with least-privilege principles
• Regular penetration testing and security audits
• Multi-factor authentication on internal systems
• Incident response and breach notification procedures

In the event of a breach affecting your rights, we will notify you and the Estonian Data Protection Inspectorate within 72 hours as required by GDPR Article 33.

The Service is not directed to individuals under 18. We do not knowingly collect data from minors. Contact us immediately at privacy@tomorrowswallet.in if you believe a minor has registered.

Material changes will be communicated at least 14 days before taking effect via email or in-app notification. Continued use constitutes acceptance.

Data Protection Officer:
[INSERT DPO NAME]
dpo@tomorrowswallet.in
BayLeaf OÜ, Ahtri tn 12, 15551, Tallinn, Estonia

Grievance Officer (India — IT Act):
[INSERT NAME]
grievance@tomorrowswallet.in

Estonian Supervisory Authority:
Andmekaitse Inspektsioon | www.aki.ee | +372 627 4135