Privacy Policy

Effective Date: March 10, 2026

1. Scope

This Privacy Policy describes how Aetherum, Inc. (“Aetherum,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the Aetherum platform and our website at aetherum.ai.

Aetherum is a business-to-business (B2B) platform. We do not offer services directly to individual consumers. When we process member data on behalf of a credit union or institutional partner, we act as a data processor under the direction of the Institution (the data controller).

2. Information We Collect

Institutional Contact Information

We collect names, email addresses, phone numbers, and job titles of authorized representatives at partner institutions for account management, communications, and support.

Member Data (Processed as Data Processor)

When a credit union member uses the Aetherum-powered lending workflow, the Institution may transmit member data to our platform for processing. This may include identity information, financial account data, digital asset holdings, and loan application details. Aetherum processes this data solely on behalf of and under the instructions of the Institution.

Website Visitors

When you visit aetherum.ai, we may collect standard web analytics data such as IP address, browser type, pages visited, and referring URL.

3. How We Use Information

We use information to:

• Provide, maintain, and improve the Aetherum platform
• Process loan origination workflows and generate DACS risk assessments on behalf of partner institutions
• Communicate with institutional partners about their accounts and our services
• Ensure platform security and prevent fraud
• Comply with legal obligations
• Analyze website usage to improve our online presence

4. Legal Bases for Processing

We process information based on the following legal bases:

• Contractual necessity — To fulfill our obligations under Master Service Agreements with partner institutions
• Legitimate interests — To operate, improve, and secure our platform and business
• Legal obligations — To comply with applicable laws and regulatory requirements
• Consent — Where specifically required, such as for certain marketing communications

5. How We Share Information

We share information only as necessary to provide our services. Our sub-processors include:

• BitGo — Institutional digital asset custody and transaction processing
• Plaid — Financial account connectivity, identity verification, and consumer reporting
• Sardine — KYC/AML identity verification and fraud prevention
• Railway — Cloud infrastructure and application hosting
• MongoDB Atlas — Cloud database services
• Kraken — Digital asset pricing data and market information

We do not sell personal information. We may disclose information if required by law, regulation, legal process, or governmental request.

6. Data Retention

We retain institutional contact information for the duration of the business relationship and for a reasonable period thereafter for record-keeping purposes.

Member data processed on behalf of partner institutions is retained in accordance with the terms of the applicable MSA and regulatory requirements. Unless otherwise specified, we retain transaction and loan records for seven (7) years following the end of the business relationship, consistent with financial services record-keeping requirements.

7. Cookies

Our website uses cookies limited to:

• Essential cookies — Required for basic website functionality and security
• Analytics cookies — Used to understand website traffic and usage patterns

We do not use advertising or tracking cookies. We do not participate in cross-site tracking or behavioral advertising.

8. Security

We implement industry-standard security measures to protect information, including:

• TLS encryption — All data in transit is encrypted using TLS 1.2 or higher
• Role-based access controls — Access to data is restricted based on job function and need-to-know
• Multi-factor authentication (MFA) — Required for all platform access and administrative functions

While we take reasonable precautions to protect information, no method of electronic transmission or storage is 100% secure.

9. Your Rights

Depending on your jurisdiction, you may have rights regarding your personal information, including the right to access, correct, delete, or port your data, and the right to restrict or object to certain processing.

If you are a credit union member whose data is processed through our platform, please contact your credit union directly to exercise your rights, as the credit union is the data controller for your information.

Institutional contacts may exercise their rights by contacting us at legal@aetherum.ai.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

California residents may contact us at legal@aetherum.ai to exercise their rights under the CCPA/CPRA.

11. GLBA Notice

Aetherum operates as a service provider to credit unions and financial institutions under the Gramm-Leach-Bliley Act (GLBA). The credit union or financial institution using our platform is the covered financial institution responsible for providing privacy notices to its members and customers as required by GLBA and Regulation P.

Our handling of nonpublic personal information received from partner institutions is governed by our MSA and applicable data processing agreements.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days’ prior written notice to partner institutions. The updated policy will be posted on this page with a revised effective date.

13. Contact

For questions about this Privacy Policy or our data practices, please contact:

Aetherum, Inc.
Email: legal@aetherum.ai