Privacy Policy

Last Updated:

Introduction

This Privacy Policy (“Policy”) describes how Terminal 3 HK Limited (“Terminal 3”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data across our websites, applications (web and mobile), software development kits, application programming interfaces, and related services (collectively, the “Services”), and sets out your privacy rights.

Terminal 3 provides confidential computing infrastructure that enables enterprises and developers to store, process, and verify sensitive data without taking custody of it. Our guiding principle is that access to data should never require its transfer: data remains encrypted within hardware-secured environments, and computation returns results without exposing the underlying data.

We understand that you care about your personal privacy, and we take that responsibility seriously. Terminal 3 manages, collects, uses, and discloses personal data in compliance with the Personal Data (Privacy) Ordinance of Hong Kong (“PDPO”) and the European Union General Data Protection Regulation (“GDPR”). We recognize that information privacy is an ongoing responsibility, and we will update this Policy from time to time as we undertake new personal data practices or adopt new procedures.

Who this Policy applies to

This Policy applies to:

  • Website visitors — individuals who browse our websites, subscribe to communications, or contact us;
  • Identity end users — individuals who hold a Terminal 3 identity account that is accessed through one of our enterprise customers (each, a “Relying Organization”); and
  • Developers — individuals who register for and use our developer products, including the Agent Developer Kit.


Where you access Terminal 3 through a Relying Organization, that organization’s own privacy notice also applies to the data it handles in its relationship with you. Where personal data is processed by a developer’s application or agent, the developer (and not Terminal 3) is the controller of that data, and Terminal 3 acts as the developer’s processor, processing such data only to provide the Services.

Your use of the Services is also governed by the Terminal 3 Terms of Service, which set out the terms on which you may use our website and Services.

How our infrastructure protects your data

All Terminal 3 products are built on T3 Network, our confidential computing layer. As a result, the following protections apply to personal data processed through our products:

  • Client-side encryption. Each value is encrypted using AES-256-GCM within the client software development kit before it leaves your device.
  • Threshold key management. Encryption keys are split across multiple independent nodes using threshold cryptography (ML-KEM, FIPS 203). Decryption requires a quorum of nodes, which means that no single party — including Terminal 3 — can decrypt your data on its own, and the compromise of any single node does not expose your data.
  • Hardware-secured computation. Computation is performed inside Trusted Execution Environments (Intel TDX), which are hardware-isolated regions where data is processed without plaintext being accessible to applications, to the surrounding operating system, or to Terminal 3’s infrastructure operators.
  • Jurisdictional data residency. Data can be pinned to a specific jurisdiction (for example, the EU, APAC, or North America) so that it is stored and processed within that region, helping to meet residency requirements under the GDPR, PDPA, APPI, and similar laws.
  • Verifiable audit trail. Every data access, computation, policy evaluation, and credential verification is recorded in a tamper-evident, cryptographically linked audit ledger that can be independently verified by third parties.
  • Post-quantum cryptography. The encryption and key-management standards we use (AES-256-GCM and ML-KEM, FIPS 203) are designed to remain secure against future quantum-computing attacks.

Collection of personal data

Terminal 3 may collect and process personal data about you directly from you, from your interactions with the Services, by combining information we collect through service providers and partners, or from publicly available sources such as social media or other third-party sites.

The personal data we collect may include:

  • Identifiers — such as your real name, email address, date of birth, gender, national identification number, or other similar identifiers;
  • Digital identity information — such as your public virtual wallet addresses, decentralized identifiers (DIDs), on-chain transactions, and holdings;
  • Credential data — verifiable credentials we issue, verify, or revoke, and related metadata;
  • Preference data — such as demographic information and interests;
  • Behavioral data — such as your online interactions with the Services;
  • Website and device data — such as your IP address, the region or general location from which you access the internet, browser type, operating system, and information about your use of our website, including the pages you view;
  • Developer account data — such as registration details, account identifiers, and API credentials; and
  • Any other personal data you choose to provide.


We will not collect or process sensitive personal data unless we have obtained your explicit consent as may be required under applicable law.

Two categories of identity data

For identity end users, your account may hold two categories of data, which are treated differently:

  • Private User Data — identity data that is protected by cryptographic controls that you authorize. You control access to it. Terminal 3 cannot access, change, or delete your Private User Data without your authorization, except where technically necessary to provide, secure, or support the Services, or where required by law. It is held in protected, access-controlled environments.
  • Regulated User Data — identity data that the law requires to be collected and retained, such as data used for identity verification, anti-money-laundering, counter-terrorist-financing, sanctions screening, or fraud prevention. This data is held in controlled record-keeping environments (“Regulatory Vaults”) and may be accessed, retained, or disclosed only as required by law or by valid and verified legal or regulatory process. Because the law requires its retention, you may not be able to delete Regulated User Data on request.

Use of personal data

We use your personal data to fulfill the purposes of our Services and to provide and improve them, including:

  • to deliver the products and services that you or your organization have requested;
  • to standardize data and make it interoperable across systems;
  • to enrich data with additional profile information, where authorized;
  • to issue, verify, and revoke verifiable credentials;
  • to verify your digital identity;
  • to allow you to manage and share access to your personal data, at your discretion;
  • to operate, maintain, secure, and improve the Services, including troubleshooting and analytics;
  • to communicate with you, including to send service messages and, where permitted, marketing messages, offers, and notifications, in a privacy-preserving manner;
  • to comply with our legal and regulatory obligations; and
  • for other purposes with your consent or as permitted by applicable law.


Possible future capability: Terminal 3 may in the future offer features that allow you to monetize or receive rewards in connection with authorized access to data that you control. Any such feature would be optional and subject to additional terms and your consent at that time. We do not currently offer data-monetization or rewards features.

Sharing data with third parties

Your personal data is accessed in a privacy-preserving manner and shared only as described below.

With your permission, Terminal 3 can perform queries on your encrypted data using confidential computing, which means results can be produced and shared without revealing the underlying data. The results of those queries, together with cryptographic proofs of authenticity, may be presented to parties you have authorized — without exposing your underlying private data. For example, you may grant a company permission to contact you by email without that company ever seeing or storing your email address.

We share personal data only:

  • With parties you authorize — third parties you choose to authorize, access, or authenticate with through the Services;
  • With service providers — parties that help us provide the Services or perform business functions on our behalf, such as hosting, infrastructure, technology, communication, and identity-verification providers. These providers are authorized to use your personal data only as necessary to provide their services to us and are required to implement appropriate security measures; and
  • Where required by law — to comply with applicable law, regulation, or valid legal process, or to protect the rights, safety, and security of Terminal 3, our users, or others.


Verification of your identity may be performed by independent third-party providers (such as document-verification or sanctions-screening services). Terminal 3 does not control, and is not responsible for, the methods or accuracy of those third-party providers.

Cookies and similar technologies

We use cookies and similar technologies to recognize you when you visit our website. We use cookies to distinguish you from other users, identify access, monitor web traffic on our website, and improve our services. Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.

We use the following types of Cookies:

  • Necessary Cookies: These cookies are strictly necessary to provide you with services available through our website and to use some of its features, such as access to secure areas. Without these cookies, the services that you have asked for cannot be provided, and we only use these cookies to provide you with those services.
  • Functional Cookies: These cookies allow our website to remember choices you make (such as your language) and provide enhanced, more personal features. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.
  • Analytics Cookies: These cookies collect information about how you use our website, including which pages you visited and which links you clicked on. We use this information to compile reports and to help us improve our website. The cookies collect information in a way that does not directly identify anyone.


You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how to manage your cookie settings, please check your browser’s help menu.

Data storage and retention

Terminal 3’s operations are supported by hardware-secured confidential computing infrastructure. Personal data is encrypted and stored within access-controlled environments and, where applicable, pinned to a specific jurisdiction. Private user data is not stored on any public blockchain, even in encrypted form.

We retain personal data only for as long as necessary for the purposes set out in this Policy and to comply with our legal and regulatory obligations. You may request deletion of your Private User Data at any time (see “Your rights” and “Accounts created through organizations”), subject to legally required retention of Regulated User Data. When we delete data, we remove it from active storage; where complete destruction is not technically possible, we render the data permanently inaccessible.

Accounts created through organizations

If you create or hold a Terminal 3 identity account through an organization (such as a financial institution, employer, university, online platform, decentralized autonomous organization, service provider, or community), your account remains your own and you remain in control of your personal data. The organization may request certain information related to your relationship with it (for example, your role, membership, or eligibility), but it can access such information only if you choose to share it. Terminal 3 provides the infrastructure that allows you to manage this access and does not transfer ownership or control of your data to the organization.

You may contact Terminal 3 directly at privacy@terminal3.io at any time to access, manage, or delete your personal data, including to exercise the rights described in this Policy.

Account portability

Your Terminal 3 account is personal to you and may be used across more than one organization over time. Even if the organization through which you first signed up discontinues its use of Terminal 3, your account and associated personal data will remain under your control and continue to be governed by this Policy, until you instruct otherwise (subject to legally required retention of Regulated User Data). Where technically feasible, we will provide your personal data to you, or transfer it, at your request.

Information we collect through our website

As is true of most websites, our website automatically collects certain information and stores it in log files. This information may include internet protocol (IP) addresses, the region or general location from which your device accesses the internet, browser type, operating system, and other usage information, including a history of the pages you view. We use this information to administer and secure the website, to diagnose problems with our servers, to analyze trends and visitor movements, and to gather broad demographic information that helps us understand visitor preferences and design the site to better suit our users’ needs.

In addition, our website may collect personal data from you when you request assistance through our “Contact Us” form, subscribe to newsletters, or request other information from us. Terminal 3 has a legitimate interest in understanding how members, customers, and potential customers use its website so that it can provide more relevant products and services and communicate effectively.

The terms on which you may use our website and its content are set out in the Terminal 3 Terms of Service.

Children's data

The Services are not directed to minors, and we do not knowingly solicit or collect personal data from children. If you believe a minor has provided us with personal data, please contact us so that we can take appropriate action.

Your rights

The GDPR and other applicable privacy laws provide data subjects with certain rights. Subject to applicable law, these include:

  • Right to be informed — to know what personal data we collect and how we use it.
  • Right of access — to confirm whether we are processing your personal data and to obtain a copy of it.
  • Right to rectification — to have inaccurate personal data corrected.
  • Right to erasure — to request deletion of your personal data, subject to certain exceptions (including legally required retention of Regulated User Data).
  • Right to restrict processing — to request that we limit how we process your data in certain circumstances.
  • Right to data portability — to receive your data in a portable format or have it transferred where technically feasible.
  • Right to object — to object to certain processing, including processing for direct marketing.
  • Rights relating to automated decision-making and profiling — to not be subject to decisions based solely on automated processing where those decisions produce legal or similarly significant effects.


If you wish to confirm that Terminal 3 is processing your personal data, to access that data, or to exercise any of these rights, please contact us. You may also request information about the purposes of processing, the categories of personal data concerned, the recipients of the data, the source of the data (if you did not provide it directly), and how long it will be stored.

Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, we will provide you with a date by which the information will be provided. If access is denied, we will explain why. In many jurisdictions, you also have the right to lodge a complaint with the appropriate data protection authority if you have concerns about how we process your personal data.

To exercise your rights or raise a concern, email us at privacy@terminal3.io. If you are located in the European Union, you may also have recourse to your national data protection authority or the European Data Protection Supervisor.

Data Protection Officer

Terminal 3 is headquartered in Hong Kong and has appointed a Data Protection Officer whom you may contact with any question or concern about our personal data practices, or to exercise your privacy rights, by email at privacy@terminal3.io.

Changes to this Policy

We may update this Policy from time to time. We will indicate the date of the most recent revision in the “Last Updated” field above. We encourage you to review this Policy periodically.