1. Who we are

This notice is issued by LMTS Development Ltd ("LMTS", "we", "us", or "our"), a private limited company incorporated under the laws of England and Wales on 10 April 2026, with company number 17148125 and registered office at 128 City Road, London, EC1V 2NX, United Kingdom.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, LMTS is the data controller for personal data processed in connection with this website, our future applications, and our business operations.

The dedicated point of contact for any matter relating to your personal data is privacy@lmts.app.

2. Scope of this notice

This notice describes how we process personal data in the following contexts:

• your visit to lmts.app and any associated subdomains;
• email or postal correspondence you initiate with us;
• applications that we publish on the Apple App Store, Mac App Store, and other distribution channels once they become available; and
• any beta, TestFlight, or developer-preview programme operated by us.

As of the effective date of this notice, LMTS has not yet released any consumer-facing application. Where this notice describes data processing that is application-specific, those provisions will only apply from the date the relevant application is made available, and will then be supplemented by an application-specific privacy disclosure presented in-app and on the App Store product page in accordance with Apple App Review Guideline 5.1.1.

3. Our privacy principles

• Data minimisation. We only request access to data that is necessary for the feature you are using, in line with App Review Guideline 5.1.1(iii).
• Purpose limitation. We process personal data only for purposes that are clearly identified to you at the point of collection.
• On-device by default. Wherever technically feasible, sensitive data — including cryptographic keys, recovery phrases, biometric templates, and authentication secrets — is stored exclusively on your device and never transmitted to us.
• No advertising tracking. Our products do not contain advertising SDKs and do not participate in cross-app or cross-site tracking of any kind.
• No sale of personal data. We do not sell, rent, or otherwise commercially disclose personal data to third parties.

4. Personal data we collect

The categories below describe data we may process. Not all categories apply at all times; the actual data processed depends on which of our services you use.

4.1 Website usage data

When you visit lmts.app, our content-delivery provider (bunny.net) automatically logs limited technical data needed to deliver the page and protect the service against abuse. This includes your truncated/anonymised IP address, user-agent string, requested URL, HTTP status code, and timestamp. This information is processed on the basis of our legitimate interest in operating a secure website and is retained for no longer than is necessary for that purpose.

4.2 Correspondence data

If you write to us at one of our published email addresses, we will receive the content of your message, your email address, and any other information you choose to include. We process this on the basis of our legitimate interest in responding to enquiries, or — for matters relating to a future contract — on the basis of pre-contractual steps you have requested.

4.3 Application data (future products)

When you install and use an LMTS application, we may process the categories of data set out below. Each category is shown together with the purpose for which it is processed and whether it leaves your device.

Category	Purpose	Leaves device?
Device identifiers (vendor-scoped only, e.g. identifierForVendor)	Securely associate in-app state with the installation	No (used locally) unless you opt-in to cloud sync
Application diagnostics (crash logs, performance metrics)	Detect and fix software defects	Only with your explicit opt-in, via Apple's built-in diagnostics framework
App preferences and settings	Preserve your configuration between sessions	Stored on device; synced via iCloud only if you enable it in iOS Settings
Public blockchain addresses you choose to use in the app	Display balances, transaction history, and signing requests	Yes — queried against public blockchain nodes; addresses are pseudonymous public identifiers
Email address (only if you create an optional account)	Account recovery and service-related communications	Yes — stored on EU-based infrastructure

5. Data we do not collect

The following categories of data are never transmitted to LMTS or to any third party acting on our behalf:

• Private keys, seed phrases, or recovery phrases associated with any digital-asset wallet generated or imported in our applications. These are generated on your device, stored in the platform's secure enclave or equivalent hardware-backed key store, and never leave your device by design.
• Biometric data (Face ID / Touch ID templates). Biometric authentication is performed entirely by the operating system; we receive only a yes/no signal.
• Contents of the iOS Keychain other than items the application itself wrote.
• Photos, contacts, location, microphone, camera, health, or motion data — unless a specific feature explicitly requests one of these permissions, in which case it will request it through the standard iOS permission prompt and will function strictly within the scope you grant.
• Advertising identifiers (IDFA). We do not collect or process the IDFA and will not present the App Tracking Transparency prompt unless required by a future feature, in which case the prompt and any associated processing will be limited to what is strictly disclosed.

6. Purposes & legal bases

Purpose	Legal basis (UK GDPR Art. 6)
Delivering this website and protecting it from abuse	Art. 6(1)(f) — legitimate interests
Responding to your correspondence	Art. 6(1)(b) pre-contractual steps; or Art. 6(1)(f) legitimate interests
Providing the functionality of an LMTS application that you have installed	Art. 6(1)(b) — performance of a contract (our Terms of Service)
Optional analytics or diagnostics	Art. 6(1)(a) — your explicit consent, withdrawable at any time
Complying with legal obligations (e.g. tax, accounting, lawful requests from competent authorities)	Art. 6(1)(c) — legal obligation
Defending or asserting legal claims	Art. 6(1)(f) — legitimate interests

7. Digital-asset features (when offered)

LMTS is engaged in the research and development of self-custodial software relating to digital assets. We consider it important to be unambiguous about how such software is intended to work and what it is not.

• Self-custodial. Any wallet generated or imported in an LMTS application is non-custodial: the private keys are generated on, and held exclusively by, your device. LMTS has no ability to access, freeze, recover, or transfer funds held in your wallet. If you lose your device and your recovery phrase, neither LMTS nor any third party can restore access.
• No custody. We do not, and do not intend to, operate as a custodian, exchange, broker, money services business, money transmitter, or virtual asset service provider. Our applications do not hold customer funds or facilitate trades on our own account.
• No tokens, no offerings. LMTS has not issued, and does not intend to issue, any token, coin, or other digital asset. We do not facilitate, and our applications do not facilitate, Initial Coin Offerings, securities trading, or any other regulated activity within the meaning of Apple App Review Guideline 3.1.5(iv).
• Public addresses are pseudonymous, not anonymous. Where you choose to query an address in the app, that address is transmitted to a public blockchain node (operated either by us or by a reputable third-party RPC provider) to retrieve balances and transaction history. We do not link the address to your identity unless you voluntarily provide identifying information.
• No on-device mining. Our applications do not, and will not, perform cryptocurrency mining on the user's device, in compliance with Apple App Review Guideline 3.1.5(ii).
• Regional availability. Any feature that requires a licence or registration in a particular jurisdiction will be made available only in jurisdictions where we hold, or rely on a properly licensed partner that holds, the necessary permissions, in compliance with Apple App Review Guideline 3.1.5(iii) and 5.1.1(ix).

8. Third parties & sub-processors

We rely on a small number of carefully selected sub-processors to operate our services. Each is bound by a written data-processing agreement that requires it to provide a level of protection equivalent to that set out in this notice, in line with App Review Guideline 5.1.1(i).

Sub-processor	Purpose	Region
BunnyWay d.o.o. (bunny.net)	Static website hosting and CDN; edge server logs	European Union (Slovenia / EU PoPs)
Apple Inc. / Apple Distribution International	App distribution, TestFlight, App Store Connect, Sign in with Apple, iCloud (only if enabled by you)	Ireland / United States
Public blockchain RPC providers (used only when a digital-asset feature is invoked)	Read-only queries of public ledgers	Varies; selected for jurisdictional suitability

We do not share personal data with advertising networks, data brokers, or any third-party AI service for model training. We do not engage in the sale of personal data within the meaning of any applicable privacy law.

9. Retention & deletion

• Website edge logs: retained for up to 30 days for security and abuse-detection purposes, then deleted or fully anonymised.
• Correspondence: retained for up to 24 months from the last interaction, unless a longer period is required by law or to defend a legal claim.
• Application data stored on your device: retained until you delete it from within the application or uninstall the application.
• Optional account data (if you create one): retained for the lifetime of the account and deleted within 30 days of account closure, except for records we are required to retain by law.
• Records required by company law: retained for the period prescribed by the Companies Act 2006 and applicable tax legislation (typically six years from the end of the relevant accounting period).

You may request deletion of personal data we hold about you at any time by writing to privacy@lmts.app. Deletion requests are normally completed within 30 days.

10. International transfers

Personal data is processed primarily within the United Kingdom and the European Economic Area. Where personal data is transferred to a country outside the UK or EEA — for example, in connection with Apple's services — we rely on an adequacy regulation, the UK International Data Transfer Agreement, or the European Commission's Standard Contractual Clauses, supplemented where appropriate by additional technical and organisational measures.

11. Your rights

Subject to the conditions set out in the UK GDPR, you have the right to:

• obtain confirmation of, and access to, personal data we hold about you;
• have inaccurate personal data corrected;
• request erasure of personal data ("right to be forgotten");
• restrict or object to certain processing;
• receive personal data in a portable, machine-readable format;
• withdraw consent at any time where processing is based on consent; and
• not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not currently carry out any such processing).

Requests are free of charge in the ordinary course and will be answered within one month, with the possibility of a two-month extension for complex requests. To exercise any of these rights, write to privacy@lmts.app.

12. Withdrawing consent

Where we rely on your consent — for example, for optional diagnostics or for marketing-style communications — you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. In our applications, consent can be withdrawn from the in-app Privacy settings; via the iOS system permission screen; or by writing to us.

13. Children

Our website and our future applications are not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal data from such children. If you believe that a child has provided personal data to us, please contact privacy@lmts.app and we will take appropriate steps to delete it.

14. Security

We implement technical and organisational measures appropriate to the risk, including: transport encryption (TLS 1.2+) for all network communication; storage of sensitive material in hardware-backed key stores on the user's device; principle of least privilege for engineering access; secret rotation; mandatory two-factor authentication for administrative accounts; and a documented incident-response procedure. Suspected vulnerabilities can be reported confidentially to security@lmts.app.

15. Tracking & App Tracking Transparency

We do not engage in "tracking" within the meaning of Apple's App Tracking Transparency (ATT) framework. We do not link data collected from our applications to data collected by other companies for advertising or measurement purposes, and we do not share data with data brokers. Our applications will not present the ATT prompt unless a future feature genuinely requires it; if and when that becomes the case, this notice will be updated and the in-app disclosure will explain the specific reason.

16. Changes to this notice

We may update this notice from time to time to reflect changes in our products, in the law, or in the expectations of regulators and platform operators. Material changes will be communicated by updating the effective date at the top of this page and, where appropriate, by a more prominent notice within our applications.

17. Contact & complaints

If you have a question, concern, or complaint about how we handle your personal data, please write to us first at privacy@lmts.app. We will do our best to resolve the matter promptly.

You also have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, ico.org.uk. If you are located in the European Economic Area, you may lodge a complaint with your local data-protection authority.