Legal

S3 Markets, Inc. Privacy Policy

Last Updated: April 20, 2026

S3 Markets, Inc. ("S3 Markets," "S3," "Company," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and protect information about you when you access or use our website located at https://www.s3markets.com, the S3 Markets platform, registry, marketplace, dashboards, APIs, smart contracts, records, reports, and related services that S3 Markets makes available from time to time (collectively, the "Platform").

This Privacy Policy is incorporated into and subject to the S3 Markets Terms of Use available at https://www.s3markets.com/terms-of-use or such other URL as we may designate from time to time (the "Terms"). Capitalized terms not defined in this Privacy Policy have the meanings given to them in the Terms.

Please read this Privacy Policy carefully. By accessing or using the Platform, you acknowledge that we may collect, use, disclose, retain, and protect your information as described in this Privacy Policy. If you do not want us to process your Personal Data as described in this Privacy Policy, you should not access or use the Platform.

This Privacy Policy is intended to address applicable privacy laws, which may include, depending on your location and interaction with us, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and other applicable privacy and data protection laws.

1. Scope of this Privacy Policy

This Privacy Policy applies to information we collect through or in connection with the Platform, including information collected from:

visitors to our website;
users who create or access Platform accounts;
buyers, producers, channel partners, auditors, observers, administrators, and other approved Platform participants;
individuals who communicate with us by email, form submission, meeting, support request, or other channel;
individuals associated with companies or organizations that use or evaluate the Platform;
individuals whose information is included in EAC documentation, transaction records, retirement records, compliance records, or public-facing retirement certificates.

This Privacy Policy does not apply to third-party websites, applications, services, or platforms that we do not control. If you access third-party services through links or integrations on the Platform, your use of those services is governed by the applicable third party’s privacy policy and terms.

2. Personal Data We Collect

"Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual or household.

The Personal Data we collect depends on how you interact with us and the Platform.

2.1 Categories of Personal Data We May Collect

Category of Personal Data	Examples	Sources	Purposes
Account and contact information	Name, business email address, phone number, company name, title, role, username, account credentials, authorized user information	You, your employer or organization, authorized users, business partners	Account creation, account administration, user authentication, customer support, communications, Platform access
Business and organizational information	Company profile, business address, role in a transaction, buyer or producer status, channel partner status, project affiliation, authorized representatives	You, your organization, transaction counterparties, onboarding materials	Onboarding, project setup, user permissions, transaction administration, buyer and producer relationship management
KYC, compliance, and eligibility information	Identity verification information, sanctions screening information, jurisdiction, compliance questionnaires, transaction purpose information, authorized signatory information, beneficial ownership or control information where applicable	You, your organization, compliance vendors, public records, sanctions lists, counterparties	Compliance screening, sanctions compliance, fraud prevention, transaction eligibility, legal and regulatory compliance
Platform usage information	Login history, pages viewed, actions taken, dashboard activity, session data, feature usage, support interactions	Automatically from your activity on the Platform	Operating the Platform, security, analytics, troubleshooting, improving the Platform, auditability
Device and internet activity information	IP address, browser type, device identifiers, operating system, referring and exit pages, access times, log files, cookie identifiers	Automatically from your browser or device	Security, fraud prevention, analytics, eligibility determinations, Platform performance, troubleshooting
Approximate geolocation information	Approximate location inferred from IP address	Automatically from your browser or device	Security, sanctions and geographic access controls, analytics, eligibility determinations
Transaction and EAC lifecycle information	EAC allocations, transfers, retirements, cancellations, expirations, balances, project IDs, batch IDs, token IDs, transaction IDs, retirement IDs, claim status, payment status, lifecycle event history	You, Platform activity, producers, buyers, channel partners, Platform records, smart contracts, databases	EAC lifecycle management, registry administration, auditability, reporting, transaction records, claim support, Platform integrity
Managed custody and blockchain-related information	Managed Custody Wallet addresses, custody vault records, public blockchain addresses, token balances, token IDs, smart contract interactions, transaction hashes, blockchain network information	Platform records, blockchain networks, smart contracts, service providers	Custody administration, EAC issuance, allocation, transfer, retirement, recordkeeping, auditability, reconciliation
Buyer Hash and pseudonymous identifier information	Buyer Hashes, hash inputs, anonymized buyer names, actual buyer names if approved, internal buyer IDs, account IDs, pseudonymous identifiers	You, your organization, Platform records, onboarding process	Privacy-preserving recordkeeping, lifecycle tracking, public or private registry records, reconciliation, auditability
Documentation and supporting records	Lifecycle assessments, environmental product declarations, production reports, sales reports, delivery records, contractual representations, certificates, verification materials, audit files, project documentation, uploaded files	You, producers, buyers, channel partners, verifiers, auditors, consultants, service providers	Project configuration, EAC issuance, EAC allocation, EAC retirement, audit support, claim substantiation, reporting, recordkeeping
Communications information	Emails, meeting notes, support requests, form submissions, feedback, survey responses, call notes, correspondence with S3 Markets	You, your organization, S3 Markets personnel, communication tools	Responding to inquiries, customer support, relationship management, legal and business recordkeeping, improving the Platform
Marketing and event information	Marketing preferences, newsletter signups, webinar or event registrations, meeting requests, campaign interactions	You, event platforms, marketing tools, referral sources	Marketing, business development, event management, communications, measuring engagement
Payment and billing information	Billing contact, invoice information, payment status, tax information, wire details, payment processor records	You, your organization, payment processors, banks	Billing, payment processing, accounting, tax compliance, collections
Public registry and retirement certificate information	Buyer name or approved buyer identifier, producer name where applicable, project name, EAC quantity, commodity, vintage, retirement date, retirement purpose, retirement certificate ID, Buyer Hash, transaction hash, public registry entries	You, producers, buyers, Platform records, transaction documentation	Public retirement certificates, registry transparency, auditability, claim support, standards alignment, market integrity

We may also collect other information you choose to provide to us or that is reasonably necessary to operate, secure, improve, or administer the Platform.

3. Public Blockchain Records, Buyer Hashes, and Retirement Certificates

The Platform may use blockchain-based records, tokenized representations, cryptographic hashes, smart contracts, off-chain databases, supporting documentation, and other technical controls to maintain records of EAC lifecycle events.

3.1 Public or Semi-Public Blockchain Records

Certain Platform activity may be recorded on public or semi-public blockchain networks. This may include Managed Custody Wallet addresses, smart contract addresses, token IDs, transaction hashes, lifecycle event records, metadata, Buyer Hashes, and other blockchain-related identifiers.

Blockchain records may be public, persistent, immutable, difficult or impossible to delete, and visible to third parties. Even where records are pseudonymous or hash-based, third parties may be able to correlate blockchain activity with other information and infer information about a user, transaction, or EAC.

3.2 Buyer Hashes

S3 Markets may use cryptographic hashes, including buyer-specific hashes or other pseudonymous identifiers (each, a "Buyer Hash"), to designate, identify, or associate EAC balances, allocations, retirement records, and other Platform activity with a buyer or account.

A Buyer Hash may be generated from a buyer name, anonymized buyer name, internal buyer identifier, or other information approved or provided through the Platform or associated onboarding process. Buyer Hashes are intended to support privacy, auditability, record integrity, and lifecycle tracking, but they do not eliminate all risks of re-identification or correlation.

3.3 Public-Facing Retirement Certificates

When an EAC is retired, S3 Markets may generate a retirement certificate, retirement record, public registry entry, or similar documentation. Retirement certificates may be public-facing documents.

Public-facing retirement certificates may include information such as:

the name of the buyer or an approved buyer identifier;
the name of the producer or project, where applicable;
the commodity or intervention type;
the EAC quantity retired;
the vintage, production period, or reporting period;
the retirement date;
the retirement purpose or claim category;
the retirement certificate ID;
the relevant Buyer Hash;
relevant token IDs, transaction hashes, or registry identifiers;
other information required by Platform rules, transaction documents, standards, market practices, or applicable law.

Because retirement certificates may be public-facing and may be used to support market transparency, auditability, claim substantiation, and registry integrity, S3 Markets may be unable to delete, redact, or modify certain retirement certificate information after publication, except where S3 Markets determines that correction is appropriate and technically and legally feasible.

4. How We Collect Personal Data

We may collect Personal Data from the following sources:

directly from you when you create an account, complete onboarding, submit forms, upload documents, communicate with us, or use the Platform;
from your employer, organization, authorized representatives, or other users associated with your account;
from producers, buyers, channel partners, auditors, verifiers, consultants, transaction counterparties, and other Platform participants;
automatically from your browser, device, and Platform activity;
from public blockchain networks and smart contracts;
from public sources, sanctions lists, regulatory databases, company registries, and compliance screening tools;
from service providers, including analytics, hosting, compliance, security, payment, customer support, and communication providers;
from third parties you authorize or direct to provide information to us.

5. How We Use Personal Data

We may use Personal Data for the following purposes:

to provide, operate, maintain, secure, and improve the Platform;
to create and administer user accounts;
to authenticate users and manage access permissions;
to conduct onboarding, KYC, sanctions screening, eligibility review, and other compliance checks;
to configure projects, producers, buyers, EAC batches, and Platform workflows;
to issue, allocate, transfer, retire, cancel, expire, reconcile, and report EACs;
to administer the Managed Custody Solution;
to generate, maintain, and reconcile Buyer Hashes and other pseudonymous identifiers;
to generate retirement certificates, public registry entries, transaction records, reports, and audit trails;
to process payments, invoices, taxes, and accounting records;
to provide customer support and respond to inquiries;
to communicate with you about the Platform, transactions, updates, security issues, legal notices, and administrative matters;
to send marketing, event, or business development communications where permitted by law;
to analyze usage, improve Platform performance, and develop new features;
to detect, prevent, and investigate fraud, abuse, unauthorized access, cybersecurity incidents, sanctions risks, and illegal activity;
to enforce our Terms, transaction documents, Platform rules, and other agreements;
to comply with legal, regulatory, tax, accounting, sanctions, audit, and reporting obligations;
to protect the rights, safety, property, and integrity of S3 Markets, users, counterparties, and the public;
to evaluate or complete a merger, financing, acquisition, reorganization, sale, or other corporate transaction.

6. Legal Bases for Processing Personal Data

If GDPR, UK GDPR, or similar laws apply, our legal bases for processing Personal Data may include:

Performance of a contract: where processing is necessary to provide the Platform, administer the Terms, process transactions, or provide requested services.
Legitimate interests: where processing is necessary for our legitimate business interests, including operating and improving the Platform, ensuring security, preventing fraud, maintaining records, conducting analytics, supporting auditability, and communicating with users.
Legal obligation: where processing is necessary to comply with laws, regulations, sanctions requirements, tax rules, legal process, or regulatory obligations.
Consent: where we ask for and receive your consent, such as for certain marketing communications or optional processing activities.
Public interest or substantial public interest: where applicable law permits or requires processing for compliance, fraud prevention, sanctions screening, or similar purposes.

Where we rely on consent, you may withdraw your consent at any time, but withdrawal will not affect the lawfulness of processing conducted before withdrawal or processing based on another lawful basis.

7. How We Disclose Personal Data

We do not sell Personal Data in the ordinary sense of exchanging Personal Data for money. We may disclose Personal Data as described below.

Category of Recipient	Why We Disclose Personal Data
Service providers and contractors	To support hosting, cloud infrastructure, analytics, email, customer support, security, compliance screening, payment processing, document storage, communications, and Platform operations
Cloud hosting and infrastructure providers	To host the Platform, store data, operate databases, maintain backups, support security, and provide technical infrastructure
Blockchain networks and infrastructure providers	To record or support EAC lifecycle events, smart contract interactions, token IDs, transaction hashes, and related blockchain activity
KYC, sanctions, and compliance vendors	To verify identity, screen users, assess eligibility, prevent fraud, and comply with legal and regulatory requirements
Payment processors, banks, and accounting providers	To process payments, invoices, taxes, accounting records, and financial administration
Producers, buyers, channel partners, and transaction counterparties	To support onboarding, project configuration, EAC transactions, allocations, transfers, retirements, reporting, claim support, and auditability
Auditors, verifiers, assurance providers, consultants, and professional advisers	To support project review, documentation review, audit processes, legal advice, accounting advice, tax advice, environmental review, and business operations
Public registry users and members of the public	To publish public-facing retirement certificates, public registry records, and other information intended to support transparency, auditability, and market integrity
Law enforcement, regulators, courts, and government authorities	To comply with applicable law, legal process, regulatory inquiries, sanctions requirements, investigations, or requests from government authorities
Corporate transaction parties	In connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, diligence process, or similar transaction
Affiliates and internal personnel	To operate our business, administer the Platform, provide services, secure systems, support users, and manage legal, compliance, and operational matters
Other parties with your direction or consent	Where you direct us to disclose information or consent to a disclosure

We may also disclose aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, subject to applicable law.

8. Cookies and Similar Technologies

We may use cookies, pixels, tags, log files, software development kits, and similar technologies to collect information about your use of the website and Platform.

We may use these technologies to:

operate and secure the website and Platform;
remember preferences and settings;
authenticate users and manage sessions;
measure website and Platform performance;
understand usage patterns;
improve the Platform and user experience;
detect and prevent fraud, abuse, and unauthorized access;
support marketing and business development activities, where permitted by law.

Depending on the tools we use, cookies and similar technologies may collect information such as IP address, browser type, device type, operating system, referring pages, pages viewed, links clicked, and time spent on pages.

You can control cookies through your browser settings. Blocking cookies may affect your ability to use certain website or Platform features.

We do not currently respond to "Do Not Track" browser signals. Where required by applicable law, we will provide mechanisms to manage cookie preferences or opt out of certain tracking technologies.

If we use analytics or advertising tools that constitute "sharing" or "targeted advertising" under applicable privacy laws, we will provide any required disclosures and opt-out mechanisms.

9. Marketing Communications

We may send you marketing, event, newsletter, or business development communications where permitted by law. You may opt out of marketing emails by using the unsubscribe link in the email or contacting us at help@s3markets.com.

Even if you opt out of marketing communications, we may still send you non-marketing communications, including legal notices, security alerts, account messages, transaction notices, Platform updates, and administrative communications.

10. How Long We Retain Personal Data

We retain Personal Data for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods may depend on:

the nature of the information;
the purpose for which it was collected;
legal, tax, accounting, audit, and regulatory requirements;
sanctions, fraud prevention, and compliance obligations;
contractual obligations;
dispute resolution and enforcement needs;
Platform security needs;
EAC lifecycle, registry, retirement, and auditability requirements;
the need to preserve public-facing retirement certificates and registry records.

Because the Platform is designed to support EAC lifecycle management, auditability, market integrity, and public retirement records, we may retain certain transaction records, registry records, Buyer Hashes, blockchain identifiers, retirement certificates, and supporting documentation for extended periods.

Certain blockchain records may be public, immutable, and technically impossible for S3 Markets to delete.

If you request deletion of your Personal Data, we will evaluate the request in accordance with applicable law. We may retain information where necessary or permitted for legal, compliance, audit, security, fraud prevention, tax, accounting, dispute resolution, Platform integrity, registry integrity, or public record purposes.

11. How We Protect Personal Data

We use reasonable administrative, technical, and physical safeguards designed to protect Personal Data against loss, misuse, unauthorized access, disclosure, alteration, and destruction.

These safeguards may include access controls, authentication, encryption, logging, monitoring, vendor review, backup procedures, security policies, and personnel access limitations.

No method of transmission or storage is completely secure. We cannot guarantee absolute security of Personal Data, blockchain records, Platform records, or internet communications.

You are responsible for maintaining the confidentiality and security of your account credentials, devices, email accounts, authorized users, passwords, and multi-factor authentication methods.

12. International Data Transfers

S3 Markets is based in the United States. If you access or use the Platform from outside the United States, your Personal Data may be transferred to, stored in, or processed in the United States and other jurisdictions that may not provide the same level of data protection as your jurisdiction.

Where required by applicable law, we use appropriate safeguards for international transfers, which may include standard contractual clauses, data processing agreements, or other lawful transfer mechanisms.

By using the Platform or providing information to us, you acknowledge that your information may be transferred to and processed in the United States and other jurisdictions.

13. California Privacy Rights

If you are a California resident, the CCPA may provide you with certain rights regarding your Personal Data, subject to exceptions and limitations.

13.1 Categories of Personal Data Collected

In the preceding 12 months, we may have collected the categories of Personal Data described in Section 2 of this Privacy Policy, which may include identifiers, commercial information, internet or electronic network activity information, geolocation information, professional or employment-related information, sensitive Personal Data where applicable, and inferences drawn from other information.

13.2 Categories of Sources

We collect Personal Data from the sources described in Section 4.

13.3 Purposes for Collection, Use, and Disclosure

We collect, use, and disclose Personal Data for the purposes described in Sections 5 and 7.

13.4 Categories of Third Parties

We may disclose Personal Data to the categories of recipients described in Section 7.

We do not sell Personal Data in the ordinary sense of exchanging Personal Data for money.

Depending on the analytics, advertising, or marketing technologies we use, certain disclosures may be considered a "sale," "sharing," or "targeted advertising" under applicable privacy laws. If applicable, we will provide any required opt-out mechanism.

13.6 Sensitive Personal Data

We do not use or disclose sensitive Personal Data for purposes other than those permitted by applicable law, such as providing the Platform, security, fraud prevention, compliance, and other authorized purposes.

13.7 Your California Rights

Subject to applicable exceptions, California residents may have the right to:

know what Personal Data we collect, use, disclose, sell, or share;
access specific pieces of Personal Data we maintain about you;
request deletion of Personal Data;
request correction of inaccurate Personal Data;
opt out of sale or sharing of Personal Data, where applicable;
limit the use and disclosure of sensitive Personal Data, where applicable;
not be discriminated against for exercising privacy rights.

To exercise these rights, contact us at help@s3markets.com or write to us at:

S3 Markets, Inc.
249 Third Street
Cambridge, MA 02142

We may verify your identity before responding to your request. We may deny requests where permitted by law, including where we need to retain information for legal, compliance, audit, security, tax, accounting, dispute resolution, registry integrity, public retirement certificate, or blockchain record purposes.

13.8 Authorized Agents

You may designate an authorized agent to submit a privacy request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly with us.

We will not ask you or your authorized agent to provide your password to verify a privacy request.

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar privacy rights, you may have the right to:

access your Personal Data;
correct inaccurate Personal Data;
request deletion of Personal Data;
object to processing;
restrict processing;
request portability of Personal Data;
withdraw consent where processing is based on consent;
object to direct marketing;
lodge a complaint with a data protection authority.

You may exercise these rights by contacting us at help@s3markets.com.

These rights may be subject to exceptions and limitations. For example, we may retain information where necessary for legal compliance, contract performance, legitimate business purposes, public registry records, blockchain records, auditability, security, fraud prevention, sanctions compliance, dispute resolution, or EAC lifecycle integrity.

15. Automated Decision-Making

We do not currently make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, unless we determine that such processing is permitted under applicable law and subject to appropriate safeguards.

We may use automated or semi-automated tools to support security, fraud prevention, sanctions screening, access controls, analytics, and Platform administration. Where required by law, we will provide applicable notices and rights related to such processing.

16. Children’s Privacy

The Platform is not intended for children. We do not knowingly collect, use, sell, or share Personal Data from anyone under the age of 16.

If we learn that we have collected Personal Data from a child under 16, we will take reasonable steps to delete that information, subject to applicable law and technical limitations.

17. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, platforms, or services. We are not responsible for the privacy practices, security, content, or policies of third parties.

Your use of third-party services is governed by the applicable third party’s privacy policy and terms. We encourage you to review those policies before providing Personal Data to third parties.

18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, Platform functionality, or business operations.

If we make material changes, we may notify you by email, Platform notice, website posting, or another reasonable method. The revised Privacy Policy will be effective when posted or as otherwise stated in the notice.

Your continued use of the Platform after the revised Privacy Policy becomes effective means you acknowledge the revised Privacy Policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

S3 Markets, Inc.
249 Third Street
Cambridge, MA 02142
Email: help@s3markets.com