5. Wallet Security

Unlike traditional banking, most crypto wallets are self-custodial — meaning users are responsible for storing their own wallet credentials. If a mnemonic (seed) phrase is lost, access to the wallet and its funds can be permanently lost, with no way to recover them through a third party.

Many users underestimate this responsibility and rely on insecure storage methods such as screenshots, notes apps, unencrypted files or emails — all of which pose serious security risks if a device is lost, hacked or shared.

APPROACH

The THAT app is designed as a non-custodial wallet. Users generate and control their own keys, and the Company does not have access to, or the ability to recover, a user’s mnemonic phrase or private keys.

The Company encourages users to:

• create secure backups of their mnemonic phrase using offline methods (for example, writing it down and storing it in a safe place), and

• avoid storing seed phrases in cloud-synced locations or easily accessible formats such as screenshots, plain text notes or other unencrypted documents.

To help protect access on a given device, the THAT app supports local security features such as a PIN code and, where available, biometric authentication (for example, Face ID or fingerprint). These protections are enforced by the device’s operating system and are intended to reduce the risk of unauthorized access to the app on that device. They do not replace the need for users to keep a secure backup of their mnemonic phrase.

Where supported by device manufacturers or operating systems, the THAT app may provide optional interfaces to system-level security features (for example, secure hardware modules or user-controlled encrypted backups). Any such features will be optional, will not give the Company access to users’ keys, and may not be available on all devices.

Users always retain full control over their wallet credentials and are responsible for maintaining secure backups. The Company cannot restore access to a wallet if a user loses their mnemonic phrase or private keys, and does not guarantee the security of any particular storage method, device feature or third-party service.