Privacy Policy
Introduction
In Onchain Foundation (“Onchain”, “Foundation”, “we”, “our”, “us”) we are committed to protecting and respecting your privacy. We are a foundation established in Switzerland with a registered office at Dammstrasse 16, 6300 Zug, and for the purpose of the EU General Data Protection Regulation (the “GDPR”), if not specified otherwise in this privacy policy, we are the data controller.
We will process your personal data in accordance with the Swiss Federal Data Protection Act (the “FDAP”). The GDPR would apply to processing of your personal data as well if you are residing in the EU and such processing is done in connection with us offering you goods or services, irrespective of whether a payment of the data subject is required, or if your behavior is anyhow monitored. The GDPR would also apply, if any of the third-party service providers we use for processing of your personal data is based in the EU (e.g. Lightcurve GmbH).
This privacy policy (“Policy”) sets out the basis on which we will process any personal data or usage information we collect from you, or that you provide to us, in connection with:
- your use of our website under the domain www.onchain.org (the “Website”);
- your use of our online store (the “Online store”);
- Your use and/or subscription of reports (the “Reports”);
- your use of our newsletter (the “Newsletter”);
- and your participation in events and activities organized by Onchain, such as conferences, meetups, trainings etc. (collectively: “Events”).
Please read this Policy policy carefully so that you understand your rights in relation to your personal data, and how we will collect, use and process it. If you do not agree with this Privacy Policy in general or any part of it, you should not access the Website, use our store, purchase Reports, subscribe to Newsletter or participate in our events.
For every processing activity we provide you with information on the legitimate basis for such processing under the GDPR. The Swiss FDAP, on the other hand, does not require us to do so.
Changes and updates
This version of the Privacy Policy is effective as of March 6th, 2024, and applies to any new user of Website, Newsletter, online store, Reports, Events. For those who had been using the abovementioned services prior to that date the previous version of the Privacy Policy applies, if they consider it (or parts of it) as more favorable and protecting their interests to a higher extent.
Representative and Joint-controllership
Lightcurve GmbH, postal address: Köpenicker Strasse 126, 10179 Berlin, Germany; email: legal@lightcurve.io, (“Lightcurve”) is our representative in the European Economic Area (the “EEA”) for the purpose of communications and all issues related to data processing under the GDPR. In regards to some of the processing activities, Onchain and Lightcurve act as joint-controllers since they jointly determine the purposes and means of processing of your personal data. Regarding any issues related to such processing of your personal data or the execution of your rights (see section Your rights), feel free to contact either Onchain or Lightcurve (“Joint-controllership”). Appropriate information is provided in the description of the processing activities in this Policy whenever Joint-controllership occurs.
Lightcurve may also act as a sole data controller for particular processing activities. Each situation of that kind is always clearly specified in this Policy. Should that be the case, your personal data would be processed in accordance with this Policy and you will have the same rights and obligations as stated in this Policy. For further information about the processing of personal data by Lightcurve, please visit Lightcurve’s Privacy Policy.
Therefore, regarding any issues related to the processing of your personal data by Onchain or jointly by Onchain and Lightcurve, issues related to this Policy or execution of your rights (see: Your rights), feel free to contact either Onchain (legal@onchain.foundation) or Lightcurve (legal@lightcurve.io).
How do we process your personal data
- Personal data you give to us
- Website
What is collected:
Our Website collects certain information automatically and stores it in log files. The information may include:
- IP addresses,
- the region or general location where your computer or device is accessing the internet,
- preferred language used to display the website,
- device screen resolution,
- device type, browser type and operating system,
- mouse events (movements, locations and clicks),
- referring URL and domain,
- keypresses,
- date and time when the page was accessed,
- pages visited,
- model of your CPU and GPU.
In general, the above mentioned information is necessary to enter any website on the Internet with Hypertext Transfer Protocol (http); the applicable legal basis is the performance of the contract under GDPR Art.6.1(b) (terms and conditions of using the website).
We also use this information to help us design our Website to improve the user experience; the applicable legal basis for this is our legitimate interests under GDPR Art.6.1(f). For this purpose, we may also use tools provided by third parties, in particular analytical tools serving improvement of user experience.
As for the log files – we keep the haproxy logs for 52 days and cloudfront logs for a year.
The Website contains links to other websites. This Privacy Policy applies only to our Website, so if you click on a link to another website, you should read its privacy policy.
Social media sharing buttons:
You can share different content from our Website on your social media accounts by simply clicking on sharing buttons. Therefore, when clicking on the sharing buttons no personal data would be collected from you and shared with the social media providers.
Cookies:
When entering for the first time any of the websites we host you will be provided with a cookie notice. It will explain what type of cookies we use and will allow you to grant us consent on using them.
Cookies are text files placed on your device to collect standard Internet log information and visitor behavior information.
More information about the cookies we use and how we process information collected with their use may be found in our https://onchain.org/privacy-policy/.
We use Matomo as a third party analytics service, and to track our advertising campaigns on third party websites and services. We use Matomo to collect information about how our Website performs and how our users, in general, navigate through it. Types of information which may be collected from you vary and may include:
- your device and browser information;
- user ID (given to you by Matomo);
- anonymized IP-address;
- geolocation data;
- date, time, and duration of use of the Website;
- links you visited;
- links, by which you were addressed to the Website.
Matomo provides further information about its own privacy practices and cookieless tracking https://matomo.org/cookie-consent-banners/.
Furthermore, we use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes:
- a device’s IP address (processed during your session and stored in a de-identified form),
- device screen size,
- device type (unique device identifiers),
- browser information,
- geographic location (country only),
- and the preferred language used to display our website.
Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
This helps us evaluate our users’ use of the Website; compile statistical reports on activity; and improve our content and Website performance; the applicable legal basis is your consent under GDPR Art.6.1(a).
Your personal data will be processed also by our main contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity, since Lightcurve helps us to manage the Website.
B. Contact form
You may reach out to us through a contact form available on the Website: https://onchain.org/contact.
In order to do that, apart from writing your message or request, it is necessary that you provide us with your email address so we can contact you back. Your email address will be processed solely for the purpose of communicating with you in regards to your message or request; the applicable legal basis for this is our legitimate interests under GDPR Art.6.1(f).
Your personal data will be processed also by our main contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity
CAUTION! We do not advise you to send us any data that is considered to be sensitive personal data in the meaning of Art. 9 GDPR, i.e. information on your racial or ethnic origin, sexual orientation, marital status, political affiliation, religion or any other beliefs, health, criminal records or a trade union membership.
Moreover, If you disclose personal information about others in your message, you declare and warrant that you are authorized to do so and that you will permit us to use such information in accordance with this Privacy Policy.
C. Online store
If you use our online store to purchase products offered by us, we process data necessary for the conclusion, execution, or termination of a contract between you and Onchain. This includes:
- First name, last name, title, salutation
- Billing and delivery address, if applicable, address supplement
- Email address
- Billing and payment data
- Company and VAT ID
- Telephone number, if applicable
For the execution of the purchase contract, the following data processing is also required:
For the payment methods credit card and Coinbase Commerce, we transmit the necessary payment data to an authorized payment service provider.
The processing of credit card payments is entrusted to Stripe Payments UK Ltd. All entries of credit card data are entered directly into the system of Stripe and cannot be read or stored by us.
Payments with cryptocurrency are processed by the payment service provider Coinbase Commerce. All entries of payment data are entered directly into the Coinbase Commerce system and cannot be read or stored by us. For payment processing, we transmit your name, invoice amount, and delivery address to Coinbase Commerce if you have chosen this payment method. Without the transmission of your personal data, we cannot process a payment via Coinbase Commerce, but you can choose another payment method. Further information on data processing by Coinbase Commerce can be found at: https://commerce.coinbase.com/legal/privacy-policy/
We pass on information about your delivery address to a company commissioned by us for the purpose of processing the purchase contract, Team Sunday. If the goods are not shipped by a shipping partner, we pass on information about your delivery address as well as the necessary order data to them. Further information on data processing by Team Sunday can be found at https://teamsunday.com/legal/privacy-policy/:
To ensure that the delivery of the goods meets your wishes, we use your email address to contact you in advance of the delivery to inform you of the delivery time.
The legal basis for this is Article 6(1)(b) GDPR, i.e., you provide us with the data on the basis of the contractual relationship between you and us.
If we do not use your contact data for advertising purposes, we store the data collected for contract processing until the expiration of the statutory or possible contractual warranty and guarantee rights. After this period, we keep the information required for the contractual relationship for the legally specified periods under commercial and tax law. For this period, the data are processed again solely in the event of an audit by the tax authorities.
D. Newsletter
You can subscribe to our Newsletter if you want to receive recent information. In order to do so, you will need to provide us with your email address to which the Newsletter will be sent.
By subscribing to the Newsletter, you consent to processing of your email address. We will not use these personal data for any other purpose than circulating the Newsletter.
You may unsubscribe at any time by clicking the following link: https://onchain.org/my-account/account-newsletter/ .
In order to circulate the Newsletter, we use the services provided by Hubspot with which we will share your email address.
Your personal data will be processed also by our main contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity, since Lightcurve helps us to provide content for and manage the Newsletter.
E. Reports
You can purchase our Reports if you want to receive solution-oriented research reports focused on real-world industries that are or can already be improved thanks to blockchain. In order to do so, you will need to provide us with your email address to which the Reports will be sent.
By purchasing the Reports, you consent to processing of your email address. We will not use these personal data for any other purpose than circulating the Reports.
In order to circulate the Reports, we use the services provided by Hubspot with which we will share your email address.
Your personal data will be processed also by our main contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity, since Lightcurve helps us to provide content for and manage the Reports.
F. Events
Onchain organizes different types of events, both online and offline. In order to participate in some of the Events, you may be required to register beforehand and provide us with following personal data:
- Your name;
- Your email address;
- Company Name / Employer Name
- Depending on the event, we might also process your discord username upon your prior consent.
The abovementioned personal data will be used only for the purpose of communicating with you in regards to that particular event you registered for and for verifying your identity when you join the event; the applicable legal basis is performance of contract under GDPR Art.6.1(b).
In addition to that, you may also be asked to provide your consent to reproduce your physical likeness for marketing purposes (in case the event will be filmed or photographed). In case you decide to refuse to grant such consent, this shall not harm your right to participate in any particular Event. All your personal data obtained in that form will be processed solely for the purpose you consented for.
Your personal data will be processed also by our contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity, in case of Lightcurve helping us to organize and run Events.
2. Personal data we get from third parties
In exceptional cases (such as events), we may obtain your personal data from third parties – service providers. We will process it only if it was obtained in compliance with the applicable data protection regulation.
Whenever we will process personal data obtained from third parties, this Policy shall apply.
When and how we share your data
Depending on the processing activity, we may share your personal data with our third-party service providers working on our behalf. Every third party with which we will share your personal data comes from a jurisdiction which guarantees an adequate level of protection to the one provided for in the GDPR. Furthermore, as a rule, before we share any personal data of our users with third parties, we conclude appropriate data processing agreements with the recipients that guarantee security of the data and the rights of the data subjects.
Lightcurve
Your personal data will be shared with our main partner and representative in the EEA – Lightcurve. Depending on the processing activity, Lightcurve may act either as a sole controller of your data, as a joint controller with Onchain or as a processor. Specific information about Lightcurve’s role in regards to your personal data is stated in respective sections of this Privacy Policy which refer to particular processing activity. There, you will also find information about purposes of the processing as well as about applicable lawful bases for processing.
Lightcurve is based in Berlin, Germany and its privacy policy may be found here: https://lightcurve.io/privacy-policy.
Other third-party service providers
We may also share your personal data with other third party service providers. When doing so, we make sure that your personal data is processed and transferred, if necessary, in accordance with the applicable data protection regulations (e.g. the GDPR and the Swiss Data Protection Act).
The following categories of third-party providers are used to enable / improve the work of our website:
- Cloud storage providers,
- Web hosting providers;
- Email notification provider;
- Webpage analytics providers;
- CRM Software provider;
- Internal content management systems (CMS);
- Internal collaboration tools;
- Logistic service providers;
- Shipping companies;
- Payment processors.
Should you wish to know more about the third party service providers with whom we share your personal data as well as to know the actual categories of the personal data, feel free to reach out to us at legal@onchain.foundation.
Where do we store your data
The information that we collect from you will be transferred to, and stored at/processed within the European Economic Area (EEA), Switzerland, the United Kingdom, the United States and in other countries where our third party service providers are located. We will take all steps reasonably necessary to ensure that your personal data is treated securely, with a level of protection adequate to GDPR and in accordance with this policy. We have provided further details below regarding the steps taken to ensure adequacy of the processing of your personal data.
White Listed Countries:
Switzerland was found to have an adequate level of protection for personal data under European Commission Decision 2000/518/EC of 26 July 2000.
The United Kingdom was found to have an adequate level of protection of personal data under Commission Implementing Decision of 28th June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.
Consequences of invalidation of Privacy Shield:
CAUTION! Taking into account the Court of Justice of the European Union’s decision in “Schrems II” C-311/18 in which the CJEU declared the EU-US Privacy Shield invalid, we undertake to ascertain the adequate level of protection of your personal data by entering into Model Clauses (described below) with our third-party service providers located in the US.
Model Clauses:
If we are transferring data to a third party located outside of the EEA who is not in a White Listed Country, we will enter into the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses pursuant to Decision 2010/87/EU – SCCs) with the relevant data importer. Prior to entering into SCCs we assess, on a case-by-case basis, as outlined in the CJEU decision in Schrems II case, whether an adequate level of data protection, comparably to the level of data protection within the EU is given in the country where the data will be transferred to. If the appropriate level of protection is not given, additional protection provisions and measures will be contractually agreed and/or implemented by us to ensure the protection of personal data.
How long do we store your data
We aim to always store your personal data for the minimal period of time thus for the time we actually need it. We may, however, keep your personal data for a longer period of time. We will do that only in order to meet legal requirements imposed on us by the applicable laws and regulations.
We regularly review our information and erase or anonymise personal data when we no longer need it.
The security of your personal data
Unfortunately, the transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted through the Website or over email; any transmission is at your own risk.
Nevertheless, once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal data against loss, theft and unauthorized use, access or modification.
We will, from time to time, host links to and from the websites of our affiliates or third parties. If you follow a link to any of these websites, these websites will have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to those websites.
Your rights
In certain circumstances you have rights in relation to the personal data we hold about you. We set out below an outline of those rights and how to exercise those rights. Please note that we will require you to verify your identity before responding to any requests to exercise your rights.
To exercise any of your rights, please send your request by an email to: legal@onchain.foundation.
Please note that for each of the rights below we may have valid legal reasons to refuse your request, in such instances we will let you know if that is the case.
CAUTION! Please also bear in mind that we are not a data controller in regards to any personal data stored on blockchains. Therefore we will not be able to satisfy your requests if you decide to exercise your rights.
Access:
You have the right to know whether we process personal data about you, and if we do, to access data we hold about you and certain information about how we use it and who we share it with.
Correction:
You have the right to require us to correct any personal data held about you that is inaccurate and have incomplete data completed.
Erasure:
You may request that we erase the personal data we hold about you in the following circumstances:
- where you believe it is no longer necessary for us to hold the personal data,
- we are processing it on the basis of your consent and you wish to withdraw your consent,
- we are processing your data on the basis of our legitimate interest and you object to such processing,
- you no longer wish us to use your data to send you marketing or you believe we are unlawfully processing your data.
Please provide us with as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure.
Restriction of Processing to Storage Only:
You have a right to require us to stop processing the personal data we hold about you other than for storage purposes in the following circumstances:
- you believe the personal data is not accurate for the period it takes for us to verify whether the data is accurate,
- we wish to erase the personal data as the processing we are doing is unlawful but you want us to simply restrict the use of that data;
- we no longer need the personal data for the purposes of the processing but you require us to retain the data for the establishment,
- exercise or defence of legal claims; and
- you have objected to us processing personal data we hold about you on the basis of our legitimate interest and you wish us to stop processing the personal data whilst we determine whether there is an overriding interest in us retaining such personal data.
Objection:
You have the right to object at any time to our prospective processing of data about you and we will consider your request. Please provide us with details as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims.
Withdrawal of Consent:
Where you have provided your consent to us processing your personal data, you can withdraw your consent at any time.
Newsletter: You may unsubscribe at any time by clicking the following link: https://onchain.org/my-account/account-newsletter/.
Cookies: If you no longer want cookies to be stored on your device, you can withdraw your consent at any time (see: https://onchain.org/privacy-policy ) and by adjusting your browser settings, so that your browser refuses all cookies or the cookies from third parties. You can also delete the cookies that have already been placed on your device.
The European Interactive Digital Advertising Alliance website Your Online Choices allows you to install opt-out cookies across different advertising networks.
Data Portability:
In case you have provided information directly to us, you have the right to receive a copy of these data and require us to transfer it to a third party. This right, however, only applies to information you provided to us and, not to the information we collected about you.
Objection to Marketing:
At any time you have the right to object to our processing of data about you in order to send you marketing information including where we build profiles for such purposes and we will stop processing the data for that purpose.
Complain to the authority:
At any time you have the right to lodge a complaint to the competent supervisory authority.
Onchain is established in Switzerland which is not a part of the EEA. Thus, there is no lead supervisory authority over processing activities described in this Policy. Therefore, you are free to contact any data protection authority which is competent for the place of your residence or for the place where you think we have infringed your rights within the EEA. Contact details for data protection authorities in the EEA are available here.
Nevertheless, for any processing activity where joint-controllership between Onchain and Lightcurve occurs, you can lodge a complaint to the Berlin Commissioner for Data Protection (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
Disclaimer
This Privacy Policy contains links to other websites. Please note that by clicking on a link you will be redirected to another website or document. These websites can be beyond Onchain’s sphere of influence. Liability is excluded. The operators of the linked websites are solely responsible for their content. We refer you to their privacy policy.
Contact
In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at legal@onchain.foundation and we will endeavor to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the data protection supervisory authority in the EEA country in which you live or work or where you think we have infringed data protection laws.