Updated December 2022
I. Data controller
- The operator of the Web 3.0 Foundation website available under https://spec.polkadot.network (hereinafter referred to as the "Website") and offeror of blockchain-related services (such as currently e.g. the Polkadot Network, the Kusama Network and the Thousand Validators programme (hereinafter jointly and individually referred to as the "Services") and, thus, the Data Controller is the Web 3.0 Technologies Foundation, a company registered in the commercial register of the Canton of Zug, Switzerland (registration number CH-322.596.347), with the registered address Baarerstrasse 14, 6300 Zug, Switzerland (hereinafter referred to as "Controller", "we", "us").
- We nurture and steward technologies and applications in the fields of decentralized web software protocols, particularly those, which utilize modern cryptographic methods to safeguard decentralization. Data protection is important to us and Controller adheres to the applicable data protection laws and regulations. This includes both the Swiss Federal Act on Data Protection ("FADP") and privacy requirements where applicable to individuals in the European Union and the member states of EFTA under the General Data Protection Regulation (hereinafter "GDPR") and/or other applicable national laws.
- This Website contains links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or their processing of your personal information.
- For questions or requests related to data processing by us (such as request for information, deletion, revocation of consent, objection to data processing), you may revert by mail to the address above or write us an e-mail at [email protected]
II. Types of Data collected
Controller respects the privacy of the User and will not collect and process any other data (such as name, address, phone number, e-mail address, IP address, device type etc.) unless they are
- provided voluntarily by the User;
- gathered as a result of specific verifications performed by third parties included in Section X.C below based on the Personal Data provided by the User;
For further information on additional data collected through any of our blockchain-offerings, please consult Section XI below.
III. Mode of Processing
A. Use of Personal Data
Data transmitted by the User to Controller may be used as follows:
- to create a user account;
- to respond to your inquiries and your correspondence;
- for marketing analysis purposes, in particular to better understand the needs of Users and improve the Services of Controller, and to provide Users with relevant information relating to any of our networks operated;
- to ensure our Website functions correctly, in particular to ensure that content from our Website is presented in the most effective manner for you and for your computer;
- to maintain or improve our services offered through the Website.
Please consult Section XI below to get further information on additional use of your data collected on any of our network offerings.
B. Legal basis of processing
The Controller may process Personal Data of Users if one of the following applies:
- Users have given their consent for one or more specific purposes. Note: Under some legislations, the Controller may be allowed to process Personal Data until the User objects to such processing ("opt-out"), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law (GDPR);
- provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
- processing is necessary for the establishment, exercise or defence of legal claims or proceedings;
- processing is necessary for compliance with a legal and regulatory obligation to which the Controller is subject;
- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Controller;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.
In any case, the Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or a contractual requirement, or a requirement necessary to enter into a contract.
Within and to the extent under the scope of application of the GDPR, the data processing described in this clause III. is justified in order to provide our contractually agreed services to you pursuant to Art. 6 para. 1 sentence 1 letter b GDPR and to comply with legal obligations to which we are subject pursuant to Art. 6 para. 1 letter c GDPR.
C. Methods of processing, access to data and disclosure to third parties
The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.
Access to Personal Data is limited to those employees and/or third parties assigned with processing tasks who therefore need to know about this data. These employees and/or third parties are subject to confidentiality undertakings and/or data processing agreements and must comply with applicable data protection laws.
Controller does not sell, transfer or market your Personal Data to third parties (who may use them for their own purposes). However, we may disclose your Personal Data to trusted third parties and/or certain types of persons in charge, involved with the operation of this Website (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies, our auditors, third parties involved in hosting or organizing events or seminars) appointed, if necessary, as Data Processors by the Controller.
Please consult Section XI below for lists of all third party processors currently assigned with processing activities on our behalf on any of our networks operated.
Your Personal Data will not be disclosed to third parties for other purposes than the ones mentioned above or the following additional reasons:
- you have given your express consent to it;
- the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data;
- in the event that a legal obligation exists for the disclosure; or
- this is legally permissible and necessary for the execution of our contractual relationship with you.
D. Place of processing and export of data
- The data is processed at the Controller's operating offices and in any other places where the parties involved in the processing are located. Depending on the User's location, data transfers may involve transferring the User's data to a country other than their own.
- Therefore, we reserve the right to transfer, store, use and process your data, including any personal information, to/by recipients in countries outside of the European Economic Area ("EEA") including the United States and possibly other countries. You should note that laws vary from jurisdiction to jurisdiction, and so laws and regulations relating to privacy and data disclosure, applicable to the places where your information is transferred to or stored, used or processed in, may not provide the same level of protection as in your place of residency. We take the legally required safeguards and contractual measures to ensure that any recipients of your Personal Data abroad undertake to comply with the level of data protection and security prescribed by your applicable local data protection legislation.
IV. Retention of data
The Controller will retain Personal Data for as long as it is required to deliver the Services described in Sections III.A above and X.B below, and/or, upon termination, as long as required by law or regulations (e.g. mandatory retention periods), whichever is longer.
- Personal Data collected for purposes related to the performance of a contract between the Controller and the User shall be retained until such contract has been fully performed;
- Personal Data collected for the purposes of the Controller's legitimate interests shall be retained as long as needed to fulfil such purposes.
The Controller may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
V. Security measures
- We take adequate technical and organizational precautions and security measures to prevent accidental or intentional manipulation, unauthorized access, disclosure, unauthorized destruction, partial or complete loss, misuse or alteration of your Personal Data. Accordingly, we store all the personal information you provide on secure (password- and firewall-protected) servers. Our security measures are continuously improved in line with technical developments. You are responsible for keeping the account information for accessing any of our networks operated confidential.
- The User is aware and acknowledges that no technical and organizational measures can fully eliminate security risks connected with transmission of information over the Internet. Once Controller has received the transmitted information, it shall adequately secure it in its systems.
VI. The rights of Users
Users may exercise certain rights regarding their Personal Data processed by the Controller.
In particular, Users have the right to do the following:
- Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data. Please note that even after you have chosen to withdraw your consent, we may be able to continue to process your Personal Data to the extent required or permitted by law.
- Object to processing of their data. Users have the right to object to the processing of their data if the processing is carried out on a legal basis other than consent (e.g. for a public interest, in the exercise of an official authority vested in the Controller or for the purpose of legitimate interests pursued by the Controller). Users may object to such processing by providing a ground related to their particular situation to justify the objection. In particular, under and to the extent of a scope of application of the GDPR, in those cases where we base processing on our legitimate interests, you have the right to object to the processing. Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification.
- Access their data. Users have the right to learn if the Controller is processing data, obtain disclosure regrading certain aspects of the processing and obtain a copy of the data undergoing processing.
- Verify and seek rectification. Users have the right to verify the accuracy of their data and ask for it to be updated or corrected. Please note that you must advise us of any changes to your personal information so that we can ensure that your personal information is accurate and up to date.
- Restrict the processing of their data. Users have the right, under certain circumstances, to restrict the processing of their data if the accuracy of the data is disputed. In this case, the Controller will not process their data for any purpose other than storing it.
- Restrict the use of Personal Data whilst complaints are resolved.
- Have their Personal Data deleted or otherwise removed.\ Users have the right, under certain circumstances, to obtain the erasure of their data from the Controller, unless the processing is justified by our legitimate interests, necessary to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. We will take reasonable steps to inform other controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.
- Receive their data and have it transferred to another controller. Users have the right to receive their data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
- Lodge a complaint. Users have the right to bring a claim before their competent data protection authority (depending on your country of residence and the applicable data protection laws – note that in certain countries you may only notify a data protection authority which may then decide to initiate legal steps based on its own discretion).
Any requests to exercise User rights can be directed to the Controller through the contact details provided in this document.
Where possible, Controller will fulfil such a request of the User within the statutory applicable timeframe, unless a delay or a retention of the relevant data is permitted by law (e.g. a lack of convincing identity proof by an information requestor), is required for another valid purpose, for example to enable the fulfilment of contractual obligations, or is covered by a valid limitation or exemption under relevant privacy or data protection regulations.
Any requests will be free of charge, provided we do not incur unexpected and inadequate costs for providing you with details of your Personal Data.
- When the User visits the Website, information can be automatically stored on his or her computer. This is done in the form of so-called "cookies" or a similar file, which help Controller in various ways, for example, to get to know the preferences of visitors and Users of the Website and to improve the Website. Both permanent cookies and functional, temporary session cookies may be used: permanent cookies remain on your computer after you close your session and until you delete them, while session cookies expire when you close your browser.
- You may refuse the use of any cookies by selecting the appropriate settings on your browser. Most browsers allow you to delete cookies, prevent their installation or generate a warning before a cookie is installed. The User can obtain further information on this subject from the relevant browser instructions. Note, however, that this may affect your experience of our Website. To find out more about cookies, including how to manage, reject and delete cookies, visit www.allaboutcookies.org.
- Controller will use automatically stored information exclusively for statistical analysis and in particular will not associate any Personal Data with the User unless necessary. This Notice does not limit our use or disclosure to third parties of Non-Personal Information, and we reserve the right to use and disclose such Non-Personal Information to our partners, advertisers, and other third parties at our discretion.
- Within and to the extent under the scope of application of the GDPR, the data processed by cookies for the aforementioned purposes is justified in order to protect our legitimate interest and those of third parties pursuant to Art. 6 para. 1 sentence 1 letter f GDPR.
- Simple Analytics. Even if we don't need to disclose it, since we aim to be as much transparent as possible with our users, we inform you that to get information about the behaviour of our user, we use Simple Analytics (https://simpleanalytics.com/). This analytics software gives us insight about our user only in general, but not about individuals, as it does not track visitors and does not store any personal identifiable information. If you would like to, please go to their website to find out what Simple Analytics collects (and most importantly what they don’t).
- Should the changes affect processing activities performed on the basis of the User's consent, Controller shall collect consent from the User, where required.
IX. Definitions and legal references
Any information that directly, indirectly, or in connection with other information – including a personal identification number – allows for the identification or identifiability of a natural person.
Information collected automatically through this Website (or third-party services employed in this Website), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Website, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Website) and the details about the path followed within the Website with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
The individual using this Website who, unless otherwise specified, coincides with the Data Subject.
The natural person to whom the Personal Data refers.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Website. The Data Controller, unless otherwise specified, is the owner of this Website.
The Website of Controller available under https://spec.polkadot.network.
The Services (and blockchain offerings) provided by Controller.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
Small sets of data stored in the User's device.
This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).