diff --git a/src/markdown/privacy/privacy.md b/src/markdown/privacy/privacy.md index 98f2b03c48..87b4d92dad 100644 --- a/src/markdown/privacy/privacy.md +++ b/src/markdown/privacy/privacy.md 
@@ -4,9 +4,9 @@ Last updated: October 2024 Your privacy is important to us. It is our policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, [https://app.safe.global](https://app.safe.global), and other sites we own and operate as well as mobile applications we offer. Wherever possible, we have designed our website so that you may navigate and use our website without having to provide Personal Data. -This Privacy Policy describes how we, as a controller, collect, use and share your personal data. It applies to personal data you voluntarily provide to us, or is automatically collected by us. +This Privacy Policy describes how we, as a controller, collect, use and share your personal data. It applies to personal data you voluntarily provide to us, or is automatically collected by us. -In this policy, "we", "us" and "our" refers to Core Contributors GmbH a company incorporated in Germany with its registered address at Gontardstraße 11, 10178 Berlin, Germany. Any data protection related questions you might have about how we handle your personal data or if you wish to exercise your data subject rights, please contact us by post or at privacy@cc0x.dev. +In this policy, "we", "us" and "our" refers to Core Contributors GmbH a company incorporated in Germany with its registered address at Gontardstraße 11, 10178 Berlin, Germany. Any data protection related questions you might have about how we handle your personal data or if you wish to exercise your data subject rights, please contact us by post or at privacy@cc0x.dev. 
In this Policy, “personal data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity. 
@@ -14,49 +14,61 @@ In this Policy, “processing” means any operation or set of operations which [Privacy Policy](#privacy-policy) -[1\. Glossary](#glossary) +[1\. Glossary](#1.-glossary) -[2\. Your information and the Blockchain](#your-information-and-the-blockchain) +[2\. Your information and the Blockchain](#2.-your-information-and-the-blockchain) -[3\. How We Use Personal Data](#how-we-use-personal-data) +[3\. How We Use Personal Data](#3.-how-we-use-personal-data) -[4\. Use of Third Party Applications](#use-of-third-party-applications) +[3.1 When visiting our website and using Safe Interfaces](#3.1-when-visiting-our-website-and-using-safe-interfaces) -[4.1. Blockchain](#blockchain) +[3.2 Tracking & Analysis](#3.2-tracking-&-analysis) -[4.2. Amazon Web Services](#amazon-web-services) +[3.3 When Participating in User Experience Research (UXR)](#3.3-when-participating-in-user-experience-research-\(uxr\)) -[4.3. Datadog](#datadog) +[3.4 Publishing the app](#3.4-publishing-the-app) -[4.4. Mobile app stores](#mobile-app-stores) +[3.5 Use of the app](#3.5-use-of-the-app) -[4.5. Fingerprint/Touch ID/ Face ID](#fingerprint/touch-id/-face-id) +[3.6 Other uses of your Personal Data](#3.6-other-uses-of-your-personal-data) -[4.6. Google Firebase](#google-firebase) +[4\. Use of Third Party Applications](#4.-use-of-third-party-applications) -[4.7. WalletConnect](#walletconnect) +[4.1 Blockchain](#4.1-blockchain) -[4.8. Sentry](#sentry) +[4.2 Amazon Web Services](#4.2-amazon-web-services) -[4.9. Beamer](#beamer) +[4.3 Datadog](#4.3-datadog) -[4.10. Node providers](#node-providers) +[4.4 Mobile app stores](#4.4-mobile-app-stores) -[4.11. Tenderly](#tenderly) +[4.5 Fingerprint/Touch ID/ Face ID](#4.5-fingerprint/touch-id/-face-id) -[4.12. Internal communication](#internal-communication) +[4.6 Google Firebase](#4.6-google-firebase) -[4.13. MoonPay](#moonpay) +[4.7 WalletConnect](#4.7-walletconnect) -[5\. 
Sharing Your Personal Data](#sharing-your-personal-data) +[4.8 Sentry](#4.8-sentry) -[6\. Transferring Your data outside of the EU](#transferring-your-data-outside-of-the-eu) +[4.9 Beamer](#4.9-beamer) -[7\. Existence of Automated Decision-making](#existence-of-automated-decision-making) +[4.10 Node providers](#4.10-node-providers) -[8\. Data Security](#data-security) +[4.11 Tenderly](#4.11-tenderly) -[9\. Your Rights as a Data Subject](#your-rights-as-a-data-subject) +[4.12 MoonPay](#4.12-moonpay) + +[4.13 Spindl](#4.13-spindl) + +[5\. Sharing Your Personal Data](#5.-sharing-your-personal-data) + +[6\. Transferring Your data outside of the EU](#6.-transferring-your-data-outside-of-the-eu) + +[7\. Existence of Automated Decision-making](#7.-existence-of-automated-decision-making) + +[8\. Data Security](#8.-data-security) + +[9\. Your Rights as a Data Subject](#9.-your-rights-as-a-data-subject) [Right Information and access](#right-information-and-access) 
@@ -80,34 +92,36 @@ In this Policy, “processing” means any operation or set of operations which [Right to lodge a complaint with a relevant supervisory authority](#right-to-lodge-a-complaint-with-a-relevant-supervisory-authority) -[10\. Storing Personal Data](#storing-personal-data) +[10\. Storing Personal Data](#10.-storing-personal-data) -[13\. Changes to this Privacy Policy](#13.-changes-to-this-privacy-policy) +[11\. Children’s data](#11.-children’s-data) -[14\. Contact Us](#14.-contact-us) +[12\. Changes to this Privacy Policy](#12.-changes-to-this-privacy-policy) + +[13\. Contact Us](#13.-contact-us) [Contact us by post or email at:](#contact-us-by-post-or-email-at:) [Contact our Data Protection Officer by post or email at:](#contact-our-data-protection-officer-by-post-or-email-at:) -1. ### Glossary {#glossary} +# 1\. Glossary {#1.-glossary} What do some of the capitalized terms mean in this policy? -1. “Blockchain” means a mathematically secured consensus ledger such as the Ethereum Virtual Machine, an Ethereum Virtual Machine compatible validation mechanism, or other decentralized validation mechanisms. - 2. “Transaction” means a change to the data set through a new entry in the continuous Blockchain. - 3. “Smart Contract” is a piece of source code deployed as an application on the Blockchain which can be executed, including self-execution of Transactions as well as execution triggered by 3rd parties. - 4. “Token” is a digital asset transferred in a Transaction, including ETH, ERC20, ERC721 and ERC1155 tokens. - 5. “Wallet” is a cryptographic storage solution permitting you to store cryptographic assets by correlation of a (i) Public Key and (ii) a Private Key or a Smart Contract to receive, manage and send Tokens. - 6. “Recovery Phrase” is a series of secret words used to generate one or more Private Keys and derived Public Keys. - 7. 
“Public Key” is a unique sequence of numbers and letters within the Blockchain to distinguish the network participants from each other. - 8. “Private Key” is a unique sequence of numbers and/or letters required to initiate a Blockchain Transaction and should only be known by the legal owner of the Wallet. - 9. “Safe Account” is a modular, self-custodial (i.e. not supervised by us) smart contract-based Wallet. Safe Accounts are [open-source](https://github.com/safe-global/safe-contracts/) released under LGPL-3.0. - 10. “Safe Interfaces” refers to Safe{Wallet} a web-based graphical user interface for Safe Accounts as well as a mobile application on Android and iOS. - 11. “Safe Account Transaction” is a Transaction of a Safe Account, authorized by a user, typically via their Wallet. +1. “Blockchain” means a mathematically secured consensus ledger such as the Ethereum Virtual Machine, an Ethereum Virtual Machine compatible validation mechanism, or other decentralized validation mechanisms. + 2. “Transaction” means a change to the data set through a new entry in the continuous Blockchain. + 3. “Smart Contract” is a piece of source code deployed as an application on the Blockchain which can be executed, including self-execution of Transactions as well as execution triggered by 3rd parties. + 4. “Token” is a digital asset transferred in a Transaction, including ETH, ERC20, ERC721 and ERC1155 tokens. + 5. “Wallet” is a cryptographic storage solution permitting you to store cryptographic assets by correlation of a (i) Public Key and (ii) a Private Key or a Smart Contract to receive, manage and send Tokens. + 6. “Recovery Phrase” is a series of secret words used to generate one or more Private Keys and derived Public Keys. + 7. “Public Key” is a unique sequence of numbers and letters within the Blockchain to distinguish the network participants from each other. + 8. 
“Private Key” is a unique sequence of numbers and/or letters required to initiate a Blockchain Transaction and should only be known by the legal owner of the Wallet. + 9. “Safe Account” is a modular, self-custodial (i.e. not supervised by us) smart contract-based Wallet. Safe Accounts are [open-source](https://github.com/safe-global/safe-contracts/) released under LGPL-3.0. + 10. “Safe Interfaces” refers to Safe{Wallet} a web-based graphical user interface for Safe Accounts as well as a mobile application on Android and iOS. + 11. “Safe Account Transaction” is a Transaction of a Safe Account, authorized by a user, typically via their Wallet. 12. “Profile” means the Public Key and user provided, human readable label stored locally on the user's device. -2. ### Your information and the Blockchain {#your-information-and-the-blockchain} +# 2\. Your information and the Blockchain {#2.-your-information-and-the-blockchain} Blockchains, also known as distributed ledger technology (or simply ‘DLT’), are made up of digitally recorded data in a chain of packages called ‘blocks’. The manner in which these blocks are linked is chronological, meaning that the data is very difficult to alter once recorded. Since the ledger may be distributed all over the world (across several ‘nodes’ which usually replicate the ledger) this means there is no single person making decisions or otherwise administering the system (such as an operator of a cloud computing system), and that there is no centralized place where it is located either. 
@@ -119,89 +133,89 @@ In most cases ultimate decisions to (i) transact on the Blockchain using your Wa IF YOU WANT TO ENSURE YOUR PRIVACY RIGHTS ARE NOT AFFECTED IN ANY WAY, YOU SHOULD NOT TRANSACT ON BLOCKCHAINS AS CERTAIN RIGHTS MAY NOT BE FULLY AVAILABLE OR EXERCISABLE BY YOU OR US DUE TO THE TECHNOLOGICAL INFRASTRUCTURE OF THE BLOCKCHAIN. IN PARTICULAR THE BLOCKCHAIN IS AVAILABLE TO THE PUBLIC AND ANY PERSONAL DATA SHARED ON THE BLOCKCHAIN WILL BECOME PUBLICLY AVAILABLE -3. ### How We Use Personal Data {#how-we-use-personal-data} +# 3\. How We Use Personal Data {#3.-how-we-use-personal-data} - 1. When visiting our website and using Safe Interfaces +## 3.1 When visiting our website and using Safe Interfaces {#3.1-when-visiting-our-website-and-using-safe-interfaces} When visiting our website or using Safe Interfaces, we will collect and process personal data. The data will be stored in different instances -1. We connect the Wallet to the web app to identify the user via their public Wallet address. For this purpose we process: - 1. public Wallet address and +1. We connect the Wallet to the web app to identify the user via their public Wallet address. For this purpose we process: + 1. public Wallet address and 2. WalletConnect connection data -2. When you create a new Safe Account we process the following data to compose a Transaction based on your entered data to be approved by your Wallet: - 1. your public Wallet address, - 2. account balance, - 3. smart contract address of the Safe Account, - 4. addresses of externally owned accounts and +2. When you create a new Safe Account we process the following data to compose a Transaction based on your entered data to be approved by your Wallet: + 1. your public Wallet address, + 2. account balance, + 3. smart contract address of the Safe Account, + 4. addresses of externally owned accounts and 5. user activity -3. 
When you create a Profile for a new Safe Account we process the following data for the purpose of enabling you to view your Safe Account after creation as well as enabling you to view all co-owned Safes Accounts: - 1. your public Wallet address and +3. When you create a Profile for a new Safe Account we process the following data for the purpose of enabling you to view your Safe Account after creation as well as enabling you to view all co-owned Safes Accounts: + 1. your public Wallet address and 2. account balance -4. When you create a Profile for an existing Safe Account for the purpose of allowing you to view and use them in the Safe Interface, we process your - 1. public Wallet address, - 2. Safe Account balance, - 3. smart contract address of theSafe Account and +4. When you create a Profile for an existing Safe Account for the purpose of allowing you to view and use them in the Safe Interface, we process your + 1. public Wallet address, + 2. Safe Account balance, + 3. smart contract address of theSafe Account and 4. Safe Account owner's public Wallet addresses -5. When you initiate a Safe Account Transaction we process the following data to compose the Transaction for you based on your entered data: - 1. your public Wallet address and +5. When you initiate a Safe Account Transaction we process the following data to compose the Transaction for you based on your entered data: + 1. your public Wallet address and 2. smart contract address of Safe Account -6. When you sign a Safe Account Transaction we process the following data to enable you to sign the Transaction using your Wallet: - 1. Safe Account balance, - 2. smart contract address of Safe Account and +6. When you sign a Safe Account Transaction we process the following data to enable you to sign the Transaction using your Wallet: + 1. Safe Account balance, + 2. smart contract address of Safe Account and 3. Safe Account owner's public Wallet addresses -7. 
To enable you to execute The transaction on the Blockchain we process: - 1. your public Wallet address, - 2. Safe Account balance, - 3. smart contract address of Safe Account, - 4. Safe Account owner's public Wallet addresses and +7. To enable you to execute The transaction on the Blockchain we process: + 1. your public Wallet address, + 2. Safe Account balance, + 3. smart contract address of Safe Account, + 4. Safe Account owner's public Wallet addresses and 5. Transactions signed by all Safe Account owners -8. When we collect relevant data from the Blockchain to display context information in the Safe Interface we process: - 1. your public Wallet address, - 2. account balance, - 3. account activity and +8. When we collect relevant data from the Blockchain to display context information in the Safe Interface we process: + 1. your public Wallet address, + 2. account balance, + 3. account activity and 4. Safe Account owner's Public wallet addresses -9. When we decode Transactions from the Blockchain for the purpose of providing Transaction information in a conveniently readable format, we process: - 1. your public Wallet address - 2. account balance and +9. When we decode Transactions from the Blockchain for the purpose of providing Transaction information in a conveniently readable format, we process: + 1. your public Wallet address + 2. account balance and 3. account activity -10. When we maintain a user profile to provide you with a good user experience through Profiles and an address book we process: - 1. your public Wallet address, - 2. label, - 3. smart contract address of Safe Account, - 4. Safe Account owner's public wallet addresses, - 5. last used Wallet (for automatic reconnect), - 6. last used chain id, - 7. selected currency, - 8. theme and - 9. address format +10. When we maintain a user profile to provide you with a good user experience through Profiles and an address book we process: + 1. your public Wallet address, + 2. label, + 3. 
smart contract address of Safe Account, + 4. Safe Account owner's public wallet addresses, + 5. last used Wallet (for automatic reconnect), + 6. last used chain id, + 7. selected currency, + 8. theme and + 9. address format The legal base for all these activities is the performance of the contract we have with you (GDPR Art.6.1b). THE DATA WILL BE STORED ON THE BLOCKCHAIN. GIVEN THE TECHNOLOGICAL DESIGN OF THE BLOCKCHAIN, AS EXPLAINED IN SECTION 2, THIS DATA WILL BECOME PUBLIC AND IT WILL NOT LIKELY BE POSSIBLE TO DELETE OR CHANGE THE DATA AT ANY GIVEN TIME. -2. Tracking & Analysis +## 3.2 Tracking & Analysis {#3.2-tracking-&-analysis} -4.2.1 We will process the following personal data to analyze your behavior: +3.2.1 We will process the following personal data to analyze your behavior: -1. IP address (will not be stored for EU users), -2. session tracking, -3. user behavior, -4. wallet type, -5. Safe Account address, -6. Signer wallet address, -7. device and browser user agent, -8. user consent, -9. operating system, -10. referrers, +1. IP address (will not be stored for EU users), +2. session tracking, +3. user behavior, +4. wallet type, +5. Safe Account address, +6. Signer wallet address, +7. device and browser user agent, +8. user consent, +9. operating system, +10. referrers, 11. user behavior: subpage, duration, and revisit, the date and time of access In the case you have given consent, we will additionally store an analytics cookie on your device to identify you as a user across browsing sessions. The lawful basis for this processing is your consent (GDPR Art.6.1a) when agreeing to accept cookies. 
@@ -210,344 +224,343 @@ The collected data is solely used in the legitimate interest of improving our pr We do not track any of the following: -1. Wallet signatures +1. Wallet signatures 2. Granular transaction details -4.2.2 ***For general operational analysis of the Safe \[Wallet\] interface, monitoring transaction origins and** measuring **transaction failure rates to ensure improved service performance and reliability, we process information which constitutes the transaction service database, such as:*** +3.2.2 For general operational analysis of the Safe \[Wallet\] interface, monitoring transaction origins and measuring transaction failure rates to ensure improved service performance and reliability, we process information which constitutes the transaction service database, such as: -* *a. **signatures*** -* ***b.signature\_type*** -* ***c. ethereum\_tx\_id*** -* ***d. message\_hash*** -* ***e. safe\_app\_id*** -* ***f. safe\_message\_id*** +1. signatures +2. signature\_type +3. ethereum\_tx\_id +4. message\_hash +5. safe\_app\_id +6. safe\_message\_id ***We conduct this analysis in our legitimate interest to continuously improve our product and service and ensure increased service performance and reliability.*** -4.2.3 We conduct technical monitoring of your activity on the platform in order to ensure availability, integrity and robustness of the service. For this purpose we process your: +3.2.3 We conduct technical monitoring of your activity on the platform in order to ensure availability, integrity and robustness of the service. For this purpose we process your: -1. IP addresses, -2. meta and communication data, -3. website access and +1. IP addresses, +2. meta and communication data, +3. website access and 4. log data The lawful basis for this processing is our legitimate interest (GDPR Art.6.1f) in ensuring the correctness of the service. 
-4.2.4 Anonymized tracking +3.2.4 Anonymized tracking We will anonymize the following personal data to gather anonymous user statistics on your browsing behavior on our website: -1. daily active users, -2. new users acquired from a specific campaign, -3. user journeys, -4. number of users per country, +1. daily active users, +2. new users acquired from a specific campaign, +3. user journeys, +4. number of users per country, 5. difference in user behavior between mobile vs. web visitors. -The lawful basis for this processing is our legitimate interest (GDPR Art.6.1f) in improving our product and user experience. - +The lawful basis for this processing is our legitimate interest (GDPR Art.6.1f) in improving our product and user experience. -3. When Participating in User Experience Research (UXR) +## 3.3 When Participating in User Experience Research (UXR) {#3.3-when-participating-in-user-experience-research-(uxr)} When you participate in our user experience research we may collect and process some personal data. This data may include: -1. your name -2. your email -3. your phone type -4. your occupation -5. range of managed funds - +1. your name +2. your email +3. your phone type +4. your occupation +5. range of managed funds + In addition, we may take a recording of you while testing the Safe Interfaces for internal and external use. The basis for this collection and processing is our legitimate business interest in monitoring and improving our services. The lawful basis for this processing is your consent as provided before participating in user experience research. -4. Publishing the app +## 3.4 Publishing the app {#3.4-publishing-the-app} -4.4.1 Publishing the app on Google Play Store. +3.4.1 Publishing the app on Google Play Store. We process the following information to enable you to download the app on smartphones running Android: -1. google account and +1. google account and 2. 
e-mail address -4.4.2 Publishing the app on Apple App Store +3.4.2 Publishing the app on Apple App Store We process the following information to enable you to download the app on smartphones running iOS: -1. apple account and +1. apple account and 2. e-mail address -The lawful basis for these two processing activities is the performance of the contract we have with you (GDPR Art.6.1b). +The lawful basis for these two processing activities is the performance of the contract we have with you (GDPR Art.6.1b). -5. Use of the app +## 3.5 Use of the app {#3.5-use-of-the-app} -4.5.1 We provide the app to you to enable you to use it. For this purpose we process your: +3.5.1 We provide the app to you to enable you to use it. For this purpose we process your: -1. mobile device information, -2. http request caches and +1. mobile device information, +2. http request caches and 3. http request cookies -4.5.2 In order to update you about changes in the app, we need to send you push notifications. For this purpose we process your: +3.5.2 In order to update you about changes in the app, we need to send you push notifications. For this purpose we process your: -1. Transactions executed and failed, -2. assets sent, -3. assets received +1. Transactions executed and failed, +2. assets sent, +3. assets received -4.5.3 To provide support to you and notify you about outage resulting in unavailability of the service, we process your: +3.5.3 To provide support to you and notify you about outage resulting in unavailability of the service, we process your: 1. pseudonymized user identifier -4.5.4 In order to provide remote client configuration and control whether to inform about, recommend or force you to update your app or enable/disable certain app features we process your: - -1. User agent, -2. app information (version, build number etc.), -3. language, -4. Country, -5. Platform -6. operating system -7. Browser -8. Device category -9. User audience -10. User property -11. 
User in random percentage -12. Imported segment -13. date/time -14. first open +3.5.4 In order to provide remote client configuration and control whether to inform about, recommend or force you to update your app or enable/disable certain app features we process your: + +1. User agent, +2. app information (version, build number etc.), +3. language, +4. Country, +5. Platform +6. operating system +7. Browser +8. Device category +9. User audience +10. User property +11. User in random percentage +12. Imported segment +13. date/time +14. first open 15. installation ID -For all these activities (4.5.1-4.54) we rely on the legal base of performance of a contract (GDPR Art.6.1b) with you. +For all these activities (4.5.1-4.54) we rely on the legal base of performance of a contract (GDPR Art.6.1b) with you. -4.5.5 To report errors and improve user experience we process your: +3.5.5 To report errors and improve user experience we process your: -1. User agent info (Browser, OS, device), -2. URL that you were on (Can contain Safe Account address) and +1. User agent info (Browser, OS, device), +2. URL that you were on (Can contain Safe Account address) and 3. Error info: Time, stacktrace -We rely on our legitimate interest (GDPR Art.6.1f) of ensuring product quality. +We rely on our legitimate interest (GDPR Art.6.1f) of ensuring product quality. -4.5.6 We process your personal data to allow you to authenticate using your gmail account or AppleID and to create a signer wallet/owner account . For that purpose following personal data is processed: +3.5.6 We process your personal data to allow you to authenticate using your gmail account or AppleID and to create a signer wallet/owner account . For that purpose following personal data is processed: -1. Anonymised device information and identifiers, e.g. IP address, cookie IDs, device type -2. User account authentication information (e.g. username, password) -3. Unique user identifier (e.g. 
a random string associated with authentication, at times can be email. If so, sensitive strings are processed but hashed and not stored) +1. Anonymised device information and identifiers, e.g. IP address, cookie IDs, device type +2. User account authentication information (e.g. username, password) +3. Unique user identifier (e.g. a random string associated with authentication, at times can be email. If so, sensitive strings are processed but hashed and not stored) 4. Connection and usage Information (e.g. logins to the application) -For this processing, we rely on our legitimate interest (GDPR Art.6.1f) of facilitating the onboarding for users and ameliorating the user experience with regards to our product. - -4.5.7 Providing on and off-ramp services to enable you to top up your Safe Account with e.g. bank transfer, debit card, credit card. For this purpose MoonPay may process your: - -1. full name -2. date of birth -3. nationality -4. gender -5. signature -6. utility bills -7. photographs -8. phone number -9. home address -10. email -11. information about the transactions you make via MoonPay services (e.g. name of the recipient, your name, the amount, and/or timestamp) -12. geo location/tracking details -13. operating system +For this processing, we rely on our legitimate interest (GDPR Art.6.1f) of facilitating the onboarding for users and ameliorating the user experience with regards to our product. + +3.5.7 Providing on and off-ramp services to enable you to top up your Safe Account with e.g. bank transfer, debit card, credit card. For this purpose MoonPay may process your: + +1. full name +2. date of birth +3. nationality +4. gender +5. signature +6. utility bills +7. photographs +8. phone number +9. home address +10. email +11. information about the transactions you make via MoonPay services (e.g. name of the recipient, your name, the amount, and/or timestamp) +12. geo location/tracking details +13. operating system 14. 
personal IP addresses -To conduct this activity we rely on our legitimate interest (GDPR Art.6.1f) of ameliorating the onboarding process and the user experience through providing an easier option to customers to fund their account. +To conduct this activity we rely on our legitimate interest (GDPR Art.6.1f) of ameliorating the onboarding process and the user experience through providing an easier option to customers to fund their account. -4.6 Other uses of your Personal Data +## 3.6 Other uses of your Personal Data {#3.6-other-uses-of-your-personal-data} We may process any of your Personal Data where it is necessary to establish, exercise, or defend legal claims. The legal basis for this is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others. Further, we may process your Personal data where such processing is necessary in order for us to comply with a legal obligation to which we are subject. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights. -4. ### Use of Third Party Applications {#use-of-third-party-applications} +# 4\. Use of Third Party Applications {#4.-use-of-third-party-applications} - 1. ##### Blockchain {#blockchain} +## 4.1 Blockchain {#4.1-blockchain} When usingSafe Accounts your smart contract address, Safe Account Transactions, addresses of signer accounts and ETH balances and token balances will be stored on the Blockchain. See section 2 of this Policy THE INFORMATION WILL BE DISPLAYED PERMANENTLY AND PUBLIC, THIS IS PART OF THE NATURE OF THE BLOCKCHAIN. IF YOU ARE NEW TO THIS FIELD, WE HIGHLY RECOMMEND INFORMING YOURSELF ABOUT THE BLOCKCHAIN TECHNOLOGY BEFORE USING OUR SERVICES. -2. 
##### Amazon Web Services {#amazon-web-services} +## 4.2 Amazon Web Services {#4.2-amazon-web-services} We use [Amazon Web Services (AWS)](https://aws.amazon.com/) to store log and database data as described in section 4.1. -3. ##### Datadog {#datadog} +## 4.3 Datadog {#4.3-datadog} We use [Datadog](https://www.datadoghq.com/) to store log data as described in section 4.1. -4. ##### Mobile app stores {#mobile-app-stores} +## 4.4 Mobile app stores {#4.4-mobile-app-stores} Safe{Wallet} mobile apps are distributed via [Apple AppStore](https://www.apple.com/app-store/) and [Google Play Store](https://play.google.com/). They most likely track user behavior when downloading apps from their stores as well as when using apps. We only have very limited access to that data. We can view aggregated statistics on installs and uninstalls. Grouping by device type, app version, language, carrier and country is possible. -5. ##### Fingerprint/Touch ID/ Face ID {#fingerprint/touch-id/-face-id} +## 4.5 Fingerprint/Touch ID/ Face ID {#4.5-fingerprint/touch-id/-face-id} We enable the user to unlock the Safe{Wallet} mobile app via biometrics information (touch ID or face ID). This is a feature of the operating system. We do not store any of this data. Instead, the API of the operating system is used to validate the user input. If you have any further questions you should consult with your preferred mobile device provider or manufacturer. -6. ##### Google Firebase {#google-firebase} +## 4.6 Google Firebase {#4.6-google-firebase} We use the following [Google Firebase](https://firebase.google.com/) services: -* Firebase Cloud Messaging: Provide updates to the user about changes in the mobile apps via push notifications. -* Firebase remote config: Inform users about, recommend or force user to update their mobile app or enabling/disabling certain app features. These settings are global for all users, no personalization is happening. 
+* Firebase Cloud Messaging: Provide updates to the user about changes in the mobile apps via push notifications. +* Firebase remote config: Inform users about, recommend or force user to update their mobile app or enabling/disabling certain app features. These settings are global for all users, no personalization is happening. * Firebase crash reporting: Report errors and crashes to improve product and user experience. - 7. ##### WalletConnect {#walletconnect} +## 4.7 WalletConnect {#4.7-walletconnect} + +[WalletConnect](https://walletconnect.com/) is used to connect wallets to dapps using end-to-end encryption by scanning a QR code. We do not store any information collected by WalletConnect. -[WalletConnect](https://walletconnect.com/) is used to connect wallets to dapps using end-to-end encryption by scanning a QR code. We do not store any information collected by WalletConnect. +## 4.8 Sentry {#4.8-sentry} -8. ##### Sentry {#sentry} +We use [Sentry](https://sentry.io/) to collect error reports and crashes to improve product and user experience. -We use [Sentry](https://sentry.io/) to collect error reports and crashes to improve product and user experience. +## 4.9 Beamer {#4.9-beamer} -9. ##### Beamer {#beamer} +We use [Beamer](https://www.getbeamer.com/) providing updates to the user about changes in the app.Beamer's purpose and function are further explained under the following link [https://www.getbeamer.com/showcase/notification-center](https://www.getbeamer.com/showcase/notification-center). -We use [Beamer](https://www.getbeamer.com/) providing updates to the user about changes in the app.Beamer's purpose and function are further explained under the following link [https://www.getbeamer.com/showcase/notification-center](https://www.getbeamer.com/showcase/notification-center). We do not store any information collected by Beamer. -10. 
##### Node providers {#node-providers} +## 4.10 Node providers {#4.10-node-providers} We use [Infura](https://www.infura.io/) and [Nodereal](https://nodereal.io/) to query public blockchain data from our backend services. All Safes are monitored, no personalization is happening and no user IP addresses are forwarded. Personal data processed are: -* Your smart contract address of the Safe; -* Transaction id/hash +* Your smart contract address of the Safe; +* Transaction id/hash * Transaction data - - 11. ##### Tenderly {#tenderly} +## 4.11 Tenderly {#4.11-tenderly} We use [Tenderly](https://tenderly.co/) to simulate blockchain transactions before they are executed. For that we send your smart contract address of your Safe Account and transaction data to Tenderly. -12. ##### Internal communication {#internal-communication} +13. Internal communication -We use the following tools for internal communication. +We use the following tools for internal communication. -* [Slack](https://slack.com/) -* [Google Workspace](https://workspace.google.com/) +* [Slack](https://slack.com/) +* [Google Workspace](https://workspace.google.com/) * [Notion](https://notion.so) - 13. ##### MoonPay {#moonpay} +## 4.12 MoonPay {#4.12-moonpay} -We use MoonPay to offer on-ramp and off-ramp services. For that purpose personal data is required for KYC/AML or other financial regulatory requirements. This data is encrypted by MoonPay. +We use MoonPay to offer on-ramp and off-ramp services. For that purpose personal data is required for KYC/AML or other financial regulatory requirements. This data is encrypted by MoonPay. -14. Spindl +## 4.13 Spindl {#4.13-spindl} -We use [Spindl](https://www.spindl.xyz/), a measurement and attribution solution for web3 that assists us in comprehending how users interact with different decentralized applications and our app and to enhance your experience with Safe{Wallet}. 
For enhanced privacy, data is stored for a period of 7 days after which it is securely deleted. +We use [Spindl](https://www.spindl.xyz/), a measurement and attribution solution for web3 that assists us in comprehending how users interact with different decentralized applications and our app and to enhance your experience with Safe{Wallet}. For enhanced privacy, data is stored for a period of 7 days after which it is securely deleted. -5. ### Sharing Your Personal Data {#sharing-your-personal-data} +# 5\. Sharing Your Personal Data {#5.-sharing-your-personal-data} We may pass your information to our Business Partners, administration centers, third party service providers, agents, subcontractors and other associated organizations for the purposes of completing tasks and providing our services to you. In addition, when we use any other third-party service providers, we will disclose only the personal information that is necessary to deliver the service required and we will ensure that they keep your information secure and not use it for their own direct marketing purposes. In addition, we may transfer your personal information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganization, or if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected. -6. ### Transferring Your data outside of the EU {#transferring-your-data-outside-of-the-eu} +# 6\. Transferring Your data outside of the EU {#6.-transferring-your-data-outside-of-the-eu} Wherever possible we will choose service providers based in the EU. For those outside the EU, wherever possible we will configure data to be inside the EU. We concluded the new version of the Standard Contractual Clauses with these service providers (2021/914). Service providers in the US: -* Amazon Web Service Inc. 
-* Google LLC -* Data Dog Inc. -* Slack Technologies LLC -* Joincube Inc. (Beamer) -* Functional software Inc. (Sentry) -* Notion Labs Inc. +* Amazon Web Service Inc. +* Google LLC +* Data Dog Inc. +* Slack Technologies LLC +* Joincube Inc. (Beamer) +* Functional software Inc. (Sentry) +* Notion Labs Inc. * ConsenSys Software Inc. Service providers in other countries outside of the EU: -* Tenderly d.o.o. is based in Serbia. -* Node Real PTE Ltd. is based in Singapore. -* Torus Labs PTE. Ltd. is based in Singapore. +* Tenderly d.o.o. is based in Serbia. +* Node Real PTE Ltd. is based in Singapore. +* Torus Labs PTE. Ltd. is based in Singapore. * Eighteenth September Limited (“MoonPay”) in the Seychelles HOWEVER, WHEN INTERACTING WITH THE BLOCKCHAIN, AS EXPLAINED ABOVE IN THIS POLICY, THE BLOCKCHAIN IS A GLOBAL DECENTRALIZED PUBLIC NETWORK AND ACCORDINGLY ANY PERSONAL DATA WRITTEN ONTO THE BLOCKCHAIN MAY BE TRANSFERRED AND STORED ACROSS THE GLOBE. -7. ### Existence of Automated Decision-making {#existence-of-automated-decision-making} +# 7\. Existence of Automated Decision-making {#7.-existence-of-automated-decision-making} We do not use automatic decision-making or profiling when processing Personal Data. -8. ### Data Security {#data-security} +# 8\. Data Security {#8.-data-security} We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. -9. ### Your Rights as a Data Subject {#your-rights-as-a-data-subject} +# 9\. 
Your Rights as a Data Subject {#9.-your-rights-as-a-data-subject} You have certain rights under applicable legislation, and in particular under Regulation EU 2016/679 (General Data Protection Regulation or ‘GDPR’). We explain these below. You can find out more about the GDPR and your rights by accessing the [European Commission’s website](https://ec.europa.eu/info/law/law-topic/data-protection_en). If you wish to exercise your data subject rights, please contact us by post or at privacy@cc0x.dev. -##### Right Information and access {#right-information-and-access} +#### Right Information and access {#right-information-and-access} You have a right to be informed about the processing of your personal data (and if you did not give it to us, information as to the source) and this Privacy Policy intends to provide the information. Of course, if you have any further questions you can contact us on the above details. -##### Right to rectification {#right-to-rectification} +#### Right to rectification {#right-to-rectification} You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed. You may also request that we restrict the processing of that information. The accuracy of your information is important to us. If you do not want us to use your Personal Information in the manner set out in this Privacy Policy, or need to advise us of any changes to your personal information, or would like any more information about the way in which we collect and use your Personal Information, please contact us at the above details. 
-##### Right to erasure (right to be ‘forgotten’) {#right-to-erasure-(right-to-be-‘forgotten’)} +#### Right to erasure (right to be ‘forgotten’) {#right-to-erasure-(right-to-be-‘forgotten’)} You have the general right to request the erasure of your personal information in the following circumstances: -* the personal information is no longer necessary for the purpose for which it was collected; -* you withdraw your consent to consent based processing and no other legal justification for processing applies; -* you object to processing for direct marketing purposes; -* we unlawfully processed your personal information; and +* the personal information is no longer necessary for the purpose for which it was collected; +* you withdraw your consent to consent based processing and no other legal justification for processing applies; +* you object to processing for direct marketing purposes; +* we unlawfully processed your personal information; and * erasure is required to comply with a legal obligation that applies to us. HOWEVER, WHEN INTERACTING WITH THE BLOCKCHAIN WE MAY NOT BE ABLE TO ENSURE THAT YOUR PERSONAL DATA IS DELETED. THIS IS BECAUSE THE BLOCKCHAIN IS A PUBLIC DECENTRALIZED NETWORK AND BLOCKCHAIN TECHNOLOGY DOES NOT GENERALLY ALLOW FOR DATA TO BE DELETED AND YOUR RIGHT TO ERASURE MAY NOT BE ABLE TO BE FULLY ENFORCED. IN THESE CIRCUMSTANCES WE WILL ONLY BE ABLE TO ENSURE THAT ALL PERSONAL DATA THAT IS HELD BY US IS PERMANENTLY DELETED. 
We will proceed to comply with an erasure request without delay unless continued retention is necessary for: -* Exercising the right of freedom of expression and information; -* Complying with a legal obligation under EU or other applicable law; -* The performance of a task carried out in the public interest; -* Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or +* Exercising the right of freedom of expression and information; +* Complying with a legal obligation under EU or other applicable law; +* The performance of a task carried out in the public interest; +* Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or * The establishment, exercise, or defense of legal claims. -##### Right to restrict processing and right to object to processing {#right-to-restrict-processing-and-right-to-object-to-processing} +#### Right to restrict processing and right to object to processing {#right-to-restrict-processing-and-right-to-object-to-processing} You have a right to restrict processing of your personal information, such as where: -1. you contest the accuracy of the personal information; -2. where processing is unlawful you may request, instead of requesting erasure, that we restrict the use of the unlawfully processed personal information; +1. you contest the accuracy of the personal information; +2. where processing is unlawful you may request, instead of requesting erasure, that we restrict the use of the unlawfully processed personal information; 3. we no longer need to process your personal information but need to retain your information for the establishment, exercise, or defense of legal claims. 
You also have the right to object to processing of your personal information under certain circumstances, such as where the processing is based on your consent and you withdraw that consent. This may impact the services we can provide and we will explain this to you if you decide to exercise this right. HOWEVER, WHEN INTERACTING WITH THE BLOCKCHAIN, AS IT IS A PUBLIC DECENTRALIZED NETWORK, WE WILL LIKELY NOT BE ABLE TO PREVENT EXTERNAL PARTIES FROM PROCESSING ANY PERSONAL DATA WHICH HAS BEEN WRITTEN ONTO THE BLOCKCHAIN. IN THESE CIRCUMSTANCES WE WILL USE OUR REASONABLE ENDEAVORS TO ENSURE THAT ALL PROCESSING OF PERSONAL DATA HELD BY US IS RESTRICTED, NOTWITHSTANDING THIS, YOUR RIGHT TO RESTRICT TO PROCESSING MAY NOT BE ABLE TO BE FULLY ENFORCED. -##### Right to data portability {#right-to-data-portability} +#### Right to data portability {#right-to-data-portability} Where the legal basis for our processing is your consent or the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, you have a right to receive the personal information you provided to us in a structured, commonly used and machine-readable format, or ask us to send it to another person. -##### Right to freedom from automated decision-making {#right-to-freedom-from-automated-decision-making} +#### Right to freedom from automated decision-making {#right-to-freedom-from-automated-decision-making} As explained above, we do not use automated decision-making, but where any automated decision-making takes place, you have the right in this case to express your point of view and to contest the decision, as well as request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. 
-##### Right to object to direct marketing (‘opting out’) {#right-to-object-to-direct-marketing-(‘opting-out’)} +#### Right to object to direct marketing (‘opting out’) {#right-to-object-to-direct-marketing-(‘opting-out’)} You have a choice about whether or not you wish to receive information from us. We will not contact you for marketing purposes unless: -* you have a business relationship with us, and we rely on our legitimate interests as the lawful basis for processing (as described above) +* you have a business relationship with us, and we rely on our legitimate interests as the lawful basis for processing (as described above) * you have otherwise given your prior consent (such as when you download one of our guides) You can change your marketing preferences at any time by contacting us on the above details. On each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your personal data for marketing purposes (known as ‘opting-out’) by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data. You may also opt-out at any time by contacting us on the below details. Please note that any administrative or service-related communications (to offer our services, or notify you of an update to this Privacy Policy or applicable terms of business, etc.) will solely be directed at our clients or business partners, and such communications generally do not offer an option to unsubscribe as they are necessary to provide the services requested. Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you. 
-##### Right to request access {#right-to-request-access} +#### Right to request access {#right-to-request-access} You also have a right to access information we hold about you. We are happy to provide you with details of your Personal Information that we hold or process. To protect your personal information, we follow set storage and disclosure procedures, which mean that we will require proof of identity from you prior to disclosing such information. You can exercise this right at any time by contacting us on the above details. -##### Right to withdraw consent {#right-to-withdraw-consent} +#### Right to withdraw consent {#right-to-withdraw-consent} Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time by contacting us on the above details. -##### Raising a complaint about how we have handled your personal data {#raising-a-complaint-about-how-we-have-handled-your-personal-data} +#### Raising a complaint about how we have handled your personal data {#raising-a-complaint-about-how-we-have-handled-your-personal-data} If you wish to raise a complaint on how we have handled your personal data, you can contact us as set out above and we will then investigate the matter. -##### Right to lodge a complaint with a relevant supervisory authority {#right-to-lodge-a-complaint-with-a-relevant-supervisory-authority} +#### Right to lodge a complaint with a relevant supervisory authority {#right-to-lodge-a-complaint-with-a-relevant-supervisory-authority} We encourage you to contact us at privacy@cc0de.dev if you have any privacy related concerns. Should you disapprove of the response we have provided you, you have the right to lodge a complaint with our supervisory authority, or with the data protection authority of the European member state you live or work in. The details of the supervisory authority responsible for Berlin, Germany, are: 
@@ -556,23 +569,24 @@ Alt-Moabit 59-61 10555 Berlin Germany Phone: 030/138 89-0 -[http://www.datenschutz-berlin.de](http://www.datenschutz-berlin.de) +[http://www.datenschutz-berlin.de](http://www.datenschutz-berlin.de) You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of our rights has taken place, if that is based in the EEA. -10. ### Storing Personal Data {#storing-personal-data} +# 10\. Storing Personal Data {#10.-storing-personal-data} We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this policy. However, we may retain your Personal Data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. -12\. Children’s data -Our products and services are neither designed nor intended for use by children and persons under the age of 18\. If you suspect or discover that our products and services are being used by a child, please contact us immediately at privacy@cc0x.dev +# 11\. Children’s data {#11.-children’s-data} + +Our products and services are neither designed nor intended for use by children and persons under the age of 18\. If you suspect or discover that our products and services are being used by a child, please contact us immediately at privacy@cc0x.dev -### 13\. Changes to this Privacy Policy {#13.-changes-to-this-privacy-policy} +# 12\. Changes to this Privacy Policy {#12.-changes-to-this-privacy-policy} We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the top of this page. Each visit or interaction with our services will be subject to the new privacy policy. 
We encourage you to regularly review our privacy policy to stay informed about our data protection policy. Unless, we implement profound changes that we proactively notify you about, you acknowledge that it is your responsibility to review our privacy policy to be aware of modifications. If you do not agree to the revised policy, you should discontinue your use of this website. -### 14\. Contact Us {#14.-contact-us} +# 13\. Contact Us {#13.-contact-us} ##### Contact us by post or email at: {#contact-us-by-post-or-email-at:}
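Review bot: in the section 4 hunk, the Internal communication heading is replaced by the plain line `+13. Internal communication`, which drops both the heading markup and the `{#internal-communication}` anchor, and its number fits neither neighbour (`## 4.11 Tenderly` before it, `## 4.12 MoonPay` after it). Every other entry in this hunk becomes a `## 4.x` heading with an ID, so this one should follow the same pattern, with MoonPay and Spindl renumbered after it, unless the section is meant to be removed, in which case its body and tool list should go too. Two smaller points in the same hunk: the re-added Beamer line still reads "changes in the app.Beamer's purpose" with no space after the full stop, and the unchanged supervisory-authority paragraph gives the contact address as privacy@cc0de.dev while the rest of the policy uses privacy@cc0x.dev, so one of the two is wrong and worth fixing while this file is open.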
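Review bot: in the `@@ -556,23 +569,24 @@` hunk, the renumbering changes published anchor IDs (`{#13.-changes-to-this-privacy-policy}` becomes `{#12.-changes-to-this-privacy-policy}`, `{#14.-contact-us}` becomes `{#13.-contact-us}`), so any existing deep link into the policy stops resolving, and will break again the next time a section is inserted. Suggest keeping number-free IDs such as `{#changes-to-this-privacy-policy}` and putting the number only in the visible heading text. The new `{#11.-children’s-data}` ID also contains a typographic apostrophe, which is awkward to link to and easy to mistype. In the same hunk, the re-added Children's data sentence still ends without a full stop after privacy@cc0x.dev, and `##### Contact us by post or email at:` is left at level 5 directly under the new level 1 `# 13\. Contact Us`, which skips three heading levels.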