Last Updated: May 23, 2023
INFORMATION WE MAY COLLECT FROM YOU
From time to time, we may directly or indirectly collect or ask you to provide the following information (if any):
- the ID of your crypto wallet(s) (wallet address);
- results of your Checks according to the SELFKEY.ORG Terms and Conditions (the “Terms”);
- your Discord account name and other public information;
- contents of the message and/or attachments you may send other users or us;
- also the following information:
  - on whether you have SelfKey credentials and/or NFTs (including those representing facts about our or your title to digital or real-world assets);
  - on whether you meet the criteria for particular activities offered within the Services;
  - on your ownership of crypto coins and crypto tokens;
  - on whether a user invited third parties to use the Services;
  - on decisions you may make during the usage of the Services;
  - on whether you are included in sanctions lists;
  - on whether you applied for Services usage previously;
  - on your public posts on social networks;
  - on our ENS subdomain;
  - that you explicitly share with us to use the Services.
In some jurisdictions and depending on particular circumstances, the aforementioned information can be considered your personal data.
We may also receive information from the following sources:
- we work with third parties from time to time (for example, partners, sub-contractors in KYC, AML, technical, payment, and delivery services, advertising networks, analytics providers, search information providers, and credit reference agencies) who may provide us information about you;
- if you choose to link our Services to a third-party account, we may receive information about that account, such as your authentication token from a third-party account, to authorize linking. Please note that the information we may receive is governed by the privacy settings, policies, and/or procedures of a third party;
- we may also collect information from social media platforms that share information about how you interact with our social media content; and
- we may receive technical data related to your activities within the Service automatically from your browser, our servers, and our systems.
THE RELIANCE FLOW
To secure your actions within our system we may obtain certain information about you within the following flow (the “Reliance Flow”), if applicable:
- you initiate an action, which is represented by an encrypted message to a third-party (credential issuer), which may contain your user wallet address and a request for specific information about you necessary to secure your further actions within the SelfKey DAO application;
- it means your wallet address and email address (stored on the local client on your computer without SelfKey DAO access to it) are directly transferred by you to a third-party (credential issuer) to initiate identity verification and other Checks;
- you transfer this encrypted message to a third-party (credential issuer);
- a third-party (credential issuer) returns to you a new encrypted message that allows you to continue your transaction within SelfKey DAO;
- SelfKey DAO may further request specific information about you from a credential issuer to ensure the security of transactions and to provide you with the Services.
The interconnection within the Reliance Flow is automatic, encrypted (without your direct access), tied to your wallet address, and made by you as an intermediary.
Please be informed that the Reliance Flow may secure all your transactions and interactions within the System. By stopping using the Service, you automatically revoke your consent to the usage of the Reliance Flow.
USES MADE OF YOUR PERSONAL DATA
We may use your personal data to:
- provide, troubleshoot, and improve the Services (using our own systems and third-party service providers);
- analyze usage and performance of the Services;
- perform market and customer research;
- investigate and/or prevent suspected fraud, other criminal activities, or intellectual property infringement; prevent and detect abuse to protect the security of our users, the Services, and others;
- comply with and enforce applicable regulations and agreements, including enforcing our Terms or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency;
- comply with our Know Your Customer (“KYC”) obligations under applicable laws and regulations, and Anti-Money Laundering (“AML”) laws and regulations (to the extent laws and regulations require);
- operate the System;
- develop aggregate analysis and business intelligence that enable us to protect, make informed decisions, and report on the performance of the System;
- disclose data to potential acquirers of the project, including legal advisors and auditing service providers in case of a merger, acquisition, or selling the whole or part of the System; and
- disclose data to our service providers, including the transfer of your personal data (including biometric data) to carry out the Check partially or wholly.
We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.
Our legal basis for the use of personal data:
- Performance of the Terms: when we provide you with the Services or communicate with you about them;
- Legal obligation: to comply with our legal obligations under applicable laws and regulations, including Anti-Money Laundering laws and regulations;
- Our legitimate interest in operating the System and communicating with you as necessary to provide these Services (for example, when improving our System, undertaking marketing, or for the purposes of detecting or preventing illegal activities to protect the security of our users, ourselves, or others); in addition, when processing personal data strictly necessary and proportionate to ensure network and information security; and
PERSONAL DATA TRANSFER
- We employ companies and individuals to perform certain functions, including the performance of the Checks. Examples include analyzing data, providing marketing assistance, processing payments, transmitting content, and providing KYC/AML solutions. For the purposes of the Checks, we employ various contractors and transfer your personal data to them. These third-party service providers only have access to personal data needed to perform their functions but may not use it for other purposes. Further, they must process the personal data in accordance with agreements and only as permitted by applicable data protection laws.
- Certain of your personal data may be shared with other users of the website as part of the normal operation of the Services.
- We may, from time to time, expand or reduce our project, which may involve the transfer of certain divisions to other parties, and the data we process, where relevant, may be transferred to such third parties.
- We may use industry-standard data analytics tools claimed to be GDPR-compliant and CCPA-compliant.
SOULBOUND TOKEN AND OTHER NFTS
- A SoulBound Token and other NFTs are associated with your wallet ID; please be informed that a wallet ID may be considered personal data in some jurisdictions. PLEASE DO NOT USE OUR SERVICE IF YOU DO NOT WANT TO SHARE YOUR WALLET ID(S) IRREVERSIBLY AND PUBLICLY.
- Your SoulBound Token may contain information about a legal person or individual (a credential issuer) who checked particular information about you, depending on the scope of the Check you’ve passed.
IF YOU DISCLOSE YOUR SOULBOUND TOKEN TO A THIRD PARTY, IT WOULD BE POSSIBLE FOR SUCH A THIRD PARTY TO ASK YOUR CREDENTIAL ISSUER FOR SPECIFIC INFORMATION ABOUT YOU, WHICH MEANS SUCH A THIRD PARTY MAY RECEIVE YOUR PERSONAL DATA FROM A CREDENTIAL ISSUER. THE SYSTEM MAY ALSO ALLOW YOU TO SHARE YOUR PERSONAL DATA WITH THIRD PARTIES.
- CONSENT FOR INTERNATIONAL DATA TRANSFERS TO THIRD COUNTRIES: The System and SelfKey DAO work worldwide; therefore, you hereby agree that the System or we may transfer your personal data, mentioned in these Terms, to a third country, and that such a transfer may be made in the absence of an adequacy decision or appropriate safeguards, according to the applicable legislation. This consent also applies to specific personal data transfers: each time you disclose your SoulBound Token to a third party located outside the European Economic Area, the System or a credential issuer may transfer your personal data to such a third party. In a third country, there might not be a supervisory authority, and/or data processing principles and/or data subject rights might not be provided for in the third country.
WE MAKE NO WARRANTY OR REPRESENTATION AND DISCLAIM ALL RESPONSIBILITY FOR YOUR INTERACTIONS WITH CREDENTIAL ISSUERS AND ANY THIRD PARTIES, EVEN IN CASE THEY ALSO USE THE SERVICES. THEY HAVE THEIR PRIVACY POLICIES, AND THEY ARE SOLELY RESPONSIBLE FOR THE LAWFULNESS OF YOUR PERSONAL DATA PROCESSING.
- In order for us to provide you with the best user experience, we may share your personal data with our marketing partners for the purposes of targeting, modeling, and/or analytics, as well as marketing and advertising. You may opt out of sharing personal data with our marketing partners unless we have a legitimate interest. If you wish to invoke this right, please contact us through the information we provide under the section entitled "Contact" below.
- We and/or our trusted partners may contact you from time to time with offers that may interest you and/or inform you of other products and services.
DURATION OF PERSONAL DATA PROCESSING
- The processing of your personal data may continue after you opt out, for the purpose of System security and according to our other legitimate interests.
- The general personal data retention period is five (5) years, which is based on the applicable limitation period for enforcing legal claims and the statutory retention period in the case of accounting documents.
If you have any questions, requests, or objections regarding your personal data processing, please contact us through the information we provide under the section entitled "Contact" below.
- Right to access: you have the right to obtain confirmation that your data are processed and to obtain a copy of it as well as certain information related to its processing;
- Right to rectify: you can request the rectification of your data which are inaccurate and also add to it. You can also change your personal data in your account at any time;
- Right to delete: you can, in some cases, have your data deleted;
- Right to object: you can object, for reasons relating to your particular situation, to the processing of your data. You may ask us to restrict the processing of your personal data;
- Right to limit the processing: in certain circumstances, you have the right to limit the processing of your data;
- Right to portability: in some cases, you can ask to receive the data that you have provided to us in a structured, commonly used, and machine-readable format or, when this is possible, that we communicate your data on your behalf directly to another data controller;
- Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent;
- Right to define the instructions relating to the use of your personal data post-mortem: you have the right to define instructions relating to the retention, deletion, and communication of your data after your death;
- Right to non-discrimination: you have the right not to receive discriminatory treatment as a result of your exercise of rights conferred by laws applicable in your jurisdiction; and
- Right to lodge a complaint to the relevant data protection authority: procedure depends on your jurisdiction and is subject to local regulations. For more information, please contact your local data protection authority.
You may have other rights according to applicable legislation in your jurisdiction.
You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, follow the instructions found at the end of the email or contact us through the information we provide under the section entitled "Contact" below. Even if you unsubscribe to these types of emails, we may still contact you for informational, transactional, account-related, or similar purposes.
SECURITY OF YOUR INFORMATION
- We take reasonable industry-standard care in keeping all our data secure and in preventing any unauthorized access or unlawful use of it. We design our systems with your security and privacy in mind. We work to protect the security of your personal data during transmission by using encryption protocols and software.
- We maintain physical, technical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of your personal data.
- We do not use browser cookies to collect and store certain information when you use, access, or interact with our Services.
- Our security procedures mean we may ask you to verify your identity to protect against unauthorized access to your account.
- We recommend using unique passwords not utilized for other online accounts and signing off when you finish using a shared computer. We do not receive nor store your private keys, seed phrases, addresses, or passwords. We cannot assist you with the retrieval of any such information. You acknowledge and agree that you should safely store a backup of your addresses, passwords, private keys, and seed phrases.
THIRD-PARTY SERVICES AND CONTENT
CHILDREN UNDER EIGHTEEN
SelfKey DAO is not directed to children under the age of eighteen, and SelfKey DAO will never knowingly collect personal data from children under the age of eighteen. If you are under the age of eighteen, you must ask your parent or guardian for permission to use our Services.
AUTOMATED DECISION-MAKING AND FACIAL SCAN POLICY
- We may carry out automated decision-making following the results of the Check (as defined in the Terms) to decide whether we can provide the Services or part of them to you and on what terms. In particular, we may use an automated engine to process the personal information you provide as part of the application process. Without this information, we are unable to secure our network and provide Services to you and other users.
- The significance and the envisaged consequences of such processing for you are limited to a potential inability to use our Services and obtain the Credentials. You hereby agree that your legal rights or legal status are not impacted by our possible automated decision-making.
- In some jurisdictions, your selfie/photographs, being subject to specific technical processing, can be considered biometric data and fall under specific regulations. Please be informed that our automated decision-making includes automated processing of your selfie/facial images (including by an artificial intelligence, if any). By extracting and comparing numerical biometric data from facial scan data, our system assesses whether a person in the photo is likely to be the same person pictured in the identity document. We may also automatically compare your different facial photos.
YOU HEREBY GIVE YOUR EXPLICIT CONSENT TO AUTOMATED DECISION-MAKING, INCLUDING THOSE BASED ON YOUR BIOMETRIC DATA. IF THE AUTOMATED DECISION-MAKING AND/OR FACIAL SCAN PROCESSING ARE PROHIBITED IN YOUR JURISDICTION, PLEASE DO NOT USE OUR SERVICES.
- After the automatic decision has been made, you have the right to contact us to review the decision, provide a more detailed explanation and exercise other rights you may have under the applicable legislation. If you wish to invoke these rights, please contact us through the information we provide under the section entitled "Contact" below.
- By proceeding to use our Service, you agree that you have read, understand, and voluntarily consent to this Automated Decision-Making and Facial Scan Policy, that you release any claims related to your facial scan data and that you confirm that you are not accessing the Services in any jurisdiction where the services are not permitted by applicable law.
ONGOING MONITORING AND DATA ACCURACY
- By using our website and Services, you acknowledge and agree that we and/or credential issuers have the right to periodically and automatically monitor your Credentials and the accuracy of the personal data you have provided. This is to ensure the security and integrity of our Services and to maintain a high-quality user experience for all users.
- In the event that our or credential issuers’ monitoring systems detect discrepancies, inaccuracies, or changes in your personal data, we reserve the right, at our sole discretion, to suspend, terminate, or restrict your access to our Services. This may include but is not limited to, situations where your personal data is outdated, incorrect, or has been altered without our knowledge.
- We are not liable for any consequences or damages you may suffer as a result of our decision to suspend, terminate, or restrict your access to our Services due to discrepancies, inaccuracies, or changes in your personal data. By using our Services, you accept this risk and agree to hold us harmless for any losses or damages you may incur.
- It is your responsibility to ensure that the personal data you provide to us is accurate, complete, and up-to-date. You agree to promptly update your personal data whenever there is a change in your information in order to maintain your eligibility for continued use of our Services.
DISTRIBUTED LEDGER TECHNOLOGIES, DAO AND DATA PRIVACY LAWS
SelfKey DAO uses distributed ledger technologies (“DLT”) while providing Services to you. Please find below the most crucial issues you should know about these technologies.
A blockchain is often structured as a chain of blocks. A single block groups together multiple transactions and is added to the existing chain of blocks through a hashing process. A hash function (or 'hash') provides a unique fingerprint that represents information as a string of characters and numbers. It is a one-way cryptographic function, designed to be impossible to reverse. The blocks themselves are made up of different kinds of data, which include a hash of all transactions contained in the block (its 'fingerprint'), a timestamp, and a hash of the previous block that creates the sequential chain of blocks. Some of this data can be qualified as personal data in some jurisdictions.
Because blocks are continuously added but never removed, a blockchain can be qualified as an append-only data structure. Cryptographic hash-chaining makes the log tamper-evident, which increases transparency and accountability. Because of the hash linking one block to another, changes in one block change the hash of that block, as well as of all subsequent blocks. It is because of DLT's append-only nature that the modification and erasure of data cannot straightforwardly be implemented. DLT freezes facts (information entered can, as a general rule, not be changed) and the future (smart contracts' execution cannot be halted even where parties change their mind). Blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible.
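The tamper-evidence described above, as an added worked example that is not part of this policy or of SelfKey DAO's code: a minimal hash chain in which each block's fingerprint covers its transaction hash, timestamp and the previous block's hash, so editing any block breaks the link of every block after it. The block layout, sample transfers and the 12-second block interval are constructed assumptions for illustration only.

```python
import copy
import hashlib
import json
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    """One-way fingerprint: the 'hash' the text describes."""
    return hashlib.sha256(data).hexdigest()

GENESIS_PREV = "0" * 64  # the first block has no predecessor to link to

@dataclass
class Block:
    index: int
    timestamp: int
    transactions: list  # the block's payload
    prev_hash: str      # fingerprint of the preceding block

    def tx_hash(self) -> str:
        # Hash of all transactions in the block; canonical JSON keeps key order stable.
        return sha256_hex(json.dumps(self.transactions, sort_keys=True).encode())

    def header_hash(self) -> str:
        # The block's own fingerprint covers its payload hash, timestamp and prev_hash,
        # so any change below propagates into every later block's prev_hash check.
        header = f"{self.index}|{self.timestamp}|{self.tx_hash()}|{self.prev_hash}"
        return sha256_hex(header.encode())

def build_chain(tx_batches, start_ts=1_684_800_000, block_interval=12):
    """Append one block per batch, each linked to the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = Block(i, start_ts + i * block_interval, txs, prev)
        chain.append(block)
        prev = block.header_hash()
    return chain

def first_broken_link(chain, expected_head):
    """Index of the first block whose link fails to verify, or None if the chain is intact.
    The head hash must come from outside the chain (an auditor's own copy): nothing links
    *to* the last block, so a rewrite of it is only caught by comparing against the head."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        prev = block.header_hash()
    return None if prev == expected_head else len(chain) - 1

def tamper_and_check(chain, block_index, new_transactions):
    """Edit one block in a copy of the chain and report where verification first fails."""
    head = chain[-1].header_hash()
    forged = copy.deepcopy(chain)
    forged[block_index].transactions = new_transactions
    return first_broken_link(forged, head)

# Constructed sample batches (not real transactions): three blocks of token transfers.
SAMPLE_BATCHES = [
    [{"from": "0xaaa1", "to": "0xbbb2", "amount": 5}],
    [{"from": "0xbbb2", "to": "0xccc3", "amount": 2}, {"from": "0xaaa1", "to": "0xddd4", "amount": 1}],
    [{"from": "0xccc3", "to": "0xaaa1", "amount": 1}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("intact:", first_broken_link(chain, chain[-1].header_hash()))  # None
    # Editing block 1 changes its hash, so block 2's stored prev_hash no longer matches.
    print("block 1 edited ->", tamper_and_check(chain, 1, []))  # 2
    # Editing the last block is caught only by the comparison against the remembered head.
    print("block 2 edited ->", tamper_and_check(chain, 2, []))  # 2
```

Note that the check only proves the chain is consistent with a head hash the verifier already trusts; a ledger rewritten end to end is self-consistent, which is why real networks rely on replication and consensus rather than on one party's copy.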
Whereas data protection laws in some jurisdictions require that personal data that is processed be kept to a minimum and only processed for purposes that have been specified in advance, these principles can be hard to apply to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added. Such data is replicated on many different computers. Moreover, it can be unclear how the 'purpose' of personal data processing ought to be applied in the blockchain context, specifically whether this only includes the initial transaction or whether it also encompasses the continued processing of personal data (such as its storage and its usage for consensus) once it has been put on-chain.
In public and permissionless blockchains, anyone can run a node by downloading and running the relevant software – no permission is needed. In such an unpermissioned system, there are no identity restrictions for participation. Permissionless blockchains rely on open-source software that anyone can download to participate in the network. Block explorers are a form of search engine that, moreover, make such blockchain data searchable to anyone. The public auditability of these ledgers enhances transparency but minimizes privacy.
Regarding DLT usage, we should warn you about the following:
- subject to applicable laws, data typically stored on a distributed ledger, such as public keys and transactional data, generally can be qualified as personal data for the purposes of data protection laws;
- personal data that has been encrypted or hashed can also be qualified as personal data;
- usually (not always), we keep personal data private from the blockchain in an “off-chain” data store, with only its evidence (cryptographic hash) exposed to the chain;
- we believe that you are sufficiently sophisticated with regard to distributed ledger technologies, in general, to be able to safeguard yourself from the relevant risks.
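An added example (not part of this policy and not SelfKey DAO's implementation) of the "off-chain data store, hash on-chain" pattern named above, together with the reason hashed data can still be personal data: a bare SHA-256 of a record can be recomputed by anyone who already knows the record, so the on-chain value remains linkable to that person; a keyed hash whose salt stays in the off-chain store still lets the operator verify the record but denies that linkage to third parties. The record layout, the use of HMAC-SHA256 as the keyed hash, and the wallet value are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

def canonical(record: dict) -> bytes:
    """Stable serialization so the same record always hashes to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def plain_evidence(record: dict) -> str:
    """Bare SHA-256 of the record: what a naive 'hash it, then publish it' design puts on-chain."""
    return hashlib.sha256(canonical(record)).hexdigest()

def salted_evidence(record: dict, salt: bytes) -> str:
    """Keyed hash (HMAC): the salt lives in the off-chain store next to the record, never on-chain."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()

def verify_evidence(record: dict, salt: Optional[bytes], onchain: str) -> bool:
    """Check an off-chain record against its published hash (constant-time comparison)."""
    expected = plain_evidence(record) if salt is None else salted_evidence(record, salt)
    return hmac.compare_digest(expected, onchain)

def linkable_without_secret(record: dict, onchain: str) -> bool:
    """Can a third party who already knows the record tie it to the on-chain value?
    True for a bare hash, which is why hashed data can still count as personal data."""
    return hmac.compare_digest(plain_evidence(record), onchain)

# Constructed example record (not real user data): the kind of fact a Check might produce.
RECORD = {
    "wallet": "0x00000000000000000000000000000000000000aa",
    "check": "sanctions_screening",
    "result": "pass",
}

def demo() -> dict:
    off_chain_store = {}  # kept private by the operator: record plus its salt
    ledger = []           # the values that get published on-chain

    # Naive design: publish sha256(record) as the evidence.
    h_plain = plain_evidence(RECORD)
    ledger.append(h_plain)

    # Salted design: publish HMAC(salt, record); only the salt holder can recompute it.
    salt = secrets.token_bytes(32)
    h_salted = salted_evidence(RECORD, salt)
    off_chain_store[h_salted] = (RECORD, salt)
    ledger.append(h_salted)

    tampered = {**RECORD, "result": "fail"}
    return {
        "plain_verifies": verify_evidence(RECORD, None, h_plain),
        "salted_verifies": verify_evidence(*off_chain_store[h_salted], h_salted),
        "plain_linkable": linkable_without_secret(RECORD, h_plain),
        "salted_linkable": linkable_without_secret(RECORD, h_salted),
        "tampered_record_rejected": not verify_evidence(tampered, salt, h_salted),
        "published": ledger,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Even the salted value stays personal data for whoever holds the salt, and once published it cannot be removed from an append-only ledger, which is the limitation the warning above describes.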
IF YOU BELIEVE THAT DATA TRANSFERRED BY YOU TO A DISTRIBUTED LEDGER LIKELY DOES QUALIFY AS PERSONAL DATA FOR DATA PROTECTION LAW PURPOSES, WE APPRECIATE YOUR POSITION AND CANNOT RECOMMEND USING OUR SERVICES. OTHERWISE, THERE CAN BE FURTHER DIFFICULTIES IN THE EXECUTION OF ALL RIGHTS GRANTED BY DATA-PROTECTION LAWS IN YOUR JURISDICTION.
DATA TRANSFERRED TO A DISTRIBUTED LEDGER CAN BE CONSIDERED AS PERSONAL DATA WHICH ARE MANIFESTLY MADE PUBLIC BY YOU.
- SelfKey DAO is a decentralized autonomous organization ("DAO") that operates on a blockchain network. As a DAO, it is governed by its members and operates without a centralized authority. SelfKey DAO does not collect or process personal data in the traditional sense. SelfKey DAO does not have access to user data as it is decentralized and does not have a traditional data controller as defined under applicable data protection laws. Personal data may be processed and stored on the blockchain network and third-party applications or services integrated with SelfKey DAO. Therefore, you may be unable to exercise all your data protection rights as you would with a traditional data controller. SelfKey DAO is not responsible for any third-party applications or services integrated with the DAO. You are responsible for reading and understanding the privacy policies of these third-party applications or services.
- SelfKey DAO may entrust the data processing to third-party legal entities if the applicable data protection laws require so. For this purpose, personal data may be processed by the SelfKey DAO Foundation, a non-profit legal entity incorporated in the Cook Islands.
- "Personal data" is any information that can be used to identify you or that we can link to you as an individual.