SELFKEY.ORG PRIVACY POLICY

Last Updated: May 23, 2023

BY USING SELFKEY.ORG, YOU ARE CONSENTING TO THE COLLECTION, STORAGE, PROCESSING, AND TRANSFERRING OF YOUR PERSONAL DATA (IF ANY) AS DESCRIBED IN THIS PRIVACY POLICY.

This Privacy Policy applies to your use of the SELFKEY.ORG website, and any software, tools, features, or functionalities provided on or associated with the SELFKEY.ORG website (the “System”) and the services we provide that are accessible via the System (the “Services”), managed by SelfKey DAO (the “SelfKey DAO,” “we,” or “us,”). This Privacy Policy sets out the basis on which any personal data we collect from you or that you provide to us (if any) will be stored and processed by us (the “Privacy Policy”).

INFORMATION WE MAY COLLECT FROM YOU

From time to time, we may directly or indirectly collect or ask you to provide the following information (if any):

1. the ID of your crypto wallet(s) (wallet address);
2. results of your Checks according to the SELFKEY.ORG Terms and Conditions (the “Terms”);
3. your Discord account name and other public information;
4. contents of the message and/or attachments you may send other users or us;
5. also the following information:
   1. on whether you have SelfKey credentials and/or NFTs (including those representing facts about our or your title to digital or real-world assets);
   2. on whether you meet the criteria for particular activities offered within the Services;
   3. on your ownership of crypto coins and crypto tokens; 
   4. on whether a user invited third parties to use the Services; 
   5. on decisions you may make during the usage of the Services; 
   6. on whether you are included in sanctions lists;
   7. on whether you applied for Services usage previously;
   8. on your public posts on social networks;
   9. on our ENS subdomain;
   10. that we may receive according to the Reliance Flow as described in this Privacy Policy;
   11. that you explicitly share with us to use the Services.

In some jurisdictions and depending on particular circumstances, the aforementioned information can be considered your personal data.

We may also receive information from the following sources: 

• we work with third parties from time to time (for example, partners, sub-contractors in KYC, AML, technical, payment, and delivery services, advertising networks, analytics providers, search information providers, and credit reference agencies) who may provide us information about you;
• if you choose to link our Services to a third-party account, we may receive information about that account, such as your authentication token from a third-party account, to authorize linking. Please note that the information we may receive is governed by the privacy settings, policies, and/or procedures of a third party;
• we may also collect information from social media platforms that share information about how you interact with our social media content; and
• we may receive technical data related to your activities within the Service automatically from your browser, our servers, and our systems.

1. We may receive technical data related to your activities within the Service automatically from your browser, our servers, and our systems.

THE RELIANCE FLOW

To secure your actions within our system we may obtain certain information about you within the following flow (the “Reliance Flow”), if applicable:

1. you initiate an action, which is represented by an encrypted message to a third-party (credential issuer), which may contain your user wallet address and a request for specific information about you necessary to secure your further actions within the SelfKey DAO application; 
   • it means your wallet address and email address (stored on the local client on your computer without SelfKey DAO access to it) are directly transferred by you to a third-party (credential issuer) to initiate identity verification and other Checks; 
2. you transfer this encrypted message to a third-party (credential issuer);
3. a third-party (credential issuer) returns to you a new encrypted message that allows you to continue your transaction within SelfKey DAO;
4. SelfKey DAO may further request specific information about you from a credential issuer to ensure the security of transactions and to provide you with the Services.

The interconnection within the Reliance Flow is automatic, encrypted (without your direct access), tied to your wallet address, and made by you as an intermediary.

Please be informed that the Reliance Flow may secure all your transactions and interactions within the System. By stopping using the Service, you automatically revoke your consent to the usage of the Reliance Flow.

USES MADE OF YOUR PERSONAL DATA

We may use your personal data to:

1. provide, troubleshoot, and improve the Services (using our own systems and third-party service providers);
2. analyze usage and performance of the Services;
3. communicate with you, including without limitation, to inform you of updates to the System, our Terms, and/or this Privacy Policy; provide you with marketing materials; respond to your inquiries and requests;
4. perform market and customer researches;
5. investigate and/or prevent suspected fraud, other criminal activities, or intellectual property infringement; prevent and detect abuse to protect the security of our users, the Services, and others;
6. comply and enforce applicable regulations and agreements, including enforcing our Terms or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency;
7. comply with our Know Your Customer (“KYC”) obligations under applicable laws and regulations, and Anti-Money Laundering (“AML”) laws and regulations (to the extent laws and regulations require);
8. operate the System;
9. develop aggregate analysis and business intelligence that enable us to protect, make informed decisions, and report on the performance of the System;
10. disclose data to potential acquirers of the project, including legal advisors and auditing service providers in case of a merger, acquisition, or selling the whole or part of the System; and
11. disclose data to our service providers, including the transfer of your personal data (including biometric data) to carry out the Check partially or wholly.

We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.

LEGAL BASIS

Our legal basis for the use of personal data:

1. Performance of the Terms: when we provide you with the Services or communicate with you about them;
2. Legal obligation: to comply with our legal obligations under applicable laws and regulations, including Anti-Money Laundering laws and regulations;
3. Our legitimate interest in operating the System and communicating with you as necessary to provide these Services (for example, when improving our System, undertaking marketing, or for the purposes of detecting or preventing illegal activities to protect the security of our users, ourselves, or others); in addition, when processing personal data strictly necessary and proportionate to ensure network and information security; and
4. Your consent when we ask for your consent to process your personal data for a specific purpose that we communicate to you in this Privacy Policy. When you consent to process your personal data for a specified purpose, you may withdraw your consent at any time, and we will stop processing your data for that purpose.

PERSONAL DATA TRANSFER

1. SelfKey DAO may share users' personal data only as described below and with the subsidiaries or affiliates of SelfKey DAO that are either subject to this Privacy Policy or follow practices at least as protective as those described in this Privacy Policy.
2. We employ companies and individuals to perform certain functions, including the performance of the Checks. Examples include analyzing data, providing marketing assistance, processing payments, transmitting content, and providing KYC/AML solutions. For the purposes of the Checks, we employ various contractors and transfer your personal data to them. These third-party service providers only have access to personal data needed to perform their functions but may not use it for other purposes. Further, they must process the personal data in accordance with agreements and only as permitted by applicable data protection laws.
3. Certain of your personal data may be shared with other users of the website as part of the normal operation of the Services.
4. We may, from time to time, expand or reduce our project, which may involve the transfer of certain divisions to other parties, and the data we process, where relevant, may be transferred to such third parties.
5. We may also share information to (a) satisfy any applicable law, regulation, legal process, or governmental request; (b) enforce this Privacy Policy and our Terms, including investigation of potential violations hereof or thereof; (c) detect, prevent, or otherwise address fraud, security, or technical issues; (d) respond to your requests; or (e) protect our rights, property or safety, our users and the public. This may include exchanging information with companies and organizations for various purposes.
6. As it is mentioned in this Privacy Policy, SelfKey DAO may transfer your data outside of the European Economic Area or to locations that may have different data protection laws to your jurisdictions or no data protection laws. SelfKey DAO puts in place reasonable technical, organizational, and contractual safeguards (including Standard Contractual Clauses, if applicable) to ensure that such transfer is carried out in compliance with applicable data protection rules, except where the country to which the data is transferred has already been determined by the European Commission to provide an adequate level of protection.
7. We may use industry-standard data analytics tools claimed to be GDPR-compliant and CCPA-compliant.

SOULBOUND TOKEN AND OTHER NFTS

1. The Services may allow you to mint your unique SoulBound Token (the “SoulBound Token”) or other NFTs containing your credentials (together - “NFT” or “NFTs”). An NFT is a non-fungible, non-tradable token that is minted on the Ethereum blockchain. Due to the peculiarities of DLTs, neither you nor we can amend or erase information about your NFT once it is minted (for more details, please refer to the respective section of this Privacy Policy), even if you ‘burn’ it by sending it to a special address. Please take this into account before using our Services.
2. A SoulBound Token and other NFTs are associated with your wallet ID; please be informed that a wallet ID may be considered personal data in some jurisdictions. PLEASE DO NOT USE OUR SERVICE IF YOU DO NOT WANT TO SHARE YOUR WALLET ID(S) IRREVERSIBLY AND PUBLICLY.
3. Your SoulBound Token may contain information about a legal person or individual (a credential issuer) who checked a particular information about you depending on the scope of the Check you’ve passed. 

IF YOU DISCLOSE YOUR SOULBOUND TOKEN TO A THIRD PARTY, IT WOULD BE POSSIBLE FOR SUCH A THIRD PARTY TO ASK YOUR CREDENTIAL ISSUER FOR SPECIFIC INFORMATION ABOUT YOU, WHICH MEANS SUCH A THIRD PARTY MAY RECEIVE YOUR PERSONAL DATA FROM A CREDENTIAL ISSUER. THE SYSTEM MAY ALSO ALLOW YOU TO SHARE YOUR PERSONAL DATA WITH THIRD PARTIES.

1. CONSENT FOR INTERNATIONAL DATA TRANSFERS TO THIRD COUNTRIES: The System and SelfKey DAO work worldwide; therefore, you hereby agree that the System or we may transfer your personal data, mentioned in these Terms, to a third country that may be made in the absence of an adequacy decision or appropriate safeguards, according to the applicable legislation. This consent also applies to specific personal data transfers: each time you disclose your SoulBound Token  to a third party located outside European Economic Area, the System or a credential issuer may transfer your personal data to such a third party. In a third country, there might not be a supervisory authority, and/or data processing principles and/or data subject rights might not be provided for in the third country.
2. You hereby acknowledge and agree that before presenting your SoulBound Token  to a third party, you must review a third party’s privacy policy. By disclosing your SoulBound Token  to a third party, you confirm the transfer of your personal data from the System and/or your credential issuer to such a third party and accept processing by such a third party of your personal data received from a credential issuer.

WE MAKE NO WARRANTY OR REPRESENTATION AND DISCLAIM ALL RESPONSIBILITY FOR YOUR INTERACTIONS WITH CREDENTIAL ISSUERS AND ANY THIRD PARTIES, EVEN IN CASE THEY ALSO USE THE SERVICES. THEY HAVE THEIR PRIVACY POLICIES, AND THEY ARE SOLELY RESPONSIBLE FOR THE LAWFULNESS OF YOUR PERSONAL DATA PROCESSING.

ADVERTISING

1. In order for us to provide you with the best user experience, we may share your personal data with our marketing partners for the purposes of targeting, modeling, and/or analytics, as well as marketing and advertising. You may opt out of sharing personal data with our marketing partners unless we have a legitimate interest. If you wish to invoke this right, please contact us through the information we provide under the section entitled "Contact" below.
2. We and/or our trusted partners may contact you from time to time with offers that may interest you and/or inform you of other products and services.

DURATION OF PERSONAL DATA PROCESSING

1. Your personal data will be processed only for as long as necessary. We keep your personal data to enable your continued use of the Services for as long as it is required to fulfill the relevant purposes described in this Privacy Policy and as may be required by law, such as for compliance with Anti-Money Laundering laws or as otherwise communicated to you.
2. The processing of your personal data may take place after you opt-out - for the purpose of the System security, according to our other legitimate interests.
3. The general personal data retention period is five (5) years which is based on the applicable limitation period for enforcing legal claims and the statutory retention period in the case of accounting documents.

YOUR RIGHTS

If you have any questions, requests, or objections regarding your personal data processing, please contact us through the information we provide under the section entitled "Contact" below. 

Subject to applicable law and this Privacy Policy, you may have the following rights:

1. Right to access: you have the right to obtain confirmation that your data are processed and to obtain a copy of it as well as certain information related to its processing;
2. Right to rectify: you can request the rectification of your data which are inaccurate and also add to it. You can also change your personal data in your account at any time;
3. Right to delete: you can, in some cases, have your data deleted;
4. Right to object: you can object, for reasons relating to your particular situation, to the processing of your data. You may ask us to restrict the processing of your personal data;
5. Right to limit the processing: in certain circumstances, you have the right to limit the processing of your data;
6. Right to portability: in some cases, you can ask to receive the data that you have provided to us in a structured, commonly used, and machine-readable format or, when this is possible, that we communicate your data on your behalf directly to another data controller;
7. Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter, nor will it affect the processing of your personal data conducted in reliance on lawful processing grounds other than consent;
8. Right to define the instructions relating to the use of your personal data post-mortem: you have the right to define instructions relating to the retention, deletion, and communication of your data after your death;
9. Right to non-discrimination: you have the right not to receive discriminatory treatment as a result of your exercise of rights conferred by laws applicable in your jurisdiction; and
10. Right to lodge a complaint to the relevant data protection authority: procedure depends on your jurisdiction and is subject to local regulations. For more information, please contact your local data protection authority.

You may have other rights according to applicable legislation in your jurisdiction.

You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, follow the instructions found at the end of the email or contact us through the information we provide under the section entitled "Contact" below. Even if you unsubscribe to these types of emails, we may still contact you for informational, transactional, account-related, or similar purposes.

SECURITY OF YOUR INFORMATION

1. We take reasonable industry-standard care in keeping all our data secure and in preventing any unauthorized access or unlawful use of it. We design our systems with your security and privacy in mind. We work to protect the security of your personal data during transmission by using encryption protocols and software.
2. We maintain physical, technical, electronic, and procedural safeguards in connection with the collection, storage, and disclosure of your personal data.
3. We do not use browser cookies to collect and store certain information when you use, access, or interact with our Services.
4. Our security procedures mean we may ask you to verify your identity to protect against unauthorized access to your account. 
5. We recommend using unique passwords not utilized for other online accounts and signing off when you finish using a shared computer. We do not receive nor store your private keys, seed phrases, addresses, or passwords. We cannot assist you with the retrieval of any such information. You acknowledge and agree that you should safely store a backup of your addresses, passwords, private keys, and seed phrases.

THIRD-PARTY SERVICES AND CONTENT

1. Our Services may include integrated content or links to content or services provided by third parties (such as on outside Systems). This Privacy Policy does not address the privacy, security, or other practices of the third parties that provide such content or services. We are not responsible for the privacy policies and/or practices of these third parties, and we encourage you to review their privacy policies and their terms of service carefully. 
2. The Services may utilize iframes to display content, services, or products third-party entities provide. Users acknowledge and understand that the integration of such iframes is for convenience and informational purposes only and does not constitute an endorsement or recommendation of the third-party services by us. Users acknowledge and agree that any interaction with or reliance upon third-party services displayed within iframes on the Services is solely at their own risk. SelfKey DAO shall not be responsible or liable for any loss or damage incurred due to such interactions or reliance. Users acknowledge and agree that it is their responsibility to review and understand the privacy policies and terms of use of any third-party services displayed within iframes. SelfKey DAO shall not be responsible for the content, accuracy, validity, or enforceability of third-party privacy policies and terms of use.
3. The Services may incorporate a third-party AI chatbot for user convenience and to enhance the user experience. Users acknowledge and understand that the AI chatbot is provided by a third-party entity, not SelfKey DAO. Users acknowledge and agree that the third-party AI chatbot may collect information, such as messages, questions, or data users enter during their interactions with the chatbot. The third-party entity's privacy policy governs the collection and processing of such information and terms of use. Users are responsible for reviewing and understanding the third-party AI chatbot provider's privacy policy and terms of use. SelfKey DAO shall not be responsible for the content, accuracy, validity, or enforceability of third-party privacy policies and terms of use. SelfKey DAO shall not be liable for any direct, indirect, incidental, special, consequential, punitive, or exemplary damages resulting from or in connection with the use of the third-party AI chatbot or the collection and processing of user information by the chatbot provider, even if SelfKey DAO has been advised of the possibility of such damages.

CHILDREN UNDER EIGHTEEN

SelfKey DAO is not directed to children under the age of eighteen, and SelfKey DAO will never knowingly collect personal data from children under the age of eighteen. If you are under the age of eighteen, you must ask your parent or guardian for permission to use our Services.

AUTOMATED DECISION-MAKING AND FACIAL SCAN POLICY

1. We may carry out automated decision-making following the results of the Check (as it is defined in the Terms) and to decide whether we can provide Services or their part to you and on what terms. In particular, we may use an automated engine to process the personal information you provide as part of the application process. Without this information, we are unable to secure our network and provide Services to you and other users.
2. The significance and the envisaged consequences of such processing for you are limited to a potential inability to use our Services and obtain the Credentials. You hereby agree that your legal rights or legal status are not impacted by our possible automated decision-making.
3. In some jurisdictions, your selfie/photographs, being subject to specific technical processing, can be considered biometric data and fall under specific regulations. Please be informed that our automated decision-making includes automated processing of your selfie/facial images (including by an artificial intelligence, if any). By extracting and comparing numerical biometric data from facial scan data, our system assesses whether a person in the photo is likely to be the same person pictured in the identity document. We may also automatically compare your different facial photos.

YOU HEREBY GIVE YOUR EXPLICIT CONSENT TO AUTOMATED DECISION-MAKING, INCLUDING THOSE BASED ON YOUR BIOMETRIC DATA. IF THE AUTOMATED DECISION-MAKING AND/OR FACIAL SCAN PROCESSING ARE PROHIBITED IN YOUR JURISDICTION, PLEASE DO NOT USE OUR SERVICES.

1. After the automatic decision has been made, you have the right to contact us to review the decision, provide a more detailed explanation and exercise other rights you may have under the applicable legislation. If you wish to invoke these rights, please contact us through the information we provide under the section entitled "Contact" below.
2. By proceeding to use our Service, you agree that you have read, understand, and voluntarily consent to this Automated Decision-Making and Facial Scan Policy, that you release any claims related to your facial scan data and that you confirm that you are not accessing the Services in any jurisdiction where the services are not permitted by applicable law.

ONGOING MONITORING AND DATA ACCURACY

1. By using our website and Services, you acknowledge and agree that we and/or credential issuers have the right to periodically and automatically monitor your Credentials and the accuracy of the personal data you have provided. This is to ensure the security and integrity of our Services and to maintain a high-quality user experience for all users.
2. In the event that our or credential issuers’ monitoring systems detect discrepancies, inaccuracies, or changes in your personal data, we reserve the right, at our sole discretion, to suspend, terminate, or restrict your access to our Services. This may include but is not limited to, situations where your personal data is outdated, incorrect, or has been altered without our knowledge.
3. We are not liable for any consequences or damages you may suffer as a result of our decision to suspend, terminate, or restrict your access to our Services due to discrepancies, inaccuracies, or changes in your personal data. By using our Services, you accept this risk and agree to hold us harmless for any losses or damages you may incur.
4. It is your responsibility to ensure that the personal data you provide to us is accurate, complete, and up-to-date. You agree to promptly update your personal data whenever there is a change in your information in order to maintain your eligibility for continued use of our Services.

DISTRIBUTED LEDGER TECHNOLOGIES, DAO AND DATA PRIVACY LAWS

SelfKey DAO uses distributed ledger technologies (“DLT”) while providing Services to you. Please find below the most crucial issues you should know about these technologies.

A blockchain is often structured as a chain of blocks. A single block groups together multiple transactions and is added to the existing chain of blocks through a hashing process. A hash function (or 'hash') provides a unique fingerprint that represents information as a string of characters and numbers. It is a one-way cryptographic function, designed to be impossible to revert. The blocks themselves are made up of different kinds of data, which includes a hash of all transactions contained in the block (its 'fingerprint'), a timestamp, and a hash of the previous block that creates the sequential chain of blocks. Some of this data can be qualified as personal data in some jurisdictions.

Because blocks are continuously added but never removed, a blockchain can be qualified as an append-only data structure. Cryptographic hash-chaining makes the log tamper-evident, which increases transparency and accountability. Because of the hash linking one block to another, changes in one block change the hash of that block, as well as of all subsequent blocks. It is because of DLT's append-only nature that the modification and erasure of data cannot straightforwardly be implemented. DLT freezes facts (information entered can, as a general rule, not be changed) and the future (smart contracts' execution cannot be halted even where parties change their mind). Blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible.

Whereas data protection laws in some jurisdictions require that personal data that is processed be kept to a minimum and only processed for purposes that have been specified in advance, these principles can be hard to apply to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added. Such data is replicated on many different computers. It is moreover can be unclear how the 'purpose' of personal data processing ought to be applied in the blockchain context, specifically whether this only includes the initial transaction or whether it also encompasses the continued processing of personal data (such as its storage and its usage for consensus) once it has been put on-chain.

In public and permissionless blockchains, anyone can entertain a node by downloading and running the relevant software – no permission is needed. In such an unpermissioned system, there are no identity restrictions for participation. Permissionless blockchains rely on open-source software that anyone can download to participate in the network. Blockexplorers are a form of a search engine that moreover make such blockchain data searchable to anyone. The public auditability of these ledgers enhances transparency but minimizes privacy.

Regarding DLT usage, we should warn you about the following:

1. subject to applicable laws, data typically stored on a distributed ledger, such as public keys and transactional data, generally can be qualified as personal data for the purposes of data protection laws;
2. personal data that has been encrypted or hashed can also be qualified as personal data;
3. usually (not always), we keep personal data private from the blockchain in an “off-chain” data store, with only its evidence (cryptographic hash) exposed to the chain;
4. we believe that you are sufficiently sophisticated with regard to distributed ledger technologies, in general, to be able to safeguard yourself from the relevant risks.

IF YOU BELIEVE THAT DATA TRANSFERRED BY YOU TO A DISTRIBUTED LEDGER LIKELY DOES QUALIFY AS PERSONAL DATA FOR DATA PROTECTION LAWS PURPOSES, WE APPRECIATE YOUR POSITION AND CAN NOT RECOMMEND USING OUR SERVICES. OTHERWISE, THERE CAN BE FURTHER DIFFICULTIES IN THE EXECUTION OF ALL RIGHTS GRANTED BY DATA-PROTECTION LAWS IN YOUR JURISDICTION.

DATA TRANSFERRED TO A DISTRIBUTED LEDGER CAN BE CONSIDERED AS PERSONAL DATA WHICH ARE MANIFESTLY MADE PUBLIC BY YOU.

1. SelfKey DAO is a decentralized autonomous organization ("DAO") that operates on a blockchain network. As a DAO, it is governed by its members and operates without a centralized authority. SelfKey DAO does not collect or process personal data in the traditional sense. SelfKey DAO does not have access to user data as it is decentralized and does not have a traditional data controller as defined under applicable data protection laws. Personal data may be processed and stored on the blockchain network and third-party applications or services integrated with SelfKey DAO. Therefore, you may be unable to exercise all your data protection rights as you would with a traditional data controller. SelfKey DAO is not responsible for any third-party applications or services integrated with the DAO. You are responsible for reading and understanding the privacy policies of these third-party applications or services. 
2. SelfKey DAO may entrust the data processing to third-party legal entities if the applicable data protection laws require so. For this purpose, personal data may be processed by the SelfKey DAO Foundation, a non-profit legal entity incorporated in the Cook Islands.

CHANGES TO THIS PRIVACY POLICY

1. We reserve the right to change this Privacy Policy at any time. Any changes we may make to this Privacy Policy will be posted on the System. 
2. Please check the Privacy Policy available on the System from time to time. In the event of any such change, by continuing to use the System, you agree to the relevant change.

MISCELLANEOUS

1. "Personal data" is any information that can be used to identify you or that we can link to you as an individual. 
2. This Privacy Policy is part of and incorporates, by reference, the Terms. Capitalized terms not defined in this Privacy Policy are defined in the Terms.

CONTACT

Questions, comments, and requests regarding this Privacy Policy are welcomed and should be addressed to [email protected]