Last update
July 15, 2024

Privacy Policy

This is the Privacy Policy for idOS. It governs your personal data which is processed in the context of an agreement entered into on the participation in and/or use of the idOS and all related software and applications (“idOS”), including the use of idOS website (“Website”), the idOS User Data Dashboard (“Dashboard”) and the idOS SDK (“SDK”). idOS’ Transparency Document with all Privacy Rights and Information, for example to comply with Art. 13 and 14 GDPR and CCPA/CPRA, is available here. In terms of this policy, 'processing' means any operation or set of operations which is performed on your personal data. This personal data may include personal details, details about the way you access the idOS, its website, software, among others and is described below in more detail. 

This remainder of the policy shall provide information on the processing, the legal basis upon which the Personal data is processed and how you may exercise your rights over your Personal Data. Where this Policy refers to provisions contained in the General Data Protection Regulation (GDPR), these provisions shall apply. In case of any conflict between the GDPR and the terms of the Privacy Policy, the provisions of the GDPR shall prevail. 

1. Controller and Processor 

We are your data controller only in the context of the Website and for personal information that idOS Association (“idOS Association”) is processing. 

In case users grant access to their data being stored on idOS to third-partiy viewers (e.g. dApps) (“Viewers”), which may be associated with a time-lock, then such viewers are users’ data controllers for such processing operation. 

2. Purpose and Legal basis for the processing 

In order to use idOS users may need to register and create an account. Usage of the idOS may require the submission of certain necessary information. Usage may not be possible without submitting the information stated as necessary at registration. Therefore, in case such information includes personal data, the processing of personal data in this case is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR. 

After registration, users are able to voluntarily upload personal data that should be user-encrypted, which initially is done via the relevant node operator (“Node Operator”) as the intermediary, upon user instruction, under the terms of the User Agreement users entered into in the context of idOS, and store these within idOS for different purposes, such as so that they may use certain services or software provided by viewers. The legal basis for this processing of personal data is Art. 6 (1) (b) of the GDPR. Addtionally, for users’ information that a Node Operator uploaded into idOS upon user instruction, such Node Operator is a controller while other Node Operators are processors.

In case users grant access to their data to viewers for the purpose of registering and/or maintaining an account and/or business relationship with such viewers, in such a case the viewer is the controller of such processing and the legal basis is a contractual obligation between the user and the viewer pursuant to Art. 6 (1) (b) of the GDPR or otherwise as determined by such a controller. Such access may be revoked at any time by users, depending on the existence of an associated time-lock. 

In the context of users granting access to their personal data to viewers, a record is created in the smart contract in the respective blockchain that the idOS monitors, as per user and viewer instruction under the terms of the User Agreement entered into in the context of idOS, which then checks such contracts for the existence of such a grant and it will act accordingly, sharing the corresponding data with the authorized viewer if such a grant exists. As a result, the information available on-chain is only that a certain wallet address has shared certain data with another wallet address and therefore third parties likely cannot identify users or viewers with the information written on-chain. Please be aware that it is technically impossible to delete any elements written on-chain after being written and that as technology evolves, identification could became more likely. 

In order to notify you of the “Deals” (e.g., bonuses for registering with partners, discounts in trading fees when using partners’ services, etc.) idOS Association sources for you and provide you with the information you need to participate in the Deals, as instructed by you under the terms of the idOS User Agreement entered into with you, idOS Association will process your personal data in order to send you communications. Without being able to process your personal data for this purpose, idOS Association would not be able to perform the services agreed to with you. Therefore, the processing of your personal data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR. 

In case rewards are made available to you, under the terms of the User Agreement you entered into in the context of idOS or any other separate terms and conditions, we process your personal data in order to communicate with you results as well as to distribute rewards. Without being able to process your personal data for this purpose, we would not be able to perform the services we have agreed to with you. Therefore, the processing of your personal data is required to carry out our services to which the legal basis is Art. 6 (1) (b) of the GDPR. 

We may use your personal data in order to send you marketing information or emails if you have agreed to receive such. If you have agreed to such, then we may also use the personal data that we collect in order to send you information on the products and services offered by us or our third-party partners. The legal basis for the processing of such personal data, for which we are the controller is your consent pursuant to Art. 6 (1) (a) of the GDPR. 

If you voluntarily submit a customer support request via an email, chat or other correspondence system we will also process your personal data for the purpose of fulfilling such request. The legal basis for the processing of such personal data, for which we are the controller is your consent pursuant to Art. 6 (1)(a) of the GDPR. Further, while providing information to us, we may need to contact you to be able to provide services correctly. The

legal basis for the processing of such personal data, for which we are the controller is your consent pursuant to Art. 6 (1)(a) of the GDPR. 

Finally, we also process your personal data for the purposes of the legitimate interests, in order to ensure the integrity, security and availability of idOS and your personal data to you, us and the viewers you have authorized. The legal basis for the processing of such data, for which we are the controller is Art. 6 (1) (f) of the GDPR. 

3. Transfer to third countries 

The idOS will run a Network of Nodes at launch and foundational partners will be the first parties to this Network of Nodes. At launch, the Network of Nodes allows for personal data to be stored within the EU or, in the case that it is not and personal data is transferred to outside the territorial scope of the GDPR, it is ensured that there is either an adequacy decision by the European Commission or that a similar level of data protection compared to the GDPR is guaranteed e.g. by the use of the contractual clauses at least as protective as those provided by the EU Commission. 

Whenever your personal data is transferred outside the European Economic Area (EEA), Switzerland, or the United Kingdom, we aim to ensure it receives similar protection: (i) we or our service providers will transfer your data to countries recognized by the European Commission as having an adequate level of data protection (more information here) (ii) when certain vendors are used by us or our service providers, we may employ specific contracts approved by the European Commission that ensure the same level of protection for your personal data as in Europe: the idOS’ general terms and conditions for data protection, which include, among other things, all five versions of the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, a Data Processing Agreement governed by UK law, a CCPA-CPRA Contractor Agreement and a Data Protection and Confidentiality Agreement for suppliers, will automatically form part of all agreements entered into with us. We or our service providers will transfer your data to countries recognized by the European Commission as having an adequate level of data protection (more information here). 

If you need more details on the specific mechanism used to transfer your personal data outside your jurisdiction, please contact us. 

4. Recipients of Data 

In connection with idOS, we may use third party service providers to provide us with necessary services. We may transfer your personal data to these service providers for further processing based on the terms of this privacy policy and the transparency document or on the basis of your agreement to use idOS. All transfer of data is undertaken by way of secure connections to these service providers. These service providers only receive your personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for

which your personal data are processed. These include, but may not be limited to, the following categories of service providers: monitoring services, server hosting providers, newsletter senders, customer relationship or support services, website hosting services, email sending services, web traffic analysis providers. 

Additionally, within idOS, users may share their personal data with viewers so that they may register and/or maintain an account and/or business relationship with them, as further explained under Section 2 above. 

We employ automated systems and software to monitor usage of our website, such as Cookie3 Analytics, which is utilized for both analytical and marketing purposes. Cookie3 Analytics is a resource employed to gather information on how users interact with our website, and it helps in constructing profiles of user activities. For detailed information about how Cookie3 Analytics processes data, please consult the Cookie3 Privacy Policy. Additionally, we might use other methods of analysis to assess our website. These tools aid us in enhancing the website's functionality and the experiences of our users. These entities might use cookies and tracking methods to provide their services. Your Personal Information is not disclosed by us to these third parties. 

5. The categories of personal data we process 

Customer data, data of potential customers, data of employees and data of suppliers. 

As described above, it may be required that you provide certain information in order to register within idOS. 

Specifically, we may also collect and process information about the device you use, location settings of the device, your IP address and your contact information. 

We may send you direct advertising about our own goods or services that are similar to those you have requested, ordered or purchased. You may object to direct advertising at any time (e.g. by e-mail). In doing so, you will not incur any costs other than the transmission costs according to the basic rates. 

6. Your rights when your Personal Data are being processed 

We guarantee you the applicable rights of the applicable data protection laws. Please note that we will require you to provide us with proof of identity before we respond to any requests for the exercise of your rights. 

To exercise any of your rights, please contact us at: 

idOS Association 

Email: legal@idos.network 

As soon as personal data is being processed, you have the following rights:

(a) Right of access 

Pursuant to Art. 15 GDPR, you have the right to access the personal data concerning you. The right to access extends to all data processed by us. The right can be exercised easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing (Recital 63 GDPR). You may contact us to exercise the right to access. 

(b) Right to rectification 

In accordance with Art. 16 GDPR, you are entitled to demand that we rectify your personal data if they are inaccurate or erroneous. Moreover, you are entitled, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement. You may contact us to exercise the right of rectification. 

(c) Right to restriction of processing 

In accordance with Art. 18 GDPR, you have the right to demand a restriction of processing for your personal data if one of the conditions set out in Article 18(1) lit. a-d GDPR is fulfilled. This may result in us being no longer able to offer you services. However, if we stop processing the Personal Data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. to comply with regulatory obligations, for the defence of legal claims or for the protection of another natural or legal persons or for reasons of important public interest of the EU or a Member State). You may contact us to exercise the right to restrictions of processing. 

(d) Right to erasure (‘right to be forgotten’) 

In accordance with Art. 17 GDPR, you have the right to have your personal data erased without undue delay. This does not include your personal data that has to be stored due to statutory provisions or in order to assert, execute or defend legal claims. Please note that after deleting the Personal Data, we may not be able to provide the same level of servicing to you as we will not be aware of your preferences. You may contact us to exercise the right to erasure. 

(e) Right to data portability 

Pursuant to Art. 20 GDPR, you have the right to receive your personal data provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to a third party without hindrance from us, if: 

● The processing is based on consent pursuant to Article 6 (1)(a) GDPR or on a contract pursuant to Article 6 (1)(b) GDPR; and 

● The processing is carried out by automated means. 

The relevant subset of Personal Data is data that you provide us with your consent or for the purposes of performing our contract with you. You may contact us to exercise the right to data portability. 

(f) Right to object

Pursuant to Art. 21 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data which is based on Article 6 (1) lit. e) or lit. f) GDPR, including profiling based on those provisions. However, your personal data might continue to be processed if compelling legitimate grounds for processing which override your interest, rights and freedoms can be demonstrated or if the processing is for the establishment, exercise or defence of legal claims. You may contact us to exercise the right to object. 

(g) Right to withdraw your consent 

You have the right to withdraw your consent under the data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of your consent regarding your personal data may lead us not be able to provide the same level of servicing to you as the whole contractual relationship between us and You is dependent on personal data. You may contact us to exercise the right to withdraw your consent. 

(h) Right to lodge a complaint with a supervisory authority 

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. You have the right to address the supervisory authority for any questions or complaints. 

7. Data Retention 

We will not retain your personal data for longer than is necessary for the purpose it was collected. Should we have a legal obligation to continue storing your personal data, either on our own behalf, or on behalf of a third party, we will delete the data as soon as that legal obligation ends. 

8. Contact Details 

idOS Association 

E-mail: legal@idos.network 

9. E-mail advertising to customers or prospective custumers 

We may send you advertising using electronic mail if the advertising is in connection with the sale of products or services from us, if we received the electronic mail address from you, and use this address for direct advertising for our own similar goods or services, and you have not objected to the use. You were clearly informed when the address was collected and will be

clearly informed each time it is used that you can object to the use at any time without incurring any costs other than the transmission costs according to the basic rates. 

10. Webinars and Online-Meetings 

We organize webinars and invite customers, prospective customers, service providers and suppliers, including their and our employees, to online meetings. We use different third-party providers (operators of online meeting applications, application providers). Which third-party provider we use for a specific webinar or online meeting is recognizable from the participation link. You can find the privacy policy and, if applicable, additional legally required information on the website of the respective third-party provider. 

By registering, accepting, and/or participating in a webinar or online meeting, you explicitly consent to your personal data being processed for the purposes of registering, planning, organizing and conducting the webinar or online meeting, which includes transfers to third-party providers (which may be located in a third country), and to audio, film or photo recordings being transmitted and/or published, and/or published to other participants as part of the webinar or online meeting. By a single action, you give multiple consents. By registering, accepting, in and/or participating, you also voluntarily give your explicit consent pursuant to 49 (1) (1) (a) GDPR for data transfers to third countries for the purposes of registration, planning, organization and implementation of the webinar or online meeting, in particular for such transfers to third countries for which an adequacy decision of the EU/EEA is absent or does exist, and to companies or other entities that are not subject to an existing adequacy decision on the basis of self-certification or other accession criteria, and that involve significant risks and no appropriate safeguards for the protection of your personal data (e.g., because of Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). We hereby inform you in advance regarding your voluntary and explicit consent that in third countries there may not be an adequate level of data protection and that your data subject rights may not be enforceable, and that published personal data may not be deleted, may not be altered or may not be made anonymous at all, only conditionally and/or with a delay. You give your consent voluntarily. You are not obligated to give consent and may choose to stay away from or not participate in the webinar or online meeting, which we will consider a refusal of our request to give consent. You have the right to withdraw your data protection consent in whole or in part at any time with effect for the future, in particular by deactivating, switching off or not activating your sound, film or photo transmissions during the webinar or online meeting. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. By your action, you also confirm that you have read and acknowledged this Privacy Policy and the transparency document linked in it. 

11. Changes to the privacy policy or the purpose of processing 

This Policy was last updated on the effective date noted above. This Policy may be amended or updated from time to time to reflect changes in our privacy practices with respect to the processing of personal data or changes in the applicable law. We encourage you to save this Privacy Policy locally on your device and to regularly check this page so that you may review

any changes we might make. If we make a material change to the Privacy Policy, you will be provided with appropriate notice.