Privacy Policy

CryptoChain Foundation ("we," "us," or "our") collects information necessary to provide, secure, and continuously improve our blockchain platform and associated services. The categories of data we collect depend on how you interact with CryptoChain.

1.1 Information You Provide Directly

• Account Registration: Full name, email address, password (hashed), date of birth, and country of residence when you create a CryptoChain account.
• KYC / AML Verification: Government-issued identity documents (passport, national ID, driver's license), proof of address, selfie or biometric data collected through our KYC partner Sumsub.
• Financial Information: Bank account details, payment card information (processed securely via our PCI-DSS-compliant payment processors — we do not store raw card numbers), and wallet addresses.
• Communications: Messages, support tickets, feedback forms, and any other correspondence you send to us.
• Staking & Governance: Validator registration information, governance votes, delegation preferences, and associated wallet public keys.

1.2 Information Collected Automatically

• Device & Browser Data: IP address, device type, operating system, browser type and version, hardware fingerprint.
• Usage Analytics: Pages visited, features used, time on platform, click paths, session duration, and error logs.
• Transaction Data: On-chain transaction hashes, wallet addresses, token amounts, timestamps, and smart contract interactions (note: on-chain data is publicly available by nature).
• Location Data: Approximate geographic location derived from IP address for fraud prevention and regulatory compliance. We do not collect precise GPS location.

1.3 Information from Third Parties

• Identity verification results from KYC/AML partners (Sumsub, Jumio)
• Risk scoring data from fraud prevention services (Chainalysis, Elliptic)
• Social profile information if you connect OAuth accounts (Google, Apple)
• Publicly available information for compliance and due diligence purposes

We use the information we collect only for specific, legitimate purposes directly related to operating and improving our platform. We do not sell your personal data to third parties for marketing or advertising purposes.

We will never use your personal data for behavioural advertising, sell it to data brokers, or share it with unrelated third parties for their own marketing purposes.

Under the General Data Protection Regulation (GDPR) and other applicable privacy laws, we rely on the following legal bases for processing your personal data:

• Contractual Necessity (Art. 6(1)(b) GDPR): Processing required to deliver our platform services and fulfil our Terms of Service obligations. This includes account management, transaction processing, and customer support.
• Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with AML/CFT regulations, FATF Travel Rule obligations, tax reporting requirements, and responses to lawful law enforcement requests.
• Legitimate Interests (Art. 6(1)(f) GDPR): Processing necessary for fraud prevention, network security monitoring, platform analytics (where such interests are not overridden by your rights), and internal business operations.
• Consent (Art. 6(1)(a) GDPR): For optional services including marketing communications, optional analytics cookies, and certain third-party integrations. You may withdraw consent at any time.
• Vital Interests (Art. 9(2)(c) GDPR): In limited emergency circumstances where processing biometric or health data is necessary to protect life.

We do not sell, rent, or trade your personal information. We may share data with third parties only in the limited circumstances described below. All third-party processors are bound by Data Processing Agreements aligned with GDPR Article 28.

4.1 Service Providers (Data Processors)

• KYC/AML Verification: Sumsub, Jumio — identity verification and compliance screening
• Blockchain Analytics: Chainalysis, Elliptic — transaction risk scoring and sanctions screening
• Cloud Infrastructure: AWS, Google Cloud — hosting, storage, and global infrastructure
• Payment Processing: Stripe, Fireblocks — fiat payments and institutional custody
• Customer Support: Zendesk — support ticket management
• Communications: SendGrid, Twilio — transactional emails and SMS alerts
• Security: Cloudflare — DDoS protection, WAF, and CDN services

4.2 Legal Disclosures

We may disclose personal data to law enforcement agencies, regulators, or courts when required by law, a valid legal process (subpoena, court order), or to protect against fraud and illegal activity. We will notify affected users of such disclosures where legally permitted to do so.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will provide notice and, where required, obtain consent prior to any such transfer.

We use cookies and similar technologies (local storage, session tokens, pixel tags) to operate, secure, and improve our platform. You can manage your cookie preferences at any time through our Cookie Settings centre.

We do not use advertising or tracking cookies. We use a self-hosted, privacy-preserving analytics solution (Plausible Analytics) which does not use cookies, does not track users across sites, and does not collect personal data.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Upon account deletion, we will anonymise or delete your personal data within 30 days, except where retention is required by applicable law. KYC and financial records are retained as mandated by AML/CFT regulations regardless of account status.

Depending on your location, you have a range of rights regarding your personal data. We are committed to honouring these rights promptly, free of charge, and within statutory timeframes (typically 30 days).

To exercise any of these rights, submit a request through your Account Dashboard under Privacy Settings, or contact our DPO at privacy@cryptochain.io. We will verify your identity before processing requests. You may also lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, CNIL in France).

Security is foundational to CryptoChain. We implement a comprehensive, multi-layered security framework to protect your personal and financial data against unauthorised access, disclosure, alteration, or destruction.

Technical Safeguards

• Encryption at Rest: All personal data is encrypted using AES-256 at rest. Database-level encryption with Hardware Security Module (HSM)-protected keys.
• Encryption in Transit: TLS 1.3 enforced for all connections. HSTS headers with 1-year max-age. Certificate Transparency monitoring.
• Access Control: Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication mandatory for all internal staff. Zero-trust network architecture.
• Key Management: Cryptographic keys managed via AWS KMS and Thales HSM. Automated key rotation on a 90-day cycle. MPC key custody for user assets.
• Monitoring: 24/7 Security Operations Centre (SOC). Real-time anomaly detection via SIEM. DDoS mitigation via Cloudflare Enterprise.

Organisational Safeguards

• ISO 27001 certification (in progress) and SOC 2 Type II compliance
• Annual third-party penetration testing by CREST-certified firms
• Employee security awareness training and background checks
• Incident response plan with 72-hour regulatory breach notification procedures
• Active $5M bug bounty programme via HackerOne

CryptoChain Foundation is headquartered in the Cayman Islands with operational entities in Singapore, the United Kingdom, and the European Union. Your data may be transferred to and processed in countries outside your home jurisdiction.

We ensure that international transfers comply with applicable data protection laws through the following safeguards:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs incorporated into all agreements with processors in third countries.
• UK IDTA: International Data Transfer Addendum for transfers from the UK to non-adequate countries.
• Adequacy Decisions: Where the EU/UK Commission has issued an adequacy decision for the destination country (e.g., Canada, Japan, New Zealand), we rely on this as the transfer mechanism.
• Binding Corporate Rules: Our intra-group transfers across CryptoChain entities are governed by approved Binding Corporate Rules (BCRs).

You may request a copy of our transfer impact assessments and the specific safeguards applicable to your data by contacting our DPO.

CryptoChain is a financial services platform intended exclusively for adults. Our services are not directed to, and we do not knowingly collect personal data from, individuals under the age of 18 (or the applicable age of majority in your jurisdiction).

Our age verification processes, including KYC checks, are designed to identify and reject registrations from minors. We cooperate with parental requests to remove data collected from minors and take such reports seriously.

Our platform may contain links to third-party websites, decentralised applications (dApps), or services that operate independently of CryptoChain. This Privacy Policy does not apply to those third-party services.

• External dApps: When you interact with third-party dApps through CryptoChain's WalletConnect integration, those applications have their own privacy policies. Review them before connecting.
• Partner Exchanges: Liquidity aggregation partners (e.g., 1inch, Uniswap) operate their own data practices. Your on-chain interactions with their contracts are publicly visible.
• Social Login: If you use Google or Apple Sign-In, those providers' privacy policies apply to the authentication data they process. We receive only the minimum necessary data (email, unique ID).
• Bridge Protocols: Cross-chain bridging partners handle transactions through their own contracts. Review their documentation before initiating bridge transactions.

We encourage you to review the privacy policies of any third-party service you access through or in connection with CryptoChain. We are not responsible for the privacy practices or content of third-party services.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We are committed to transparent communication of any material changes.

How We Notify You

• Material Changes: In-app banner notification and email to your registered address at least 30 days before changes take effect.
• Minor Updates: Updated "Last Modified" date at the top of this page; no direct notification.
• Significant Changes Requiring Consent: Explicit re-consent prompt within the platform where required by applicable law.

Continued use of the CryptoChain platform following the effective date of any updates constitutes acceptance of the revised Privacy Policy. If you disagree with any changes, you may close your account and request data deletion before the effective date.

Version History

• v3.2 — June 15, 2025: Added FATF Travel Rule compliance section, updated third-party processor list, enhanced data retention table.
• v3.1 — March 1, 2025: Updated international transfer mechanisms post-SCCs revision. Added PIPL compliance (China).
• v3.0 — January 1, 2025: Major revision — GDPR Article 13/14 compliance, added Rights Grid, DPO contact details updated.
• v2.0 — June 1, 2024: Added KYC/AML provisions, Chainalysis integration disclosure.

For all privacy-related inquiries, data subject requests, or concerns about how we handle your personal data, please contact our dedicated Data Protection Officer. We aim to respond to all requests within 48 hours and resolve them within 30 days.

Data Controller

• Entity: CryptoChain Foundation Ltd.
• Registration: Cayman Islands (CR-2023-00847)
• Address: 94 Solaris Avenue, Camana Bay, Grand Cayman KY1-9003, Cayman Islands

EU Representative (GDPR Art. 27)

• Entity: CryptoChain EU GmbH, Frankfurt, Germany
• Email: eu-representative@cryptochain.io

Data Protection Officer

• Name: Dr. Elena Vasquez
• Email: privacy@cryptochain.io
• PGP Key: Available at cryptochain.io/pgp-dpo
• Response Time: 48 hours initial acknowledgement; 30 days full resolution

This Privacy Policy was last reviewed and approved by the CryptoChain Legal and Compliance team on June 15, 2025. It is governed by the laws of the Cayman Islands, without prejudice to mandatory provisions of applicable local data protection law.