The IOTA Foundation (“IOTA”, “we”, “us” or “our”) is a non-profit foundation having its registered seat in Berlin, Germany.
The data controller is:
This Policy is meant to inform you which Personal Data we collect, store, process, use and/or disclose, for which purposes, and on which legal basis. We further inform you about your rights to protect your Personal Data. This policy covers the use of all services provided by IOTA (“Services”), including access to the content in all websites currently operated by IOTA, such as iota.org, shimmer.network, blog.iota.org, fund.iota.org, and roadmap.iota.org (“Websites”).
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Policy. Your continued use of our Services or website constitutes your agreement to be bound by this Policy, as amended or updated from time to time.
1. Which Personal Data we process
The categories of Personal Data about you that we may process depend upon the nature of your business relationship with us and may include:
Personal details, like name, gender, date of birth/age, nationality, passport or national ID number, social security number, tax identification number;
Contact details, like address, e-mail address, telephone number, social media account details;
Corporate details: name, place of registration, registration number, transparency register number, details with respect to articles of association and other similar documents/certificates, details with respect to shareholders and/or beneficial owners (including their personal and contact details);
Technical information of your devices (e.g. IP address) which you use forcommunications, or transactions (cell phone, tablet, notebook, personal computer, etc.; and
Details concerning your transfers of cryptocurrency tokens, including IOTA tokens, insofar as these are publicly viewable on the cryptocurrency platform concerned.
2. How we collect your Personal Data
We may collect Personal Data about you from the following sources:
When you contact us via e-mail, our contact form, telephone or by any other means;
In the ordinary course of our relationship with you (e.g., Personal Data we obtain in the course of our business communication, negotiation proceedings etc.);
Where you have manifestly chosen to make such Personal Data public, including via social media profiles;
When we receive your Personal Data from third parties who legally provide it to us, such as credit reference agencies or law enforcement agencies;
When you visit any of our websites or use any features or resources available on or through our websites. When you visit our website, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to a website and other technical communications information), some of which may constitute Personal Data;
When you submit your resume/CV to us for a job application;
When you subscribe to any of our social media accounts.
3. Creation of Personal Data
In the course of your interaction with the IOTA Foundation, we may also create Personal Data about you, such as records of your interactions with us and details of your transaction history.
4. For which purposes we use your Personal Data
We use your Personal Data to provide, maintain and improve our Services, in particular, but not exclusively with regard to our further development and improvement of the IOTA Tangle and Shimmer protocol and its associated technologies. We may also use your Personal Data to communicate with you about upcoming events, inform you about news, developments, and research related to IOTA, respond to inquiries you have made, evaluate job applications, contracting quotes, partnership proposals, or funding requests you have submitted (including requests made to the Ecosystem Development Fund), or to carry out other ordinary business activities in accordance with our non-profit foundation charter.
5. Lawful basis for Processing Personal Data
In Processing your Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:
we have obtained your explicit prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way), cf. Art. 6 (1) lit. a) GDPR;
the Processing is necessary in connection with any contractual relationship that you may enter into with us, cf. Art. 6 (1) lit. b) GDPR;
the Processing is required by applicable law, cf. Art. 6 (1) lit. c) GDPR;
the Processing is necessary to protect the vital interests of any individual, cf. Art. 6 (1) lit. d) GDPR; or
we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms, cf. Art. 6 (1) lit. f) GDPR.
When we are involving third party Processors into the performance of our services and contractual obligations and such involvement requires the sharing of Personal Data, we have entered with our third party Processors into data processing agreements according to Art. 28 of the European General Data Protection Regulation (“GDPR”) and, as far as required, further appropriate safeguards according to Art. 46 – 49 GDPR. The list of third party Processors to which we disclose your Personal Data can be requested by e-mail to [email protected].
6. Processing of special categories of personal data
We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:
the Processing is required or permitted by applicable law;
the Processing is necessary for the establishment, exercise or defence of legal rights; or
we have, in accordance with applicable law, obtained your explicit consent prior toProcessing your Sensitive Personal Data (as above, this legal basis is only used inrelation to Processing that is entirely voluntary – it is not used for Processing that isnecessary or obligatory in any way).
7. Consequences if we may not collect your Personal Data
We need your Personal Data to provide our Services to you and/or perform our contractual obligations towards you. Without providing such Personal Data, we may not be able to provide you the services you are intending to receive.
8. Consent and withdrawal
Any consent is provided freely. If you give your consent, you have the right to withdraw your consent at any time by contacting us under the address provided below. The withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal. After your withdrawal we will stop processing your Personal Data, including storage. This paragraph is only relevant for Processing that is entirely voluntary – it does not apply for Processing that is necessary or obligatory in any way.
9. When we erase your Personal Data
We erase your Personal Data when it is no longer required for the purposes listed above and if further storage is neither required nor permitted by applicable laws. We also erase your Personal Data according to your request, provided that further storage is not required by applicable laws.
11. Use of third party tools
To improve our websites and evaluate user behaviour, we have integrated different tools from other companies into our websites. Furthermore in certain cases we have implemented content from other websites.
12. Your rights related to data privacy
You have several rights in relation to your personal data, the most important of which are:
a) Right of access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed. You also have the right to obtain comprehensive insight into this data, including a right to know the purposes of the processing or the period for which the data shall be stored. The derogations of this right laid down in Sect. 34 BDSG are applicable.
b) Right to rectification (Art. 16 GDPR)
You have the right to have inaccurate personal data concerning you rectified without delay.
c) Right to erasure (Art. 17 GDPR)
You have the right to have your personal data erased without delay. The derogations laid down in Sect. 35 BDSG are applicable.
d) Right to restriction of processing (Art. 18 GDPR)
You have the right to obtain a restriction of the processing of your personal data. This includes the right to prevent for the time being any further processing of personal data, in case you have exercised your right to rectification, for the period enabling us to verify the accuracy of the data.
e) Right to data portability (Art. 20 GDPR)
You have the right to receive from us your personal data in a commonly used, machine-readable format in order to have them, if necessary, transferred to another controller. In accordance with Art. 20 para. 3 sentence 2 of the GDPR, this right is not available if the data processing serves the purpose of performing public tasks.
f) Right to object (Art. 21 GDPR)
You have the right to object, in a particular situation, to the further processing of your personal data. In this case, we will not process your data any further, unless this processing is justified by the performance of public tasks or of public and private interests.
Additionally you have the right to file a complaint with the competent authorities, in this case the Berlin Data Protection Authority (“Berliner Beauftragte für Datenschutz und Informationsfreiheit”).
13. Our contact information, Data Controller