The IOTA Foundation (“IOTA”, “we”, “us” or “our”) is a non-profit foundation having its registered seat in Berlin, Germany.
IOTA promotes science and research in the field of information technology as well as public and professional education, in particular in relation to digitization and the application of modern software. IOTA procures and transfers funds, including cryptocurrencies, to accomplish these purposes. We are focused on the development of so-called “open source” software in the field of distributed ledger technology, in particular in connection with the IOTA Tangle and its associated technologies and uses.
This Policy is meant to inform you about which Personal Data we collect, store, process, use and/or disclose, for which purposes, and on which legal basis. We further inform you about your rights to protect your Personal Data.
This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Policy. Your continued use of our Services or website constitutes your agreement to be bound by this Policy, as amended or updated from time to time.
Please note that IOTA Foundation collects your Personal Data directly from the country where you are based and may store it on servers outside the EU/EEA in the USA, Taiwan and Singapore, where the standards of data protection may be lower than in the EU/EEA.
Which Personal Data we process
The categories of Personal Data about you that we may process depend upon the nature of your business relationship with us and may include:
- Personal details: name, gender, date of birth / age, nationality, passport or national ID number, social security number, tax identification number;
- Contact details: address, e-mail address, telephone number, social media account details;
- Financial details: bank information for payments, credit card information for payments, cryptocurrency wallet details for payments, utility bill, credit report, other financial details;
- Corporate details: name, place of registration, registration number, transparency register number, details with respect to articles of association and other similar documents / certificates, details with respect to shareholders and/or beneficial owners (including their personal and contact details);
- Technical information of your devices (e.g. IP address) which you use for orders, communications, or transactions (cell phone, tablet, notebook, personal computer, etc.); and
- Details concerning your transfers of cryptocurrency tokens, including IOTA tokens, insofar as these are publicly viewable on the cryptocurrency platform concerned.
How we collect your Personal Data
We may collect Personal Data about you from the following sources:
- When you contact us via e-mail, telephone or by any other means;
- In the ordinary course of our relationship with you (e.g., Personal Data we obtain in the course of our business communication, negotiation proceedings etc.);
- Where you have manifestly chosen to make such Personal Data public, including via social media profiles;
- When we receive your Personal Data from third parties who legally provide it to us, such as credit reference agencies or law enforcement agencies;
- When you visit any of our websites or use any features or resources available on or through our websites. When you visit our website, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting to a website and other technical communications information), some of which may constitute Personal Data;
- When you submit your resume/CV to us for a job application;
- When you subscribe to our newsletters, circulars, social media, or other information services.
Creation of Personal Data
In the course of your interaction with the IOTA Foundation, we may also create Personal Data about you, such as records of your interactions with us and details of your transaction history.
For which purposes we use your Personal Data
We use your Personal Data to provide, maintain and improve our Services, in particular, but not exclusively with regard to our further development and improvement of the IOTA Tangle protocol and its associated technologies. We may also use your Personal Data to communicate with you about upcoming events, inform you about news, developments, and research related to IOTA, respond to inquiries you have made, evaluate job applications, contracting quotes, partnership proposals, or funding requests you have submitted (including requests made to the Ecosystem Development Fund), or to carry out other ordinary business activities in accordance with our non-profit foundation charter.
Lawful basis for Processing Personal Data
In Processing your Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances:
- we have obtained your explicit prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
- the Processing is necessary in connection with any contractual relationship that you may enter into with us;
- the Processing is required by applicable law;
- the Processing is necessary to protect the vital interests of any individual; or
- we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.
Where we involve third-party Processors in the performance of our services and contractual obligations, and such involvement requires the sharing of Personal Data, we have entered into data processing agreements with those Processors according to Art. 28 of the European General Data Protection Regulation (“GDPR”) and, as far as required, further appropriate safeguards according to Art. 46 – 49 GDPR. The list of third-party Processors to which we disclose your Personal Data can be requested by e-mail to [email protected]
Processing your Sensitive Personal Data
We do not seek to collect or otherwise Process your Sensitive Personal Data, except where:
- the Processing is required or permitted by applicable law;
- the Processing is necessary for the establishment, exercise or defence of legal rights; or
- we have, in accordance with applicable law, obtained your explicit consent prior to Processing your Sensitive Personal Data (as above, this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Consequences if we may not collect your Personal Data
We need your Personal Data to provide our Services to you and/or perform our contractual obligations towards you. Without providing such Personal Data, we may not be able to provide you the services you are intending to receive.
Consent and withdrawal
Any consent is provided freely. If you give your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal. After your withdrawal we will stop Processing your Personal Data, including storage. This paragraph is only relevant for Processing that is entirely voluntary – it does not apply to Processing that is necessary or obligatory in any way.
To withdraw your consent, please send us an e-mail to [email protected] or a letter to:
IOTA Foundation, c/o Nextland, Strassburgerstrasse 55, 10405 Berlin, Germany
We erase your Personal Data automatically when they are no longer required for the purposes listed above. We also erase your Personal Data according to your request and if further storage is neither required nor permitted by applicable laws.
Your rights related to data privacy
You have the right to request access to and rectification or erasure of your Personal Data, or restriction of their Processing. Furthermore, you have the right to object to Processing as well as to request data portability. If you are in the EU, you have the right to file a complaint to the Berlin Data Protection Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
You have the right to obtain from us the information as to whether or not personal data concerning you are being processed, the purpose of the processing and the categories of personal data concerned.
A copy of the personal data undergoing processing can be requested.
Our contact information, Data Controller
If you have a direct business relationship with us, we are Data Controller according to Art. 4 para. 7 GDPR. For any requests you can contact us as follows:
IOTA Foundation, c/o Nextland, Strassburgerstrasse 55, 10405 Berlin, Germany
‘Controller’ means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
‘EEA’ means the European Economic Area.
‘Personal Data’ means information that is about any individual, or from which any individual is identifiable. Examples of Personal Data that we may Process are provided above in this Policy.
‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
‘Sensitive Personal Data’ means Personal Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation, or any other information that may be deemed to be sensitive under applicable law.