Privacy Policy

I. Data controller

1. The operator of the Web 3.0 Foundation website available under https://web3.foundation (hereinafter referred to as the "Website") and offeror of blockchain-related services (such as currently e.g. the Polkadot Network, the Kusama Network and the Thousand Validators programm (hereinafter jointly and individually referred to as the "Services") and, thus, the Data Controller is the Web 3.0 Technologies Foundation, a company registered in the commercial register of the Canton of Zug, Switzerland (registration number CH-322.596.347), with the registered address Baarerstrasse 14, 6300 Zug, Switzerland (hereinafter referred to as "Controller", "we", "us").
2. We nurture and steward technologies and applications in the fields of decentralized web software protocols, particularly those, which utilize modern cryptographic methods to safeguard decentralization. Data protection is important to us and Controller adheres to the applicable data protection laws and regulations. This includes both the Swiss Federal Act on Data Protection ("FADP") and privacy requirements where applicable to individuals in the European Union and the member states of EFTA under the General Data Protection Regulation (hereinafter "GDPR") and/or other applicable national laws.
3. This Privacy Policy explains in particular how, for which purposes and to which extent your Personal Data is collected and processed by us through the Website or any type of Service we provide to you (whenever we are referring to you, hereinafter referred to as "User" or "you"). It also describes how your collected Personal Data can be verified, corrected or deleted. Our Services enable the collection of your Personal Data necessary for the establishment and maintenance of our blockchain-offerings.C
4. As outlined in Sections II and X.A below, if you engage with us and use any of our blockchain-offerings, we may collect, by itself or through third parties, your data including, but not limited to: name, e-mail address, usage data and any information captured automatically through cookies. Complete details on each type of Personal Data collected are provided in the dedicated sections of this Privacy Policy or by specific explanation displayed to you online prior to the data collection.
5. This Website contains links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or their processing of your personal information.
6. For questions or requests related to data processing by us (such as request for information, deletion, revocation of consent, objection to data processing), you may revert by mail to the address above or write us an e-mail at legal@web3.foundation

II. Types of Data collected

1. Controller respects the privacy of the User and will not collect and process any other data (such as name, address, phone number, e-mail address, IP address, device type etc.) unless they are

   • provided voluntarily by the User;
   • gathered as a result of specific verifications performed by third parties included in Section X.C below based on the Personal Data provided by the User;
   • automatically collected by cookies or other tracking technologies. For further information with regard to our use of cookies, please consult Section VII below.
2. For further information on additional data collected through any of our blockchain-offerings, please consult Section XI below.

III. Mode of Processing

A. Use of Personal Data

1. Data transmitted by the User to Controller may be used as follows:

   • to create a user account;
   • to respond to your inquiries and your correspondence;
   • for marketing analysis purposes, in particular to better understand the needs of Users and improve the Services of Controller, and to provide Users with relevant information relating to any of our networks operated;
   • to ensure our Website functions correctly, in particular to ensure that content from our Website is presented in the most effective manner for you and for your computer;
   • to maintain or improve our services offered through the Website.
2. Please consult Section XI below to get further information on additional use of your data collected on any of our network offerings.

B. Legal basis of processing

1. The Controller may process Personal Data of Users if one of the following applies:

   1. Users have given their consent for one or more specific purposes. Note: Under some legislations, the Controller may be allowed to process Personal Data until the User objects to such processing ("opt-out"), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law (GDPR);
   2. provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
   3. processing is necessary for the establishment, exercise or defence of legal claims or proceedings;
   4. processing is necessary for compliance with a legal and regulatory obligation to which the Controller is subject;
   5. processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Controller;
   6. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.
2. In any case, the Controller will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or a contractual requirement, or a requirement necessary to enter into a contract.
3. Within and to the extent under the scope of application of the GDPR, the data processing described in this clause III. is justified in order to provide our contractually agreed services to you pursuant to Art. 6 para. 1 sentence 1 letter b GDPR and to comply with legal obligations to which we are subject pursuant to Art. 6 para. 1 letter c GDPR.

C. Methods of processing, access to data and disclosure to third parties

1. The data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated.
2. Access to Personal Data is limited to those employees and/or third parties assigned with processing tasks who therefore need to know about this data. These employees and/or third parties are subject to confidentiality undertakings and/or data processing agreements and must comply with applicable data protection laws.
3. Controller does not sell, transfer or market your Personal Data to third parties (who may use them for their own purposes). However, we may disclose your Personal Data to trusted third parties and/or certain types of persons in charge, involved with the operation of this Website (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies, our auditors, third parties involved in hosting or organizing events or seminars) appointed, if necessary, as Data Processors by the Controller.
4. Please consult Section XI below for lists of all third party processors currently assigned with processing activities on our behalf on any of our networks operated.

5. Your Personal Data will not be disclosed to third parties for other purposes than the ones mentioned above or the following additional reasons:

   • you have given your express consent to it;
   • the disclosure is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data;
   • in the event that a legal obligation exists for the disclosure; or
   • this is legally permissible and necessary for the execution of our contractual relationship with you.

D. Place of processing and export of data

1. The data is processed at the Controller's operating offices and in any other places where the parties involved in the processing are located. Depending on the User's location, data transfers may involve transferring the User's data to a country other than their own.
2. Therefore, we reserve the right to transfer, store, use and process your data, including any personal information, to/by recipients in countries outside of the European Economic Area ("EEA") including the United States and possibly other countries. You should note that laws vary from jurisdiction to jurisdiction, and so laws and regulations relating to privacy and data disclosure, applicable to the places where your information is transferred to or stored, used or processed in, may not provide the same level of protection as in your place of residency. We take the legally required safeguards and contractual measures to ensure that any recipients of your Personal Data abroad undertake to comply with the level of data protection and security prescribed by your applicable local data protection legislation.

IV. Retention of data

1. The Controller will retain Personal Data for as long as it is required to deliver the Services described in Sections III.A above and X.B below, and/or, upon termination, as long as required by law or regulations (e.g. mandatory retention periods), whichever is longer.

   Therefore,

   1. Personal Data collected for purposes related to the performance of a contract between the Controller and the User shall be retained until such contract has been fully performed;
   2. Personal Data collected for the purposes of the Controller's legitimate interests shall be retained as long as needed to fulfil such purposes.
2. The Controller may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn.
3. Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

V. Security measures

1. We take adequate technical and organizational precautions and security measures to prevent accidental or intentional manipulation, unauthorized access, disclosure, unauthorized destruction, partial or complete loss, misuse or alteration of your Personal Data. Accordingly, we store all the personal information you provide on secure (password- and firewall-protected) servers. Our security measures are continuously improved in line with technical developments. You are responsible for keeping the account information for accessing any of our networks operated confidential.
2. The User is aware and acknowledges that no technical and organizational measures can fully eliminate security risks connected with transmission of information over the Internet. Once Controller has received the transmitted information, it shall adequately secure it in its systems.

VI. The rights of Users

1. Users may exercise certain rights regarding their Personal Data processed by the Controller.

   In particular, Users have the right to do the following:

   • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data. Please note that even after you have chosen to withdraw your consent, we may be able to continue to process your Personal Data to the extent required or permitted by law.
   • Object to processing of their data. Users have the right to object to the processing of their data if the processing is carried out on a legal basis other than consent (e.g. for a public interest, in the exercise of an official authority vested in the Controller or for the purpose of legitimate interests pursued by the Controller). Users may object to such processing by providing a ground related to their particular situation to justify the objection. In particular, under and to the extent of a scope of application of the GDPR, in those cases where we base processing on our legitimate interests, you have the right to object to the processing. Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification.
   • Access their data. Users have the right to learn if the Controller is processing data, obtain disclosure regrading certain aspects of the processing and obtain a copy of the data undergoing processing.
   • Verify and seek rectification. Users have the right to verify the accuracy of their data and ask for it to be updated or corrected. Please note that you must advise us of any changes to your personal information so that we can ensure that your personal information is accurate and up to date.
   • Restrict the processing of their data. Users have the right, under certain circumstances, to restrict the processing of their data if the accuracy of the data is disputed. In this case, the Controller will not process their data for any purpose other than storing it.
   • Restrict the use of Personal Data whilst complaints are resolved.
   • Have their Personal Data deleted or otherwise removed.
     Users have the right, under certain circumstances, to obtain the erasure of their data from the Controller, unless the processing is justified by our legitimate interests, necessary to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims. We will take reasonable steps to inform other controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.
   • Receive their data and have it transferred to another controller. Users have the right to receive their data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
   • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority (depending on your country of residence and the applicable data protection laws – note that in certain countries you may only notify a data protection authority which may then decide to initiate legal steps based on its own discretion).
2. Any requests to exercise User rights can be directed to the Controller through the contact details provided in this document.
3. Where possible, Controller will fulfil such a request of the User within the statutory applicable timeframe, unless a delay or a retention of the relevant data is permitted by law (e.g. a lack of convincing identity proof by an information requestor), is required for another valid purpose, for example to enable the fulfilment of contractual obligations, or is covered by a valid limitation or exemption under relevant privacy or data protection regulations.
4. Any requests will be free of charge, provided we do not incur unexpected and inadequate costs for providing you with details of your Personal Data.

VII. Cookies

1. When the User visits the Website, information can be automatically stored on his or her computer. This is done in the form of so-called "cookies" or a similar file, which help Controller in various ways, for example, to get to know the preferences of visitors and Users of the Website and to improve the Website. Both permanent cookies and functional, temporary session cookies may be used: permanent cookies remain on your computer after you close your session and until you delete them, while session cookies expire when you close your browser.
2. Any use of Cookies – or of other tracking tools – by this Website or by the Controller of third-party services used by this Website serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Notice, if available. Please consult Section XI below to get information on any Cookie Notices available on any of our networks operated.
3. You may refuse the use of any cookies by selecting the appropriate settings on your browser. Most browsers allow you to delete cookies, prevent their installation or generate a warning before a cookie is installed. The User can obtain further information on this subject from the relevant browser instructions. Note, however, that this may affect your experience of our Website. To find out more about cookies, including how to manage, reject and delete cookies, visit www.allaboutcookies.org.
4. Controller will use automatically stored information exclusively for statistical analysis and in particular will not associate any Personal Data with the User unless necessary. This Notice does not limit our use or disclosure to third parties of Non-Personal Information, and we reserve the right to use and disclose such Non-Personal Information to our partners, advertisers, and other third parties at our discretion.
5. Within and to the extent under the scope of application of the GDPR, the data processed by cookies for the aforementioned purposes is justified in order to protect our legitimate interest and those of third parties pursuant to Art. 6 para. 1 sentence 1 letter f GDPR.
6. Simple Analytics. Even if we don't need to disclose it, since we aim to be as much transparent as possible with our users, we inform you that to get information about the behaviour of our user, we use Simple Analytics (https://simpleanalytics.com/). This analytics software gives us insight about our user only in general, but not about individuals, as it does not track visitors and does not store any personal identifiable information. If you would like to, please go to their website to find out what Simple Analytics collects (and most importantly what they don’t).

VIII. Changes to This Privacy Policy

1. We reserve the right to make changes to this Privacy Policy at any time by giving notice to Users on this page and possibly within the Website and/or – as far as technically and legally feasible – sending a notice to Users via any contact information available to the Controller. Significant changes will go into effect 30 days following such notification. Non-material changes or clarifications will take effect immediately. It is strongly recommended to review the Website and the Privacy Notice periodically for updates.
2. Should the changes affect processing activities performed on the basis of the User's consent, Controller shall collect consent from the User, where required.

IX. Access to the Privacy Policy

1. The User can access, download, save or print this Privacy Policy in its' current/updated version at any time under the following address https://web3.foundation/privacy-and-cookies/.

IX. Definitions and legal references

1. Personal Data

   Any information that directly, indirectly, or in connection with other information – including a personal identification number – allows for the identification or identifiability of a natural person.

2. Usage Data

   Information collected automatically through this Website (or third-party services employed in this Website), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Website, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Website) and the details about the path followed within the Website with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

3. User

   The individual using this Website who, unless otherwise specified, coincides with the Data Subject.

4. Data Subject

   The natural person to whom the Personal Data refers.

5. Data Processor

   The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this Privacy Policy.

6. Data Controller

   The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Website. The Data Controller, unless otherwise specified, is the owner of this Website.

7. Website

   The Website of Controller available under https://web3.foundation.

8. Service

   The Services (and blockchain offerings) provided by Controller.

9. European Union (or EU)

   Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

10. Cookies

    Small sets of data stored in the User's device.

11. Legal information

    This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

    This Privacy Policy relates solely to this Website, if not stated otherwise within this document.

12. Effective date

    This Privacy Notice was created on and has been in effect since the 19.June 2020. We reserve the right, at our complete discretion, to change, modify, add, or remove portions of this Privacy Policy at any time. You should check back periodically at this page to read the most recent version of this Privacy Policy as your continued use of this Website following the posting of changes to these terms will mean you acknowledge these changes.

X. Special provisions

A. Web 3.0 Foundation Website

1. Current Third Party Processors

   1. The following third party processors are currently assigned with processing activities on our behalf:
   2. Parity Technologies Deutschland GmbH

   3. Gleam

      • Website: http://gleam.io
      • Privacy policy: https://gleam.io/privacy
      • Privacy email: privacy@gleam.io
        Information is disclosed to Parity Technologies GmbH for the purposes of assisting and/or following up with you, and coordinating that assistance/follow-up where you have shown interest in the Polkadot network or any of our networks operated.
   4. The updated list of these parties may be requested from the Controller at any time.
   5. Cookies on the Web 3.0 Foundation Website: The Web 3.0 Website uses cookies to help us provide you with a good experience when you browse this Website and allow us to improve our Website. For a detailed list of the cookies in use, please visit our Cookie Notice here https://web3.foundation/privacy-and-cookies/.

B. Polkadot Network

1. The following third party processors are currently assigned with processing activities on our behalf:

   • Parity Technologies Ltd. UK

   Information is disclosed to Parity Technologies Ltd. UK for the purposes of assisting and/or following up with you, and coordinating that assistance/follow-up where you have shown interest in the Polkadot network. In particular, Parity Technologies is assigned with forwarding technical updates to the Polkadot network to users.

2. Cookies on the on the (Sub-)Website www.polkadot.network: The Polkadot Network Website uses cookies to help us provide you with a good experience when you browse this Website and allow us to improve our Website. For a detailed list of the cookies in use, please visit our Cookie Notice here https://polkadot.network/privacy/.

C. Kusama Network

1. Cookies on the on the Website www.kusama.network: The Kusama Network Website uses cookies to help us provide you with a good experience when you browse this Website and allow us to improve our Website. For a detailed list of the cookies in use, please visit our Cookie Notice here https://kusama.network.
2. System logs and maintenance: For operation and maintenance purposes, the Website www.kusama.network and any third-party services may collect files that record interaction with this Website (System logs) use other Personal Data (such as the IP Address) for this purpose.

3. How "Do Not Track" requests are handled: The Website www.kusama.network does not support “Do Not Track” requests.

   To determine whether any of the third-party service providers it uses honor the “Do Not Track” requests, please read their respective privacy policies.

D. Thousand Validators Programme

1. Additional data collected in the Thousand Validators Programme: In addition to the types of data collected as set out in Section II above, the Thousand Validators Programme under the Website collects the following information:

   • information gathered as a result of the Thousand Validators Programme (such as sentry node network ID, node name on telemetry, emergency phone number, e-mail, stash account and/or riot handle(s)).

2. Additional use of Data collected on the Thousand Validators: In addition to the use of collected data as set out in Section III.A above, Controller may use Personal Data collected as follows:

   • to provide mining rewards to minders through the Thousand Validators Programme such as nominations and their implementation in rankings (and the adjustment of rankings in accordance with our rules and requirements).

3. Current Third Party Processors: The following third party processors are currently assigned with processing activities on our behalf:

   • Parity Technologies

   Notes/Explanation: Parity Technologies, a company based in UK, is Controller's service provider that builds software. Parity Technologies will have administrative access to the Thousand Validators Programme and all data provided by the User. Parity Technologies will only access such data for the purpose of and to the extent required to resolve technical issues with the Polkadot Network and users thereof participating in the Thousand Validators Programme. Parity Technologies will not retain any further data.

   All privacy and data protection requests in relation to Parity Technologies should be directed to: legal@parity.io.

   • Google

   Notes/Explanation: Google provides web, analytics and productivity services. Services used include Google Analytics and personal data that it will receive and process includes IP address. Their privacy policy can be found here.

   1. The updated list of these parties may be requested from the Controller at any time.
   2. Cookies on the Thousand Validators Programme: The website giving access to the Kusama Thousand Validators Programme https://docs.google.com/forms/d/e/1FAIpQLSewhltQOcmkIlE7Wftn0NTVuyEs6Wk8Qpx6ssCAo2BO4oQH0w/viewform and the Polkadot Thousand Validators Programme https://docs.google.com/forms/d/e/1FAIpQLSdS-alI-J2wgIRCQVjQC7ZbFiTnf36hYBdmO-1ARMjKbC7H9w/viewform use cookies to help us provide you with a good experience when you browse these Websites and allow us to improve our Websites.

   3. Web analysis services: For the evaluation of the use of the Thousand Validators Programme Controller uses the following web analysis services of third parties listed below, to whom data may also be disclosed to the extent required for the use of these services. Secondly, Controller may use the following special plugins and link icons from different providers on the website as listed below.

      We also use the web-analysing tool Google Analytics by Google (Google Inc., USA) on our Website to compile anonymous user statistics. Google Analytics uses cookies. To ensure the protection of your personal data, we use a function which processes your IP address in truncated form only in order to prevent a direct personal reference (IP-Anonymization). Your personal data collected by us may be transferred to a server of Google in the United States. Google is certified under Swiss-US and EU-US Privacy Shield, which secures that an adequate data protection level is maintained when processing your personal data. If you have any concerns in connection with the use of Google Analytics, you may block Google Analytics by installing e.g. a plug-in in your browser. A plug-in for the most common browsers can be downloaded here: http://tools.google.com/dlpage/ga-optout?hl=de. You can at any time either download and install a Google browser plug-in. In this case, an opt-out cookie is set. Both options only prevent the use of web analysis as long as you use the browser in which you installed the plugin and do not delete the opt-out cookie. Further information on Google Analytics can be found in the terms of use of Google Analytics, the data protection guidelines of Google Analytics and the data protection regulations of Google: https://policies.google.com/privacy.

      We also use social plugins of the LinkedIn network. The provider is called LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. For every access to our website that contains social plugins, a connection to LinkedIn servers is established. Linkedin is informed that you have visited our website with your IP address. If you click on the "Recommend" button from LinkedIn and are logged into your LinkedIn account, LinkedIn can link your visit to our website with you and your user account. We would like to point out that we, as the operator of this Website, have no detailed knowledge of the content of the data transmitted to LinkedIn and its internal processing. LinkedIn is responsible to you for processing your personal data as a "controller". Further information on the processing of your data by LinkedIn can be found in LinkedIn's data protection regulations at: https://www.linkedin.com/legal/privacy-policy.

      Instead of registering directly through the website https://docs.google.com/forms/d/e/1FAIpQLSewhltQOcmkIlE7Wftn0NTVuyEs6Wk8Qpx6ssCAo2BO4oQH0w/viewform you can also register with GitHub. This service is provided by GitHub, Inc, 88 Colin P Kelly Jr St, San Francisco, CA 94107. If you choose to register with GitHub, you will be automatically redirected to the GitHub platform. There you can log in with your usage data. This will link your GitHub profile to our Website and/or the Thousand Validators Programme. This link gives us access to your data stored at GitHub. These usually are GitHub Name, GitHub profile picture, Email address stored at GitHub, GitHub ID, birthday, gender and/or country of residence. This data is only used to set up, provide and personalize your account. For more information, see the GitHub Terms of Service and the GitHub Privacy Policy. You can find this at: https://help.github.com/en/github/site-policy/github-terms-of-service and https://help.github.com/en/github/site-policy/github-privacy-statement.

   4. Within and to the extent under the scope of application of the GDPR, the data processed by web analysis services for the aforementioned purposes is justified in order to protect our legitimate interests and those of third parties pursuant to Art. 6 para. 1 sentence 1 letter of GDPR.

E. Gleam.io Polkadot Decoded

1. Additional data collected

   In addition to the types of data collected as set out in Section II above, under the Website (http://gleam.io) we collect any of the following information:

   1. Full Name
   2. Email Address
   3. Country of Residence
   4. Login Location
   5. Date of Login
   6. Twitter username
   7. Discord username
   8. Reddit username
   9. YouTube username