Pass App Privacy Policy

• Introduction
• Changes and updates
• Representative and Joint-controllership
• How do we process your personal data
  1. Personal data you give to us
  1. Website
  2. App
• When and how we share your data
• Where do we store your data
• How long do we store your data
• The security of your personal data
• Your rights
• Disclaimer
• Contact

Introduction

In Onchain Foundation (“Onchain”, “Foundation”, “we”, “our”, “us”) we are committed to protecting and respecting your privacy. We are a foundation established in Switzerland with a registered office at Gotthardstrasse 26, 6300 Zug, and for the purpose of the EU General Data Protection Regulation (the “GDPR”), if not specified otherwise in this privacy policy, we are the data controller.

As part of our mission to protect your personal information, we have engaged Lightcurve GmbH (“Lightcurve”) as a service provider which will be responsible for the handling and processing of data on our behalf and as directed by us. Thus, for the purpose of the GDPR, Lightcurve will act as a data processor, if not specified otherwise in this privacy policy. We will process your personal data in accordance with the Swiss Federal Data Protection Act (the “FDAP”). The GDPR would apply to processing of your personal data as well if you are residing in the EU and such processing is done in connection with us offering you goods or services, irrespective of whether a payment of the data subject is required, or if your behavior is anyhow monitored. The GDPR would also apply, if any of the third-party service providers we use for processing of your personal data is based in the EU (e.g., Lightcurve GmbH).

This privacy policy (“Policy”) sets out the basis on which we will process any personal data or usage information we collect from you, or that you provide to us, in connection with your use of our website under the domain www.pass.app (the “Website”); your use of the Pass App (the “App”). Please read this Policy carefully so that you understand your rights in relation to your personal data, and how we will collect, use and process it. If you do not agree with this Privacy Policy in general or any part of it, you should not access the Website or the App.

Changes and updates

This version of the Privacy Policy is effective as of June 3, 2024, and applies to any new user of Website or App.

Representative and Joint-controllership

Lightcurve GmbH, postal address: Köpenicker Strasse 126, 10179 Berlin, Germany; email: legal@lightcurve.io, (“Lightcurve”) is our representative in the European Economic Area (the “EEA”) for the purpose of communications and all issues related to data processing under the GDPR. In regards to some of the processing activities, Onchain and Lightcurve act as joint-controllers since they jointly determine the purposes and means of processing of your personal data. Regarding any issues related to such processing of your personal data or the execution of your rights (see section Your rights), feel free to contact either Onchain or Lightcurve (“Joint-controllership”). Appropriate information is provided in the description of the processing activities in this Policy whenever Joint-controllership occurs.

Lightcurve may also act as a sole data controller for particular processing activities. Each situation of that kind is always clearly specified in this Policy. Should that be the case, your personal data would be processed in accordance with this Policy and you will have the same rights and obligations as stated in this Policy. For further information about the processing of personal data by Lightcurve, please visit Lightcurve’s Privacy Policy.

Therefore, regarding any issues related to the processing of your personal data by Onchain or jointly by Onchain and Lightcurve, issues related to this Policy or execution of your rights (see: Your rights), feel free to contact either Onchain (legal@onchain.foundation) or Lightcurve (legal@lightcurve.io).

How do we process your personal data

Personal data you give to us

Website

Our Website collects certain information automatically and stores it in log files. The information may include IP addresses, the region or general location where your computer or device is accessing the internet, preferred language used to display the website, device screen resolution, device type, browser type and operating system, mouse events (movements, locations and clicks), referring URL and domain, keypresses, date and time when the page was accessed, pages visited, and model of your CPU and GPU.

In general, the above mentioned information is necessary to enter any website on the Internet with Hypertext Transfer Protocol (http); the applicable legal basis is the performance of the contract under GDPR Art.6.1(b) (terms and conditions of using the website).

We also use this information to help us design our Website to improve the user experience; the applicable legal basis for this is our legitimate interests under GDPR Art.6.1(f). For this purpose, we may also use tools provided by third parties, in particular analytical tools serving improvement of user experience.

As for the log files - we keep the haproxy logs for 52 days and cloudfront logs for a year. The Website contains links to other websites. This Privacy Policy applies only to our Website, so if you click on a link to another website, you should read its privacy policy.

Cookies

When entering for the first time any of the websites we host you will be provided with a cookie notice. It will explain what type of cookies we use and will allow you to grant us consent on using them. Cookies are text files placed on your device to collect standard Internet log information and visitor behavior information.

More information about the cookies we use and how we process information collected with their use may be found in our Cookie Policy.

We use Google Analytics as a third party analytics service, and to track our advertising campaigns on third party websites and services. We use Google Analytics to collect information about how our Website performs and how our users, in general, navigate through it. This helps us evaluate our users' use of the Website; compile statistical reports on activity; and improve our content and Website performance; the applicable legal basis is your consent under GDPR Art.6.1(a). Google provides further information about its own privacy practices and offers a browser add-on to opt out of Google Analytics tracking.

Your personal data will be processed also by our main contractor Lightcurve. Onchain and Lightcurve act as Joint-controllers in regards to this processing activity, since Lightcurve helps us to manage the Website.

Additional data

We also collect other types of personal data to provide and improve our services. This includes:

• Email addresses: we collect your email address when you sign up for our services.
• Survey responses: we collect the answers you provide when you participate in our prospective surveys. This information helps us understand your preferences and make our services better.

App

When accessing our App, we collect personal data to provide and improve our services. This includes:

• Email addresses: we collect your email addresses when you sign up for our services.
• Survey responses: we collect the answers you provide when you participate in our prospective surveys.
• Device information: including the type of device, the operating system, and unique device identifiers.
• Usage Data: such as the date and time you access the app, the duration of use, the pages or screens you visit, and your interaction patterns.
• Location data: derived from GPS data or your IP address, used to provide location-based services.
• Technical data: including network information, performance metrics, and log files.
• User Preference and Settings: such as language preferences, notification settings, and other customized settings within the app.

When and how we share your data

Depending on the processing activity, we may share your personal data with our third-party service providers working on our behalf. Every third party with which we will share your personal data comes from a jurisdiction which guarantees an adequate level of protection to the one provided for in the GDPR.

Your personal data will be shared with our main partner and representative in the EEA - Lightcurve. Depending on the processing activity, Lightcurve may act either as a sole controller of your data, as a joint controller with Onchain or as a processor. Specific information about Lightcurve’s role in regards to your personal data is stated in respective sections of this Privacy Policy which refer to particular processing activity.

Other third-party service providers we use include cloud storage providers, web hosting providers, email notification providers, webpage analytics providers, CRM software providers, internal content management systems (CMS), and internal collaboration tools.

Should you wish to know more about the third party service providers with whom we share your personal data as well as to know the actual categories of the personal data, feel free to reach out to us at legal@onchain.foundation.

Where do we store your data

The information that we collect from you will be transferred to, and stored at/processed within the European Economic Area (EEA), Switzerland, the United Kingdom, the United States and in other countries where our third party service providers are located. We take all steps reasonably necessary to ensure that your personal data is treated securely, with a level of protection adequate to GDPR and in accordance with this policy.

• Switzerland was found to have an adequate level of protection for personal data under European Commission Decision 2000/518/EC of 26 July 2000.
• The United Kingdom was found to have an adequate level of protection of personal data under Commission Implementing Decision of 28th June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom.

CAUTION! Taking into account the Court of Justice of the European Union’s decision in “Schrems II” C-311/18 in which the CJEU declared the EU-US Privacy Shield invalid, we undertake to ascertain the adequate level of protection of your personal data by entering into Model Clauses with our third-party service providers located in the US.

If we are transferring data to a third party located outside of the EEA who is not in a White Listed Country, we will enter into the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses pursuant to Decision 2010/87/EU - SCCs) with the relevant data importer.

How long do we store your data

We aim to always store your personal data for the minimal period of time thus for the time we actually need it. We may, however, keep your personal data for a longer period of time only to meet legal requirements imposed on us by applicable laws and regulations.

We regularly review our information and erase or anonymise personal data when we no longer need it.

The security of your personal data

Unfortunately, the transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through the Website or over email; any transmission is at your own risk.

Once we have received your information, we will take appropriate technical and organizational measures to safeguard your personal data against loss, theft, and unauthorized use, access, or modification.

We will, from time to time, host links to and from the websites of our affiliates or third parties. If you follow a link to any of these websites, these websites will have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to those websites.

Your rights

In certain circumstances, you have rights in relation to the personal data we hold about you. We set out an outline of those rights and how to exercise them below. Please note that we will require you to verify your identity before responding to any requests to exercise your rights.

To exercise any of your rights, please send your request by email to: legal@onchain.foundation.

• Access: You have the right to know whether we process personal data about you, and if we do, to access data we hold about you and certain information about how we use it and who we share it with.
• Correction: You have the right to require us to correct any personal data held about you that is inaccurate and have incomplete data completed.
• Erasure: You may request that we erase the personal data we hold about you under certain circumstances.
• Restriction of Processing to Storage Only: You have a right to require us to stop processing the personal data we hold about you other than for storage purposes under certain circumstances.
• Objection: You have the right to object at any time to our prospective processing of data about you, and we will consider your request.
• Withdrawal of Consent: Where you have provided your consent to us processing your personal data, you can withdraw your consent at any time.
• Data Portability: You have the right to receive a copy of the data you provided to us and require us to transfer it to a third party, where applicable.
• Objection to Marketing: You have the right to object to our processing of data about you for marketing purposes.
• Complain to the Authority: You have the right to lodge a complaint with a competent supervisory authority.

CAUTION! We are not a data controller regarding any personal data stored on blockchains, and thus may not be able to satisfy your requests related to such data.

Disclaimer

This Privacy Policy contains links to other websites. Please note that by clicking on a link you will be redirected to another website or document. These websites can be beyond Onchain’s sphere of influence. Liability is excluded. The operators of the linked websites are solely responsible for their content. We refer you to their privacy policy.

Contact

In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance at legal@onchain.foundation and we will endeavor to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the data protection supervisory authority in the EEA country in which you live or work or where you think we have infringed data protection laws.