This document was last updated on February 5, 2024

Polkadot Vault

PRIVACY NOTICE

1. GENERAL INFORMATION

Novasama Technologies GmbH, Schönhauser Allee 163, 10435 Berlin, Germany (hereinafter "Novasama" or “we”) offers the mobile application Polkadot Vault (hereinafter: “Vault”), a non-custodial wallet software that allows the User to turn his/her mobile device, such as smartphone or tablet (hereinafter: “Storage Device”), into a cold storage hardware wallet by holding the User’s private cryptographic keys offline while keeping the Storage Device offline. The Vault can be downloaded from the Apple App Store and from the Google Play Store. The User can use the Vault to safekeep their Private Keys, manage their accounts and blockchain-based digital assets (hereinafter: “Digital Assets”), send and receive transactions of Digital Assets, and cryptographically sign blockchain transactions. The Vault contains certain features that, inter alia, allow the User to connect the Vault to third-party decentralized applications (hereinafter: “DApp”), protocols and services that Novasama does not operate itself (hereinafter: “Third-Party Services”). Novasama does not offer Third-Party Services in its own name. Further information about the functions offered in connection with the Vault can be found in Novasama’s General terms and conditions of business and use (hereafter “GTC”). We encourage you to read the GTC carefully as they affect your obligations and legal rights regarding the usage of the Vault.


In connection with the usage of the Vault, no personal data will be processed by Novasama since the Vault will be installed on Users’ Storage Device without Novasama having access to any personal data of the User when using the Vault. However, Novasama may process personal data of persons who visit Novasama’s website https://novasama.io/ (hereinafter each a “Website” and together “Websites”) and/or contact Novasama. Personal data is information that relates to an identified or identifiable natural person. An identifiable natural person is a person who can be identified directly or indirectly, e.g., by means of association with an online identifier (hereinafter: “Data Subject”).

Novasama takes the protection of personal data very seriously. We treat personal data confidentially, in accordance with this Privacy Notice and applicable data protection law, including, but not limited to the General Data Protection Regulation (hereinafter: “GDPR”) and the German Federal Data Protection Act (hereinafter: “FDPA”).

This Privacy Notice informs you about how we handle your personal data that is under our control.

Unless otherwise provided in this Privacy Notice, capitalised terms used herein have the meaning determined in the GTC.

2. CONTROLLER

Novasama acts as responsible party and, hence, as controller within the meaning of the GDPR with regard to the personal data processed in connection with the Websites or any contacting of Novasama. A controller is a natural or legal person who alone or jointly with others decides on the purposes and means of the processing of personal data.

If you have any questions regarding this Privacy Notice or the processing of your personal data, do not hesitate to contact us via the following contact details:

Name: Novasama Technologies GmbH
Address: Schönhauser Allee 163, 10435 Berlin, Germany
Email: admin@novasama.io

3. PURPOSES AND LEGAL BASES OF DATA PROCESSING BY NOVASAMA

a) General

The Vault was built with privacy in mind, and we expect you to use it in a privacy-friendly manner. We intend to provide you with all the necessary tools and opportunities to use the Vault while processing as little personal data as possible. In particular, no personal data will be processed by Novasama in connection with the usage of the Vault. Rather, all personal data provided by the User when using the Vault will be stored locally on the User’s Storage Device and kept offline therein. Should the Vault be used to sign a transaction or to interact with DApps, no personal data will be processed or accessed by Novasama. Any data processing in connection with the use of the Vault will, therefore, either be a data processing by a third party through interaction with Third-Party Services according to Section 4.a) of this Privacy Notice or a blockchain data processing according to Section 4.b) of this Privacy Notice, neither of which is controlled by Novasama. Other than described under Section 3. b) - d) below, we neither collect your personal data nor process or store it.

b) Visiting our Websites

When visiting our Websites certain personal data is automatically collected every time you call up the Websites and is automatically stored in so-called server log files. The personal data processed in this regard are browser type and version, operating system used, website from which the access is made (referrer URL), host name of the accessing computer, date and time of access as well as IP address of the requesting computer (hereafter referred to as “Access Personal Data”).


The processing of Access Personal Data is necessary for technical reasons to provide the Websites in a functional way and to ensure system security. This also applies to the storage of your IP address, which is necessary and, under further conditions, can at least theoretically enable an assignment to your person. In addition to the above-mentioned purposes, we use server log files exclusively for the needs-based design and optimisation of the Websites. We do not combine this data with other data sources, nor do we evaluate the data for marketing purposes.

The Access Personal Data is only stored for the period of time for which it is required to achieve the above-mentioned purposes. Your IP address is stored for a maximum of 7 days for IT security purposes.

The legal basis for the temporary storage and processing of Access Personal Data is Art. 6 (1) sentence 1 lit. b GDPR, which permits the processing of personal data for the fulfilment of a contract or for the implementation of pre-contractual measures. In addition, Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of technical Access Personal Data. Our legitimate interest here is to be able to provide you with the Websites in a technically functioning and user-friendly way and to ensure the security of our systems.

c) Contacting us

If you contact us, we may collect and process certain information related to your request, such as your name, email addresses and any other data requested by us or data that you choose to provide us with (hereafter together referred to as “Contact Data”).

Contact Data will be processed for the purpose of processing and answering your enquiry and in the event of follow-up questions.

If you contact us, our processing activities in this regard are based on our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR to provide appropriate response to customer/contact enquiries. In addition, if you contact us within the framework of an existing contractual relationship or in advance for information about our services, the Contact Data you provide to us will be processed for the purpose of processing and answering your contact enquiry in accordance with Art. 6 (1) sentence 1 lit. b GDPR as a legal basis.

The Contact Data will remain with us until the purpose for storing/processing no longer applies (i.e., after processing your enquiry has been completed). The Contact Data will, at the latest, be deleted after one (1) year from the last date when you contacted us regarding the same matter. Mandatory legal provisions – in particular retention periods – remain unaffected.

d) Other processing purposes

i) Compliance with legal requirements: We also process your personal data to comply with other legal obligations that may apply to us in connection with our business activities, including, but not limited to compliance with mandatory retention periods under commercial, trade or tax law or regulations and laws against money laundering. We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR as legal basis to fulfil a legal obligation to which we are subject.
ii) Legal enforcement: We also process your personal data in order to be able to assert our rights and enforce our legal claims, as well as to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offences. In this context, we process your personal data to protect our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR as legal basis, insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offences.
iii) Consent: Please note that we currently do not collect your personal data based on your consent. However, in case you give us consent to process your personal data for certain purposes (e.g., sending information material and offers), the lawfulness of this processing is based on your consent. Consent given can be withdrawn at any time. Please note that the withdrawal is only effective for the future and processing up to that point is not affected.

4. OTHER DATA PROCESSING NOT CONTROLLED BY NOVASAMA

a) Interaction with Third-Party Services

Using the Vault to cryptographically sign a transaction may require the User to interact with certain Third-Party Services. Any interaction with or enabling such connections may allow such Third-Party Services providers to collect, process, or share certain personal data about you. Please note that Novasama neither receives, processes or stores such personal data, nor does it control, operate, or manage those Third-Party Services providers. Therefore, Novasama is not responsible for the Third-Party Services providers’ data processing or privacy documentation (policy, notice, statement) and any data protection rights in this regard would need to be exercised against the Third-Party Services provider. When you intend to interact with any such Third-Party Services providers or leave the Vault, we encourage you to read the privacy documentation of the respective Third-Party Service you use or visit.

b) Blockchain data processing

Please note that certain data, such as public addresses associated with your wallets and information about transactions associated therewith (hereafter “Transactions”), interact with public decentralised blockchain infrastructures and blockchain-based software, including smart-contracts, which work autonomously. “Decentralised” means that there is no single person, including Novasama, who controls the blockchain or stores data available thereon. “Public” means that the access is available for anyone and cannot be restricted. The data entered in a public decentralised blockchain is distributed via the nodes that simultaneously store all records entered into the blockchain. By design, blockchain records cannot be changed or deleted and are said to be “immutable”. Due to the blockchain’s nature, once you start entering information into a blockchain, particularly by carrying out any Transactions, such information, which may be considered personal data, will become publicly available on a blockchain. Please be aware that any Transaction within a blockchain is irreversible and any information, including personal data, entered into a blockchain cannot be deleted or changed. Novasama will never control such information entered in a blockchain nor manage access to it and is, therefore, not responsible for any data processing in this regard. The ultimate decision whether to transact on a blockchain or carry out any Transaction rests with you. Therefore, your ability to exercise certain data protection rights in this regard will be limited.

c) App Store data processing

The Vault can be downloaded from the Apple App Store and from the Google Play Store. Please note that downloading the Vault from an App Store will allow the respective App Store provider to collect, process, or share certain personal data about you (e.g. account information and/or contact details). Please note that Novasama neither receives, processes or stores such personal data, nor does it control, operate, or manage those App Store providers. Therefore, Novasama is not responsible for the App Store providers’ data processing or privacy documentation (policy, notice, statement) and any data protection rights in this regard would need to be exercised against the App Store provider. When you intend to interact with any such App Store providers, e.g. to download the Vault, we encourage you to first read the privacy documentation of the respective App Store provider you use or visit.

Contacting us

If you have any questions, concerns, or complaints regarding this Policy, the information we hold about you, or if you wish to exercise your rights, we encourage you to contact us using the details below: telenova@novasama.io. any event, within the timescales provided by applicable data protection laws.

5. DATA RECIPIENTS

Within Novasama those persons will get access to your personal data that need it to fulfil our contractual and legal obligations.


In individual cases we may transmit personal data to our advisors in legal or tax matters, whereby these recipients act independently in their own data protection responsibility and are also obliged to comply with the requirements of the GDPR and other applicable data protection regulations. Furthermore, they are obliged to maintain special confidentiality and secrecy due to their professional status. Other than that, we will not transfer any personal data controlled by us to any third-party recipients.

6. DATA TRANSFER TO THIRD COUNTRIES

We will not transfer any personal data to recipients located in countries outside the EU (European Union) / EEA (European Economic Area).

7. DURATION OF DATA STORAGE

We initially process and store your personal data for the duration for which the respective purpose of use requires corresponding storage (see above under Section 3 on the individual processing purposes). This may also include the periods of initiating a contract (pre-contractual legal relationship) and processing a contract. On this basis, personal data is regularly deleted as part of the fulfilment of our contractual and/or legal obligations, unless its temporary further processing is necessary for the following purposes:


  • Fulfilment of legal storage obligations, which result, for example, from the German Commercial Code (§§ 238, 257 para. 4 HGB) and the German Fiscal Code (§ 147 para. 3, 4 AO). The periods specified there for storage or documentation are up to ten years.



  • Preservation of evidence taking into account the statute of limitations. According to §§ 194 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

8. DATA SUBJECT RIGHTS

You are entitled to the following rights as a Data Subject under the legal requirements:


  1. Right of withdrawal: You may, in accordance with Art. 7 (3) GDPR, at any time withdraw any consent you provided to allow us to process your personal data. Please note that the withdrawal only takes effect for the future. Processing that took place before the withdrawal is not affected. However, please note that we currently do not collect your personal data based on your consent.

  2. Right to information/access: You are entitled at any time, within the framework of Art. 15 GDPR, to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you are also entitled, within the framework of Art. 15 GDPR, to receive information about this personal data as well as certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards) and a copy of your personal data. The restrictions of § 34 FDPA apply.

  3. Right to rectification: You are entitled to request us to rectify the personal data stored about you if it is inaccurate or incorrect, in accordance with Art. 16 GDPR.

  4. Right to erasure: You are entitled, under the conditions of Art. 17 GDPR, to demand that we delete personal data relating to you without delay. The right to erasure does not apply if the processing of the personal data is necessary, for example, to comply with a legal obligation (e.g., statutory retention obligations) or to assert, exercise or defend legal claims. Furthermore, the restrictions of § 35 FDPA apply.

  5. Right to restrict processing: You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

  6. Right to data portability: You are entitled, under the conditions of Art. 20 GDPR to demand that we hand over to you the personal data concerning you that you have provided to us, in a structured, common and machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. However, we are currently not processing your personal data based on your consent or based on performance of a contract with you.

  7. Right of objection: You are entitled to object to the processing of your personal data under the conditions of Art. 21 GDPR, so that we must stop processing your personal data. The right to object only exists within the limits provided for in Art. 21 GDPR. In addition, our interests may conflict with the termination of processing, so that we are entitled to process your personal data despite your objection.

  8. Right of appeal to a supervisory authority: Subject to the conditions of Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority. A list of data protection supervisory authorities in Germany and their contact details can be found here. As a rule, the Data Subject can turn to the supervisory authority at his/her habitual residence or place of work or Novasama’s registered office. The supervisory authority responsible for Novasama is the Berlin Commissioner for Data Protection and Freedom of Information (Der Berliner Beauftragte für Datenschutz und Informationsfreiheit).

  9. Other concerns: For further data protection questions and concerns, please contact us under the contact details provided in Section 2 above.

9. REQUIREMENT TO PROVIDE DATA

Visiting our Websites requires you to provide certain personal data to us, as described in Section 3.b) above. Other than that, you are not required to provide any personal data to us. However, if you decide not to provide your personal data to us, you may not be able to contact us and/or we will not be able to contact you, e.g., to respond to your enquiries or questions.

10. AUTOMATED DECISION MAKING / PROFILING

We do not use your personal data to make any automated decision making or profiling (meaning an automated analysis of your personal circumstances).

11. CHILDREN’S PERSONAL DATA

The Vault is not intended for the use of children (under 18 years old). We do not knowingly market to, solicit, process, collect, or use personal data of children.

If we become aware that a child has provided us with personal data, we will use commercially reasonable efforts to delete such information from our database within a reasonable timeframe. If you are the parent or legal guardian of a child and believe that we have collected personal data from your child, please contact us.

12. CHANGES TO THIS PRIVACY NOTICE

We keep this Privacy Notice under regular review and may update it at any time. If we make any changes to this Privacy Notice, we will change the “Last Updated” date above. Please review this Privacy Notice regularly to check for any updates. The current version of the Privacy Notice can be accessed at any time on [https://novasama.io/vault-privacy].