Aeterstate Platform - Privacy Policy
Effective Date: April 12, 2025
Aeterstate ("Aeterstate", "We", "Us", "Our") is committed to protecting the privacy and security of your personal information ("Personal Data"). This Privacy Policy ("Policy") describes how we collect, use, process, share, and protect Personal Data when you access or use our website, platform, applications, software, smart contract interfaces (including testnet demonstrations), documentation, content, and any related services offered by Aeterstate (collectively, the "Platform").
This Policy applies to all users ("User", "You", "Your") of the Platform. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not access or use the Platform.
We adhere to applicable data protection laws, including the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR).
Important Note on Beta / Technology Demonstration: Parts of the Platform may operate in a beta testing or technology demonstration phase using Testnet blockchains. Data collected during these phases, including information provided during KYC Simulations and interactions with Demonstration Tokens (which have no monetary value), is treated in accordance with this Policy but is primarily used for testing, feedback, and platform improvement purposes as detailed in our Beta Testing Terms & Conditions.
1. Definitions Specific to Privacy
- "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purpose of this Policy, Aeterstate is the Controller.
- "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
- "Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
- "FADP" refers to the Swiss Federal Act on Data Protection.
- "GDPR" refers to the EU General Data Protection Regulation 2016/679.
- "KYC Simulation" refers to the simulated identity verification process within beta/demonstration environments.
- "Testnet" refers to blockchain test networks where data has no real monetary value.
2. Information We Collect
We collect various types of Personal Data depending on how you interact with the Platform. This information may be collected directly from you, automatically through your use of the Platform, or from third-party sources where permitted by law.
- Information You Provide Directly:
  - Account Registration Data: When you create an account (if applicable), we may collect your name, email address, password, country of residence, and potentially other contact details or profile information.
  - Beta Access Request Data: Information submitted via forms to request access to beta programs, such as your name, email address, country, and potentially information about your interests or investment capacity simulations (as provided in the `BetaAccessForm.jsx` context, noting simulated capacity).
  - KYC Simulation Data: During simulated KYC processes in beta environments, we may collect identity document information (e.g., simulated passport number, name, date of birth, nationality), proof of address documentation (simulated), and potentially biometric data (e.g., a selfie for simulated liveness checks). This data is collected solely for testing the verification workflow and is clearly marked as simulation data.
  - Communication Data: Information you provide when you contact us for support, provide Feedback, participate in surveys, or communicate with us through email or other channels. This may include the content of your communications and contact details.
  - User Content: Any information or content you voluntarily submit, post, or generate on interactive areas of the Platform (if such features exist).
  - Transaction Information (Simulated): Details related to simulated transactions you initiate on the Platform's Testnet environment, such as simulated token types, amounts, and recipient wallet addresses (pseudonymous). Note: Real financial transaction data (e.g., credit card details for fiat on-ramps in a production environment) would be processed primarily by licensed third-party payment processors, subject to their privacy policies.
- Information Collected Automatically:
  - Usage Data: We automatically collect information about how you access and use the Platform, including dates and times of access, features used, pages viewed, clicks, time spent on pages, interaction patterns, error logs, and referring website addresses.
  - Technical Data: Information about the device(s) you use to access the Platform, such as IP address, browser type and version, operating system, device identifiers (e.g., IDFA, AAID), language settings, screen resolution, and network information.
  - Location Data: We may infer your general geographic location based on your IP address. More precise location data may be collected if you grant permission through your device settings, although this is not typically required for core functionality.
  - Cookie and Tracking Data: We use cookies, web beacons, pixels, and similar technologies to collect information about your browsing activities over time and across different websites or online services. See Section 8 ("Cookies and Tracking Technologies") for more details.
  - Blockchain Data (Public): Interactions with public blockchains (including Testnets) generate publicly accessible data associated with your Wallet address (which is pseudonymous). This includes transaction history, token balances, and smart contract interactions. While we don't control public blockchain data, we may process publicly available blockchain data related to Platform interactions (e.g., confirming a simulated transaction). We do not link your off-chain identity to your public Wallet address unless necessary for specific services you request and consent to, or as required for compliance (e.g., linking a verified identity to a wallet for regulated activities in a potential production environment).
- Information from Third Parties:
  - Service Providers: We may receive information from third-party service providers who assist us with Platform operations, such as analytics providers, simulated KYC providers (in beta), cloud hosting providers, and communication tools.
  - Public Sources: We may collect information from publicly available sources, such as public blockchain explorers.
  - Affiliates: Information may be shared among Aeterstate affiliates for operational purposes, subject to this Policy.
  - Other Sources: We may receive information from other sources where permitted by applicable law.
3. How We Use Your Information and Legal Basis for Processing
We use the Personal Data we collect for various purposes, relying on different legal bases under applicable data protection laws (primarily FADP and, where applicable, GDPR):
- To Provide and Operate the Platform:
  - Processing account registration and login.
  - Facilitating simulated transactions and interactions on Testnet.
  - Providing access to features, content, and services.
  - Delivering customer support and responding to inquiries.
  - Sending essential service-related communications (e.g., account alerts, updates to Terms/Policy, security notices).
  - Legal Basis: Performance of a contract (our Terms of Service with you), Legitimate interests (operating and maintaining our service).
- To Improve and Personalize the Platform:
  - Analyzing usage patterns and technical data to understand how users interact with the Platform.
  - Identifying areas for improvement, optimizing user experience, and developing new features.
  - Personalizing your experience by remembering preferences or showing relevant (simulated) content (subject to consent where required).
  - Using Feedback to enhance the Platform.
  - Legal Basis: Legitimate interests (improving our services, understanding user needs), Consent (for certain personalization cookies/features).
- For Security and Fraud Prevention:
  - Monitoring for and preventing Prohibited Conduct, Malicious Acts, fraud, security incidents, and abuse.
  - Verifying accounts and user activity (including through KYC Simulation in beta).
  - Troubleshooting technical issues and ensuring Platform stability.
  - Enforcing our Terms of Service.
  - Legal Basis: Legitimate interests (protecting our Platform, users, and business), Legal obligation (in some cases).
- To Comply with Legal Obligations:
  - Complying with applicable laws, regulations, court orders, or governmental requests.
  - Responding to lawful requests from public authorities (including for national security or law enforcement purposes).
  - Conducting audits and maintaining records as required by law.
  - Establishing, exercising, or defending legal claims.
  - Legal Basis: Legal obligation.
- For Communication and Marketing (with Consent):
  - Sending promotional emails, newsletters, or updates about Aeterstate products, services, and events (only where you have opted-in or where permitted by law for existing users).
  - Administering surveys, contests, or promotions.
  - You can opt-out of marketing communications at any time (see Section 7).
  - Legal Basis: Consent, Legitimate interests (for certain communications to existing users, subject to opt-out).
- For Research and Development:
  - Using aggregated or anonymized data for research, statistical analysis, and technology development.
  - Analyzing data from Beta Programs to inform product strategy.
  - Legal Basis: Legitimate interests (developing and improving our technology and services).
4. Information Sharing and Disclosure
We do not sell your Personal Data. We may share your Personal Data with third parties only in the circumstances described below and always in accordance with applicable data protection laws:
- With Your Consent: We may share your Personal Data with third parties when we have your explicit consent to do so.
- Service Providers (Processors): We engage trusted third-party companies and individuals to perform services on our behalf (e.g., cloud hosting providers like AWS or Google Cloud, data analytics providers like Google Analytics, email service providers like Resend, customer support tools, simulated KYC providers in beta environments, security service providers). These Processors are contractually obligated to handle your Personal Data securely, only process it for the specific purposes we instruct, and comply with data protection laws. They do not have the right to use your Personal Data for their own purposes.
- Affiliates: We may share Personal Data with our Affiliates for purposes consistent with this Policy, such as operational support, service improvement, and internal administration. All Affiliates are required to adhere to this Policy.
- Legal Requirements and Law Enforcement: We may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, regulation, subpoena, court order, or other valid legal process; (b) protect and defend the rights, property, or safety of Aeterstate, our users, or the public; (c) detect, prevent, or otherwise address fraud, security, or technical issues (including investigating potential violations of our Terms or Malicious Acts); or (d) respond to lawful requests by public authorities.
- Business Transfers: In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your Personal Data may be transferred as part of that transaction, subject to standard confidentiality agreements and provided the acquiring entity agrees to adhere to commitments substantially similar to those in this Policy. We will notify you via email and/or a prominent notice on our Platform of any change in ownership or uses of your Personal Data, as well as any choices you may have.
- Aggregated or Anonymized Data: We may share aggregated or anonymized information (data that cannot reasonably identify you) with third parties for various purposes, including research, analytics, reporting, or marketing.
- Public Blockchain Data: Information recorded on public blockchains (including Testnets) is, by its nature, public and accessible to anyone. This includes transaction details associated with pseudonymous Wallet addresses.
5. Data Security
We take the security of your Personal Data very seriously and implement appropriate technical, administrative, and organizational measures designed to protect it from unauthorized access, disclosure, alteration, misuse, loss, and destruction. These measures include:
- Encryption: Using encryption (such as TLS/SSL) for data in transit and implementing encryption for sensitive data at rest where appropriate.
- Access Controls: Implementing strict access controls (role-based access, principle of least privilege) to limit access to Personal Data to authorized personnel who need it for their job functions.
- Network Security: Utilizing firewalls, intrusion detection/prevention systems, and other network security technologies.
- Secure Development Practices: Incorporating security considerations into our software development lifecycle, including code reviews and vulnerability testing.
- Regular Audits and Assessments: Conducting periodic security assessments and vulnerability scanning.
- Employee Training: Providing regular data privacy and security training to our employees.
- Incident Response Plan: Maintaining procedures to respond to potential data breaches or security incidents.
- Data Minimization: Collecting only the Personal Data necessary for the specified purposes.
Disclaimer: Despite our efforts, no security system is impenetrable. We cannot guarantee the absolute security of your Personal Data, and transmission of information over the internet is inherently risky. You acknowledge that you provide your Personal Data at your own risk.
User Responsibility: Your role in data security is crucial. You are responsible for keeping your Account password confidential and for securing any Wallet private keys or seed phrases associated with your use of the Platform. Do not share these credentials with anyone. Notify us immediately if you suspect any unauthorized access to your Account or compromise of your security credentials.
6. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including:
- To provide the Platform and related services to you.
- To comply with our legal and regulatory obligations (e.g., record-keeping requirements, tax laws).
- To resolve disputes and enforce our agreements (including these Terms).
- To support our legitimate business interests (e.g., platform improvement, security, fraud prevention, analytics), provided these interests are not overridden by your data protection rights.
- For backup and archival purposes.
The retention period varies depending on the type of data and the purpose of processing. For example, account information may be retained as long as your account is active and for a reasonable period afterward for administrative or legal purposes. Usage data may be retained for shorter periods or aggregated/anonymized sooner. Data collected solely for Beta Program feedback may be retained as long as necessary to analyze the feedback and improve the Platform, or as specified in the Beta Testing Terms. KYC Simulation data collected during beta testing will typically be deleted shortly after the testing purpose is fulfilled, unless specific analysis requires longer retention (in which case it will be anonymized where possible).
When Personal Data is no longer needed for its specified purpose, or upon your valid request for erasure (subject to legal exceptions), we will securely delete or anonymize it in accordance with our data retention policies and applicable law.
7. Your Privacy Rights
Depending on your location and applicable data protection laws (such as FADP and GDPR), you may have certain rights regarding your Personal Data. These rights may include:
- Right of Access: The right to request access to the Personal Data we hold about you and receive a copy of it.
- Right to Rectification: The right to request correction of inaccurate or incomplete Personal Data we hold about you.
- Right to Erasure ('Right to be Forgotten'): The right to request the deletion of your Personal Data under certain circumstances (e.g., if the data is no longer necessary for the purposes collected, if you withdraw consent and there's no other legal ground for processing). This right is not absolute and may be subject to legal exceptions.
- Right to Restriction of Processing: The right to request the restriction of processing of your Personal Data under certain conditions (e.g., if you contest the accuracy of the data, if processing is unlawful but you oppose erasure).
- Right to Data Portability: The right to receive the Personal Data you provided to us in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller where processing is based on consent or contract and carried out by automated means.
- Right to Object: The right to object to the processing of your Personal Data based on legitimate interests or for direct marketing purposes. We must stop processing unless we demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority (like the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local EU data protection authority) if you believe our processing of your Personal Data infringes applicable data protection laws.
How to Exercise Your Rights: To exercise any of these rights, please contact us using the details provided in Section 14 ("Contact Information"). We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
We aim to respond to all legitimate requests within one month (or as required by applicable law). Occasionally it may take us longer if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
Marketing Opt-Out: You can opt-out of receiving promotional emails from us at any time by clicking the "unsubscribe" link in the emails or by contacting us directly. Please note that you may still receive essential service-related communications even if you opt-out of marketing emails.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (like web beacons, pixels, tags, and scripts) to collect and track information about your use of the Platform and to improve our services. Cookies are small text files stored on your device when you visit a website.
- Types of Cookies We Use:
  - Essential/Strictly Necessary Cookies: Required for the Platform to function properly (e.g., session management, security, load balancing). These cannot be disabled.
  - Performance/Analytics Cookies: Help us understand how users interact with the Platform by collecting anonymous information (e.g., Google Analytics). They allow us to count visits, identify traffic sources, and measure performance.
  - Functionality Cookies: Enable enhanced functionality and personalization (e.g., remembering your language preferences or login details).
  - Marketing/Targeting Cookies: Used to track browsing activity and potentially deliver targeted advertising (though less common for a platform like this unless specific marketing campaigns are run). May be set by us or third-party advertising partners.
- Your Choices: Most web browsers allow you to control cookies through their settings preferences. You can usually set your browser to refuse cookies or alert you when cookies are being sent. However, if you disable or refuse cookies, please note that some parts of the Platform may become inaccessible or not function properly. For non-essential cookies, we will seek your consent where required by law, often through a cookie consent banner or management tool when you first visit the Platform.
- Other Technologies: We may also use web beacons (small graphic images) in emails or on the Platform to track engagement (e.g., email open rates) or verify clicks.
9. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications that are not operated or controlled by Aeterstate. This Policy does not apply to the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with. We are not responsible for the content, privacy policies, or practices of third-party websites or services.
10. Children's Privacy
The Platform is not intended for or directed at children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect Personal Data from children under this age. If we become aware that we have inadvertently collected Personal Data from a child without verifiable parental consent, we will take steps to delete such information promptly. If you believe we might have any information from or about a child, please contact us using the details in Section 14.
11. International Data Transfers
Aeterstate is based in Switzerland. Your Personal Data may be processed, stored, and transferred to servers located in countries outside of your country of residence, including Switzerland and potentially other locations where our service providers or Affiliates operate. These countries may have data protection laws that are different from those in your country.
When we transfer Personal Data outside of Switzerland or the European Economic Area (EEA), we take steps to ensure that appropriate safeguards are in place to protect your data in accordance with applicable laws. These safeguards may include:
- Transferring data to countries deemed to have adequate data protection laws by relevant authorities (e.g., Switzerland is recognized as adequate by the EU).
- Using Standard Contractual Clauses (SCCs) approved by relevant authorities (e.g., the European Commission or the FDPIC).
- Implementing Binding Corporate Rules (BCRs) for transfers within our corporate group (if applicable).
- Relying on your explicit consent for specific transfers.
By using the Platform, you consent to the transfer of your Personal Data to countries outside your country of residence, including Switzerland, subject to the implementation of these safeguards.
12. Blockchain Specific Privacy Considerations
Please be aware of the specific privacy characteristics related to blockchain technology:
- Pseudonymity: While your real-world identity is not directly stored on public blockchains, your transactions are linked to your public Wallet address, which is a pseudonym.
- Public Transparency: Most blockchain transactions (including on Testnets) are publicly viewable and recorded permanently on the distributed ledger. Anyone can potentially view the transaction history associated with a public Wallet address.
- Immutability: Once data is confirmed on the blockchain, it generally cannot be altered or deleted. This has implications for the 'Right to Erasure'. While we cannot erase data from the public blockchain itself, we will delete the Personal Data linking your off-chain identity to that blockchain activity from our own systems upon a valid erasure request (subject to legal exceptions).
- Off-Chain vs. On-Chain Data: We strive to minimize the amount of Personal Data stored directly on the blockchain. Sensitive information (like KYC data) is typically stored off-chain in our secure systems, with only necessary references or statuses potentially interacting with smart contracts.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated Policy on the Platform, updating the "Effective Date" at the top, and/or by sending you an email notification or other communication where required by law. We encourage you to review this Policy periodically to stay informed about how we are protecting your Personal Data.
Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the changes.
14. Contact Information
If you have any questions, comments, or concerns about this Privacy Policy, our data practices, or if you wish to exercise your privacy rights, please contact us at:
Aeterstate [Your Company's Legal Name, if different] [Your Company's Registered Address - Placeholder] Email: [Provide Privacy Contact Email - e.g., privacy@aeterstate.ch]
If you are located in the EU/EEA and have concerns, you may also contact our designated EU representative (if applicable - provide details here) or your local data protection authority.
Last Updated: April 12, 2025