Privacy Policy

Cardano Foundation (referred to as “Foundation”, “We”, “Our” or “Us”) is committed to innovating in digital identity management while prioritising user privacy and data protection. This Privacy Policy specifically applies to the Identity Wallet developed by the Cardano Foundation (the “Identity Wallet”) and the website http://identity.cardanofoundation.org/ (the “Products”). The Identity Wallet is a product designed to facilitate the creation and management of digital identities using Key Event Receipt Infrastructure (KERI) and Decentralized Identifiers (DIDs), operating without linking to any real-world names or personally identifiable information (PII). The Identity Wallet does not require users to submit emails, names, phone numbers, or any documents. Instead, it provides a framework for users to manage their own digital identities autonomously. This is achieved by securely storing private key material on the user's device for identification purposes, enabling users to control their own identity information and securely communicate with other users and entities. This policy outlines our practices regarding the collection, use, disclosure, and protection of any data associated with the Identity Wallet. Note that this policy may differ from other privacy policies pertaining to different CF products or services.

Please read this Privacy Policy carefully.

  1. Data controller and contact details

    The controller of the data processing described in this Privacy Policy is Cardano Foundation, unless we inform you otherwise in certain cases. You can notify Us of any data protection-related concerns using the following contact details:

    Cardano Foundation
    Dammstrasse 16
    6300 Zug
    gdpr@cardanofoundation.org

  2. Types of Data Collected

    For the Identity Wallet, We collect and manage data differently, aligning with our commitment to user privacy and secure identity management. We do not collect typical personal data like names, addresses, or contact information.

    When using the Products, the Foundation may ask you to provide certain information that can be used to identify or contact you (“Personal Data”). The types of Personal Data that We collect from you depend on the circumstances of collection, the nature of the Product used or the transaction undertaken.

    Data We collect may include, but is not limited to:

    1. Device/Network Data: Information regarding your interaction with a Product. This includes technical information (e.g., IP Address, MAC Address, SSIDs, etc.), online user ID, device characteristics (such as browser/OS version), web server logs, browser plug-ins, your time zone, application logs and language settings, cookie data, usage data. It also includes practical information like any login information, information about how you use Our Products and interact with Us and limited technical information necessary for the operation and security of the wallet, such as device type and operating system version. This is to ensure the proper functioning of the wallet and to provide security features.

    To clarify, We do not collect the following data, which remains stored on the user's device:

    • Identity Data: This includes any personal details users choose to employ for setting up or supporting their digital identities, like their names, physical addresses, identification documents, or proofs of residency and credentials.
    • Digital Identity Data: Information related to the digital identities created using the wallet, including KERI and DIDs. This does not include real-world names or personal details, unless the user opts to incorporate these details.
    • Private Key Material: This comprises private keys, which are essential for identity management and verification purposes.
  3. How we collect your Personal Data

    You may give Us personal information when you use, apply or register for a Foundation product or otherwise submit information to Us through the Products or other communications with Us. For example:

    1. We may collect information when you create a profile on Our Products;
    2. We may collect Device/Network Data when you access and use Our websites. Some of this data is necessary for Us to run Our website or to respond to your requests, like ticket bookings. Other data is a huge help to Us in providing you with better services and maintaining a well-run organisation;
    3. We may collect information about you from third parties and other channels, including Our support; and
    4. We may collect data under any other contractual agreement or arrangement.
  4. Use of Personal Data

    We may use your Personal Data for the following purposes:

    1. For legitimate business purposes and to provide the Products you request. This includes but is not limited to: fulfilling Our obligations to you and to financial or other institutions, compliance with laws, audits, protect rights, prevent fraud, and for business improvement, including sending relevant information, responding to law enforcement, gathering feedback, and addressing complaints or disputes;
    2. to protect the safety and the well-being of yourself and/or other users;
    3. for business development purposes such as statistical and marketing analysis, systems testing, maintenance and development, customer surveys or to help Us in any future dealings with you, for example by identifying your requirements and preferences; for all other purposes ancillary to any of the purposes stated above ("Ancillary Purposes");
    4. based on your consent: If you have given us consent to process your personal data for certain purposes, we process your personal data within the scope of and based on this consent, unless we have another legal basis and we require such a basis. Consent given can be revoked at any time, but this has no effect on data processing that has already taken place.

      (collectively, "Purposes")
  5. Data Security and Transfer

    While no system is absolutely secure, We use reasonable technical and organisational precautions to protect your data and to respect your privacy.

    We employ measures like encryption, secure physical storage, limited access zones, confidentiality agreements, and routine assessments for timely data deletion to safeguard your information.

    The Identity Wallet is designed to store Digital Identity Data and Private Key Material directly on the user’s device. As such, no transfer of this data occurs to Cardano Foundation servers or external entities, providing an additional layer of privacy and security.

    Personal Data may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) where there are appropriate safeguards in place pursuant to Article 46 of the GDPR. This data might be handled by Our staff or Our suppliers outside the EEA for various tasks, including service provision. By providing your personal data, you consent to such transfers, storage, or processing.

  6. Retention

    The Foundation will hold onto your Personal Data only as long as needed based on the reasons outlined in this Privacy Policy.

    Digital Identity Data and Private Key Material will be retained on the user's device and will not be stored on Cardano Foundation servers. Users have full control over this data, including its deletion.

    Device/Network Data will be retained only as long as necessary for operational and security purposes. This data will be subject to regular review and deletion as per our data minimization principles.

    We will store and utilize your Personal Data as long as it's required to meet legal obligations, address disagreements, and uphold Our legal agreements and policies. Additionally, We will keep usage data for Our internal analysis purposes. Typically, usage data is kept for a shorter duration unless it aids in enhancing product security or functionality, or when legal requirements necessitate longer retention.

  7. Data Disclosure

    We will not trade or sell your Personal Data to third parties.

    We will not disclose any Digital Identity Data or Private Key Information to third parties, as this data is stored solely on the user's device.

    Your other Personal Data, if any, shall only be disclosed or transferred to the following third parties appointed or authorised by the Foundation for the fulfilment of the Purposes described herein, in accordance with GDPR principles such as consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. This may include third party processors, such as:

    1. Data warehouses;
    2. IT service providers;
    3. Data analytics and/or marketing agencies;
    4. Third party service providers, tools or plugins that enable a better user experience for Products, such as social media plugins or online marketing tools, newsletter providers;
    5. Auditors.

    We shall take practical steps to ensure that their employees, officers, agents, consultants, contractors and such other third parties mentioned above who are involved in the collection or processing of your Personal Data will observe and adhere to the terms of this Privacy Policy and GDPR requirements.

    The Foundation may disclose your Personal Data in good faith belief that such disclosure is necessary for one of the following reasons: complying with a legal obligation; protecting and defending the rights or property of the Foundation; preventing or investigating possible wrongdoing in connection with the Products; protecting the personal safety of users of Products or the public; protecting against legal liability; or responding to legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or responding to regulatory authorities.

    In addition to the above, your Personal Data may also be disclosed or transferred to Our affiliates and subsidiaries.

  8. Your Rights

    Users can access, manage, and delete their Digital Identity Data within the wallet at any time. Any Private Key Material or other data securely stored within your device (as described in section 2) must be removed manually by the user.

    If you want to know what Personal Data the Foundation holds about you or wish for it to be deleted, please reach out to Us at gdpr@cardanofoundation.org.

    In certain circumstances, you possess these data protection rights:

    1. Access: You can ask for details about your personal data We have.
    2. Rectification: If the data is inaccurate or incomplete, you can request corrections.
    3. Objection: You can contest the use of your data for specific reasons; for instance, using the unsubscribe option in our emails.
    4. Restriction: You can ask Us to limit the processing of your data.
    5. Data Portability: Request a copy of your data from Us in a standard, machine-readable format.
    6. Withdraw Consent: Should We process data based on your consent, you can retract it anytime.

    Please understand We might ask you to confirm your identity before acting on these requests. If unsatisfied with how We handle your data, you can report to your local Data Protection Authority in the EU or EEA.

  9. Third Party Links

    Products may contain links to other companies, organizations or websites (collectively, “Third Party Links”). This Privacy Notice does not apply to such Third Party Links. If you access Third Party Links using the links provided, the operators may collect your personal information.

    The Foundation has no control over and assumes no responsibility for the content, privacy policies or practices of any third-party product or service.

  10. Changes

    We may revise or update this Privacy Policy from time to time.

    Any modifications will be reflected on this page. We'll notify you of updates either through email or a notable alert on the Product, while also adjusting the "effective date" at this Policy's beginning. Regularly reviewing this Policy ensures you stay informed of any alterations, which take effect once displayed on this page.

  11. Data Privacy Contact

    For further inquiries or requests in relation to Our handling of your Personal Data or this Privacy Policy, please contact Us at gdpr@cardanofoundation.org.
