1. General Provisions
1.1. Identity of the Data Controller
This Privacy Policy is issued by Streamflow Foundation, an entity incorporated and existing under the laws of Panama (“Streamflow Foundation,” “we,” “us,” or “our”). For the purposes of applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”), and applicable United States federal and state privacy laws, Streamflow Foundation acts as the Data Controller when determining the purposes and means of processing Personal Data.
Please read this Policy carefully so that you understand your rights in relation to your personal data and how we will collect, use, and process your personal data. If you do not agree to this Policy, please do not use, access, connect to, interact with, or download any of the Services or otherwise provide your information to us.
1.2. Applicability of this Privacy Policy
This Privacy Policy governs all processing of Personal Data collected from or about individuals (“Users,” “you,” or “your”) who access or use our website https://streamflow.foundation/, smart contracts, web applications, APIs, and all associated services, regardless of the means of access (collectively, “Services”). Where we process Personal Data strictly on behalf of a third-party business partner in accordance with their instructions, we act as a Data Processor, and the privacy policy of such partner will apply to that processing.
1.3. Purpose of the Privacy Policy
The purpose of this Privacy Policy is to explain in a clear and transparent manner:
- the types of Personal Data we collect;
- the legal bases on which we process such Personal Data;
- the purposes for which we use Personal Data;
- the circumstances in which we may share Personal Data with third parties; and
- the rights and choices available to you in relation to your Personal Data.
1.4. Consent and Agreement to Terms
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. In jurisdictions where consent is the lawful basis for certain processing activities (including, without limitation, the placement of non-essential cookies and the sending of marketing communications), you consent to such processing by providing your explicit opt-in in the manner described herein.
2. Definitions
2.1. Personal Data
Any information relating to an identified or identifiable natural person, including:
- direct identifiers such as your name, email address, or blockchain wallet address;
- indirect identifiers such as IP address, device identifiers, and transaction metadata, which, when combined with other information, can reasonably be used to identify you; and
- pseudonymous data, such as blockchain wallet addresses or smart contract interaction history, where such information can be reasonably linked to you.
2.2. Sensitive Data
Certain categories of Personal Data afforded enhanced protection under applicable law, which may include:
- financial account details and payment credentials;
- blockchain transaction histories revealing asset holdings or trading activity;
- precise geolocation;
- government-issued identification numbers; and
- any other category designated as “special category” or “sensitive personal information” under applicable law.
2.3. Processing
Any operation performed on Personal Data, whether automated or not, such as collection, storage, use, disclosure, transmission, alteration, restriction, erasure, or destruction.
2.4. Controller
The entity determining the purposes and means of Processing Personal Data.
2.5. Processor
The entity Processing Personal Data on behalf of the Controller.
3. Legal Bases for Processing Personal Data
We process Personal Data only where we have a lawful basis under applicable data protection laws. These include:
3.1. Contractual Necessity
To enter into and perform a contract with you, including creating and managing your account, providing technical support, facilitating blockchain transactions, and enabling other core functions of the Services.
3.2. Legal Obligation
To comply with obligations imposed by law, regulation, or court order, including but not limited to anti-money laundering (AML) and counter-terrorist financing (CTF) requirements, tax reporting, and responding to lawful governmental requests.
3.3. Consent
Where you have explicitly agreed to the processing of your Personal Data for one or more specific purposes, such as receiving marketing communications or enabling non-essential cookies.
3.4. Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, provided these interests are not overridden by your fundamental rights and freedoms. Examples include fraud prevention, network security, and improving the Services.
4. Categories of Personal Data We Collect
4.1. Automatically Collected Personal Data
- Technical Data — IP address, browser type, device identifiers, operating system, and other system configuration details.
- Usage Data — Pages visited, features used, transaction activity, and the timing of your interactions.
- Location Data — Approximate location derived from IP address or device settings.
- Cookies and Similar Technologies — Essential cookies for core functionality are set automatically; non-essential cookies require your consent where mandated by law.
4.2. Personal Data Provided by You
- Account and Registration Data — Name, email address, phone number, blockchain wallet address, and project details you voluntarily provide.
- Communications Data — Content of support requests, inquiries, and related metadata.
- Marketing Preferences — Your preferences regarding receipt of marketing communications.
4.3. Sensitive Data
Collected only where necessary for the provision of Services, compliance with legal obligations, or with explicit consent where required.
5. Purposes of Processing
5.1. Primary Purposes for Service Provision
We process Personal Data primarily to operate and deliver the Services, which includes:
- Account Establishment and Management — verifying identity, maintaining accurate records, and processing updates you request;
- Transaction Facilitation — initiating, recording, and verifying blockchain transactions, including smart contract execution;
- Security and Fraud Prevention — monitoring for suspicious activity, implementing anti-fraud measures, and defending against cyber threats;
- Customer Service — responding to inquiries, resolving technical issues, and providing requested assistance;
- Regulatory Compliance — fulfilling AML/CTF and other legal requirements;
- Communication Recording — where permitted by law and, where required, with your consent, recording customer support calls or similar communications for accuracy, quality assurance, compliance, and training.
- Recruitment Process — If you submit an application by email, we may process your personal data to consider your application and, if your application proceeds, to contact you for interviews and to engage in internal deliberations, discussions, negotiations, and planning. We may also request personal data as necessary to perform a background, reference, or other check, solely as permitted by applicable law.
5.2. Secondary Purposes (With Consent Where Required)
- Analytics and Service Improvement — collecting aggregated metrics on feature usage to inform platform improvements;
- Marketing Communications — sending newsletters, promotional offers, or event invitations according to your preferences;
- Product Research and Development — testing new features, integrations, and service enhancements.
5.3. Purpose Limitation
We will not process Personal Data in a manner that is incompatible with the purposes for which it was collected unless otherwise permitted by applicable law.
6. Cookies and Tracking Technologies
6.1. Categories of Cookies and Similar Technologies
6.1.1. Essential Cookies
Strictly Necessary Cookies — Required for the operation of the Services, enabling core functionality such as security authentication, session management, and facilitating blockchain transactions. We do not need to obtain your consent in order to use these cookies, and they cannot be turned off as we cannot provide the Services without them.
6.1.2. Non-essential Cookies
- Performance and Analytics Cookies — Collect aggregated data on how Users interact with the Services to help us improve functionality, identify usability issues, and measure engagement; require opt-in consent for Users in the EEA/UK;
- Targeting and Advertising Cookies — Enable delivery of personalised advertising and measurement of campaign effectiveness; require opt-in consent in the EEA/UK;
- Functionality Cookies — Store User preferences (such as language and region) to personalise the Service experience;
- Web Beacons and Tracking Pixels — Embedded objects used to monitor engagement with content (e.g., email open rates).
6.2. Consent Management
No Non-Essential Cookies (as described in 6.1.2. above) are set without your consent. However, if we introduce any Non-Essential Cookies, the following will apply:
- Upon your first visit to the Services (including on mobile devices), we present a clear and prominent cookie banner or consent management tool;
- You may choose to: (i) accept all cookies; (ii) reject all non-essential cookies; or (iii) manage preferences at a granular level;
- In jurisdictions requiring opt-in consent, all non-essential cookies are disabled by default until explicitly enabled by you.
6.3. Withdrawal of Consent
You may change or withdraw your cookie preferences at any time via our cookie management interface, which is accessible from every page of our website.
6.4. Retention of Cookie Data
Data collected through cookies and tracking technologies is retained only for as long as necessary to fulfil the stated purpose and is securely deleted or anonymised thereafter.
7. Disclosure and Sharing of Personal Data
7.1. General Principles of Disclosure
We do not sell your Personal Data to, or share it with, third parties. We disclose Personal Data only in compliance with this Policy, applicable laws, and contractual safeguards. Any such disclosure is limited to what is strictly necessary for the stated purpose.
7.2. Categories of Recipients
- Service Providers (Processors) — Third-party vendors providing hosting, cloud storage, analytics, customer support, compliance (e.g., KYC/AML verification), marketing, and security services, bound by Data Processing Agreements;
- Professional Advisors — External lawyers, auditors, and accountants engaged under confidentiality obligations;
- Affiliates and Subsidiaries — For operational or administrative purposes under equivalent protections;
- Regulatory and Law Enforcement Authorities — Where disclosure is required to comply with a legal or regulatory obligation, court order, or to protect our legal rights;
- Transaction Counterparties — In the context of mergers, acquisitions, financing, or corporate restructuring, provided appropriate confidentiality arrangements are in place;
- Third-Party Services Chosen by You — Blockchain explorers, wallet providers, or integrations you elect to use.
7.3. Vendor Transparency
We maintain and make available a list of categories of third parties with whom we regularly share Personal Data.
7.4. Cross-Border Disclosures
Where such sharing involves the transfer of Personal Data across national borders, the safeguards described in Section 8 will apply.
8. International Data Transfers
8.1. Scope of Transfers
Your Personal Data may be transferred to and processed in jurisdictions outside your country of residence. Such jurisdictions may not provide the same level of data protection as your home jurisdiction.
8.2. Transfer Mechanisms
Where required by law, we use one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) — Approved by the European Commission for transfers from the EEA;
- UK International Data Transfer Addendum (IDTA) — For transfers from the UK;
- Binding Corporate Rules (BCRs) — Approved frameworks for intra-group transfers;
- Adequacy Decisions — Transfers to jurisdictions recognised by relevant authorities as providing adequate protection.
8.3. Technical and Organisational Measures
In addition to legal mechanisms, we apply:
- encryption in transit and at rest;
- pseudonymisation where feasible;
- access controls and logging for transfer-related activities.
8.4. Onward Transfers
If Personal Data is subsequently transferred to another third party, we require contractual assurances that equivalent data protection standards will be maintained.
9. Your Rights
9.1. Overview of Rights
Subject to applicable law, you may have the right to:
- access your Personal Data;
- rectify inaccurate or incomplete Personal Data;
- request erasure of your Personal Data (“right to be forgotten”);
- restrict processing of your Personal Data;
- object to certain types of processing, including direct marketing;
- receive your Personal Data in a structured, machine-readable format (“data portability”);
- withdraw consent where processing is based on consent;
- lodge a complaint with a relevant supervisory authority.
9.2. Mechanism for Exercising Rights
- Submit a written request to [email protected] with the subject line “Data Rights Request”;
- Include sufficient detail to identify yourself and the right you wish to exercise;
- Provide verification information, which may include matching details from our records or presenting identification documents.
9.3. Identity Verification
- We will verify your identity before processing your request;
- For authorised agents, we require proof of authorisation and will verify both the agent and the individual.
9.4. Response Timeframes
- EU, UK and Rest of the World — Within one (1) month of receiving a valid request, extendable by two (2) months for complex requests;
- US — Within forty-five (45) days, extendable by an additional forty-five (45) days where permitted by law.
9.5. Grounds for Refusal
We may refuse a request if:
- we cannot verify your identity;
- it is manifestly unfounded or excessive;
- retention is required by law or for legal defence.
9.6. Unified Rights Application
Where feasible, we apply the highest protections from GDPR, UK GDPR, and applicable US state privacy laws to all users, regardless of location.
10. Security and Retention
10.1. Security Measures
We implement technical, organisational, and administrative measures to safeguard Personal Data, including:
- using strong encryption to protect stored information (“data at rest”) and secure connection protocols to protect information sent over the internet (“data in transit”);
- multi-factor authentication for administrative accounts;
- network intrusion detection and prevention systems;
- regular penetration testing and vulnerability assessments;
- role-based access controls and segregation of duties.
10.2. Incident Response
- We promptly investigate any suspected data breaches;
- Where required by law, we notify relevant supervisory authorities without undue delay;
- If the breach poses a high risk to your rights and freedoms, we will also notify you without undue delay.
10.3. Blockchain-Specific Considerations
- Due to blockchain immutability, certain transaction data cannot be altered or erased;
- We minimise off-chain identifiers linked to on-chain records to reduce privacy risk.
10.4. Retention Policy
- Personal Data is retained only for as long as necessary to fulfil the purposes described in this Policy or as required by law;
- Data no longer required is securely deleted or anonymised;
- Archived data for legal compliance is stored securely with restricted access.
11. Minors’ Privacy
Our Services are intended for individuals aged eighteen (18) years or older. We do not knowingly collect Personal Data from minors. If such data is inadvertently collected, we will delete it promptly unless retention is required by law.
12. Changes to this Policy
We may amend this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our practices. Material changes will be communicated via our website or other appropriate means before they take effect.
13. Contact Us
For privacy-related questions or to exercise your rights, contact:
Email: [email protected]