Privacy Policy

This Privacy Policy explains how we collect, use, and protect your personal data when you use our decentralized autonomous organization (DAO) application and website.

We take the protection of your personal data very seriously and handle your personal data confidentially and in accordance with legal data protection regulations and this Privacy Policy.

---

Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

MüritzPhone

Hohe Straße 2

17207 Röbel/Müritz

Germany

Email: mueritzphone@gmail.com

Phone: 039931 148019

Owner: Max Brych

---

Personal Data We Collect

3.1 Data You Provide Directly

Wallet Address (Public Key):

Your Ethereum/Base wallet address is collected when you connect your wallet to our application
Important: Wallet addresses are considered personal data under GDPR, even though they are pseudonymous

Governance Data:

Participation in DAO votes
Proposal creation
NFT ownership (HomeTownVotingNFT)

Optional Profile Data:

Display name
Email address (if you subscribe to updates)
Profile picture

3.2 Automatically Collected Data

Technical Data:

IP address
Browser type and version
Operating system
Device type and model
Screen resolution
Language settings
Time zone

Usage Data:

Pages visited
Interactions with smart contracts
Application usage patterns
Session duration
Referring URL

Blockchain Data:

Wallet address (public key)
Transaction history with our smart contracts
NFT ownership and transfers
Participation in governance votes
Smart contract interactions
Transaction hashes

3.3 Location Data (Mobile App)

Precise Location Data:

GPS coordinates (when you grant location permission)
Used for map features and location-based content
Only collected when actively using the feature

Approximate Location Data:

City or region-based location information
Derived from IP address
For weather data and regional context

Google Maps Data:

Map interactions
Searched places
Route queries

3.4 Weather Data

Location requests for weather information

Request timestamps
Weather preferences

---

Purposes and Legal Bases for Processing

We only process your personal data for specified purposes and based on a lawful legal basis pursuant to Art. 6(1) GDPR:

4.1 DAO Governance and Contract Performance

Purpose: Enable participation in DAO governance (voting, proposals, NFT management)

Processed Data: Wallet address, voting data, NFT ownership, smart contract interactions

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Processing is necessary to enable your participation in the DAO

Additionally: Art. 9(2)(a) GDPR (explicit consent)

Voting may reveal political opinions (special category of personal data)
We use MACI (Minimal Anti-Collusion Infrastructure) for encrypted voting
Only the fact of your participation is public, your voting choice remains private

4.2 Blockchain Storage

Purpose: Immutable recording of DAO transactions and governance activities

Processed Data: Wallet address, voting participation (not voting choice), NFT transactions

Legal Basis:

Art. 6(1)(a) GDPR (consent) - You expressly consent to permanent storage on the blockchain
Art. 6(1)(b) GDPR (contract performance) - Technically necessary for DAO operation

Important Notice: Blockchain data cannot be deleted due to technical immutability (see Section 5)

4.3 Location-Based Services

Purpose: Provision of maps, weather information, and location-related community content

Processed Data: GPS coordinates, location preferences, map interactions

Legal Basis: Art. 6(1)(a) GDPR (consent)

You expressly consent when you grant location permissions
You can revoke consent at any time in device settings

4.4 Analytics and Service Improvement

Purpose: Improve user experience, fix bugs, optimize performance

Processed Data: IP address, usage patterns, technical data, device information

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

Our legitimate interest: Improve our services, ensure functionality
Your interests: We use pseudonymized data and no behavioral advertising

Alternatively: Art. 6(1)(a) GDPR (consent)

When you accept analytics cookies

4.5 Security and Fraud Prevention

Purpose: Protection against abuse, fraud, security breaches

Processed Data: IP address, transaction patterns, access logs

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

Our legitimate interest: Platform security and protection of all users
Necessary to prevent abuse and comply with legal obligations

4.6 Communication and Support

Purpose: Send important updates, notifications, respond to inquiries

Processed Data: Email address, communication history

Legal Basis:

Art. 6(1)(a) GDPR (consent) - for newsletters and marketing
Art. 6(1)(b) GDPR (contract performance) - for essential service updates

---

Blockchain and Immutability

5.1 Permanent Data Storage

Important Information: When you interact with our DAO, certain data is permanently stored on the public [Base/Ethereum] blockchain:

Data Stored on the Blockchain:

Your wallet address (public key)
NFT ownership and transfers
Participation in governance votes (not your voting choice)
Proposal creation
Smart contract interactions
Transaction hashes

Characteristics of Blockchain Data:

✅ Publicly accessible via blockchain explorers
✅ Globally retrievable
✅ Permanent and immutable
✅ Cannot be deleted or modified
✅ Remains on the blockchain indefinitely

5.2 Private Voting with MACI

We use MACI (Minimal Anti-Collusion Infrastructure) for privacy-friendly voting:

How MACI Protects Your Privacy:

Your voting choice is encrypted before being transmitted to the blockchain
Only the coordinator can decrypt votes to calculate results
Results are verified using zero-knowledge proofs
Your specific voting choice is never publicly revealed
Only the fact that you voted is visible via your wallet address

Benefits:

Prevents vote buying and coercion
Protects political opinions (special category of personal data)
Enables verifiable but private voting

5.3 On-Chain vs. Off-Chain Data Storage

On-Chain (Blockchain):

Immutable and permanent
Publicly accessible
Cannot be deleted
Minimal: Only wallet addresses and encrypted votes

Off-Chain (Supabase Database):

Modifiable and deletable
Private and access-controlled
GDPR-compliant deletion possible
Contains: Profile information, email addresses, preferences

5.4 Your Consent

Before Your First Blockchain Interaction:

You will be expressly informed and must consent that:

1. Your wallet address will be permanently stored on the blockchain

2. This data is publicly accessible

3. This data cannot be deleted

4. Voting may reveal political opinions (but MACI protects your voting choice)

You cannot proceed without providing this express consent.

5.5 Limitations on the Right to Erasure

Important: Due to the technical immutability of the blockchain, we cannot fully fulfill the following rights:

Limited Right to Erasure (Art. 17 GDPR):

We can delete off-chain data (profile, email)
We CANNOT delete blockchain data (wallet address, transactions)
This is a technical limitation, not a legal exception
We inform you transparently about this before first use

Limited Right to Rectification (Art. 16 GDPR):

Blockchain data cannot be corrected
Corrections can be added as new transactions, but old data remains visible

Legal Exceptions:

Art. 17(3)(e) GDPR: Archiving purposes in the public interest
The blockchain serves as a public, decentralized archive for governance

---

We only share your personal data with the following recipients:

6.1 Infrastructure Service Providers

Supabase Inc. (Database and Backend)

Location: Singapore (headquarters), Data Processing: Germany (Frankfurt, eu-central-1)

Purpose: Database, authentication, file storage, real-time functionality

Processed Data:

Account information (email, authentication credentials)
Profile information
Session information
Content you upload

Legal Basis: Art. 28 GDPR (data processing agreement)

We have entered into a Data Processing Agreement (DPA) with Supabase
Includes EU Standard Contractual Clauses

Data Storage Location: EU (Frankfurt, Germany)

All your data remains in the EU
NOT transferred to third countries (for Supabase services)

Security:

SOC 2 Type 2 certified
AES-256 encryption at rest
TLS encryption in transit
Daily encrypted backups

Sub-processors:

Amazon Web Services (AWS) - Cloud hosting (EU Frankfurt)
Stripe - Payment processing (if applicable)
More at: https://supabase.com/privacy

---

Vercel Inc. (Hosting and Infrastructure)

Location: USA (440 N Barranca Ave #4133, Covina, CA 91723)

Purpose: Website hosting, serverless functions, edge network, deployments

Processed Data:

IP addresses
Browser information
Request data and server logs
Performance metrics

Legal Basis: Art. 28 GDPR (data processing agreement)

Data Processing Agreement (DPA) executed
EU Standard Contractual Clauses for data transfers

Data Storage Location: Primarily USA, global edge network

Data may be processed worldwide
Protected by EU-US Data Privacy Framework (DPF)

Security:

ISO 27001:2022 certified
SOC 2 Type 2 attested
TLS encryption
DDoS protection

Log Retention:

Hobby Plan: 1 hour
Pro Plan: 1 day
Configurable depending on plan

Sub-processors:

Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Full list: https://security.vercel.com/

---

thirdweb Inc. (Web3 Infrastructure)

Location: USA

Purpose: Wallet connection, blockchain interactions, smart contract calls, analytics

Processed Data:

Wallet addresses
Transaction data
Smart contract interactions
IP addresses
Device information
Usage analytics (via Client ID)

Legal Basis: Art. 28 GDPR (data processing agreement) and Art. 6(1)(b) (contract performance)

Data Storage Location: USA

International Transfer:

Standard Contractual Clauses (SCCs)
thirdweb GDPR/CCPA compliance

Data Deletion: Customer data deleted upon request:

GDPR: 30 days
CCPA: 45 days

Security:

TLS encryption
AES-256 encryption for backups
Private keys are NEVER stored or transmitted

Privacy Policy: https://thirdweb.com/privacy

---

6.2 Map Services

Google LLC (Google Maps Platform)

Location: USA (Mountain View, California)

Purpose: Map display, location search, route planning, geolocation

Processed Data:

IP addresses
Location data (when you grant permission)
Device and browser information
Map interactions
Unique identifiers (API key)

Legal Basis: Art. 6(1)(a) GDPR (consent)

Google Maps is only loaded after your express consent
You can revoke consent at any time

Data Storage Location: Worldwide (Google data centers, including USA)

International Transfer:

EU-US Data Privacy Framework (Google is certified)
Google Cloud Data Processing Addendum (CDPA) with SCCs

Cookies: Google Maps uses cookies:

NID cookie: User settings, connection to Google network
More information: https://policies.google.com/technologies/cookies

You Have Control:

You can disable Google Maps in settings
The app will continue to function without map features

Google Privacy Policy: https://policies.google.com/privacy

---

6.3 Weather Services

Google Cloud Weather API

Location: USA (Google LLC, Mountain View, California)

Purpose: Provision of weather information based on your location

Processed Data:

Location coordinates or city name
IP address
Request timestamps
Device information

Legal Basis: Art. 6(1)(a) GDPR (consent)

International Transfer:

EU-US Data Privacy Framework (Google is certified)
Google Cloud Data Processing Addendum (CDPA) with SCCs

Privacy Policy: https://policies.google.com/privacy

---

6.4 Mobile App Services (Expo)

Expo (630 Network, Inc.)

Location: USA

Purpose: Mobile app development platform, OTA updates, push notifications (if used), error reports

Processed Data:

Minimal data: Device installation IDs (randomly generated, no unique device identifiers)
Push tokens (only if you enable push notifications)
EAS update requests (do NOT contain unique device identifiers)

Expo's Privacy-First Approach:

Collects only minimal data
No end-user tracking without your implementation
GDPR/CCPA compliant

Legal Basis: Art. 28 GDPR (data processing agreement)

Data Storage Location: USA

Sub-processors (Expo):

Amazon AWS (cloud infrastructure)
Google (cloud infrastructure)
Cloudflare (CDN)
Full list: https://expo.dev/privacy/subprocessors

Privacy Policy: https://expo.dev/privacy

---

6.5 Blockchain Network

Public Blockchain (Base/Ethereum)

Type: Decentralized network with thousands of independent nodes worldwide

Processed Data:

All on-chain transactions
Wallet addresses
Smart contract interactions
Publicly accessible data

Important:

We have NO control over the blockchain network
Data is public and immutable
Nodes are distributed worldwide (international transfer is inherent)
Anyone can access this data (e.g., via Etherscan, Basescan)

Legal Basis:

Art. 6(1)(a) GDPR (consent)
Art. 6(1)(b) GDPR (contract performance - technically necessary for DAO)

---

6.6 Analytics and Monitoring (if applicable)

Option 1: Vercel Web Analytics (Recommended - privacy-friendly)

Privacy Features:

No cookies
No cross-site tracking
Anonymous visitor identification (hash-based)
Session data automatically deleted after 24 hours
No personal data collected

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest)

No consent required (no cookies, fully anonymous)

---

Option 2: Google Analytics (If used - requires consent)

Purpose: Website analysis, user behavior, traffic sources

Legal Basis: Art. 6(1)(a) GDPR (consent)

Requires express consent via cookie banner
Cookies are only set after consent

Privacy-Friendly Configuration:

IP anonymization enabled
No sharing with Google for advertising purposes
Data processing agreement with Google executed

---

6.7 Legal Disclosures

We may disclose personal data when legally required:

Government requests (police, courts)
Legal obligations
Protection of our rights or the safety of others

Legal Basis: Art. 6(1)(c) GDPR (legal obligation)

---

International Data Transfers

7.1 Transfers to Third Countries

Some of our service providers process data outside the European Economic Area (EEA):

USA (United States):

Vercel Inc. (hosting)
thirdweb Inc. (Web3 infrastructure)
Google LLC (Maps, potentially Analytics)
Expo (mobile platform)

7.2 Safeguards for Data Transfers

We ensure that your data is adequately protected:

1. EU-US Data Privacy Framework (DPF):

EU Commission adequacy decision
Vercel and Google are DPF-certified
Verification: https://www.dataprivacyframework.gov/list

2. Standard Contractual Clauses (SCCs):

EU Commission-approved contractual clauses (2021)
Executed with all US service providers
Ensure legally binding level of protection

3. Data Processing Agreements (DPAs):

Executed with all processors
Obligate compliance with GDPR standards
Contain technical and organizational measures

7.3 Supabase EU Data Residency

Advantage: Your primary application data (profile, email, preferences) remains in the EU:

Supabase Frankfurt (eu-central-1) region
All data processing occurs in Germany
Backups remain in the same region
NO transfer to third countries for Supabase database services

7.4 Blockchain Data Transfers

Specificity: The blockchain is a global, decentralized network:

Nodes are located worldwide (incl. third countries)
Data is publicly accessible on the entire blockchain
International transfer is inherent to the technical architecture
Transfer is technically necessary for DAO participation

Legal Basis:

Art. 49(1)(b) GDPR (contract performance)
Art. 49(1)(a) GDPR (explicit consent)

---

Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help store your preferences and improve website functionality.

8.2 What Cookies Do We Use?

Strictly Necessary Cookies (No Consent Required):

Session Cookies: Authentication, session management

- Purpose: Enable you to log in and securely use the application

- Duration: End of session or until logout

- Provider: Our application (Supabase Auth)

- Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Security Cookies: CSRF protection, security tokens

- Purpose: Protection against attacks and abuse

- Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in security)

---

Functional Cookies (No Consent Required):

Preference Cookies: Language settings, theme (light/dark)

- Purpose: Store your preferences

- Duration: 12 months

- Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in user-friendliness)

Cookie Consent Cookie: Stores your cookie preferences

- Purpose: Remembers your cookie consent

- Duration: 12 months

- Legal Basis: Art. 6(1)(c) GDPR (legal obligation to store consent)

---

Analytics Cookies (Require Consent):

If using Vercel Analytics (recommended):

NO cookies: Vercel Analytics does not use cookies
Privacy-friendly: Hash-based anonymous visitor identification
No consent required: Fully anonymous, no tracking

If using Google Analytics:

Analytics Cookies: _ga, _gid, _gat

- Purpose: Website usage analysis, traffic measurement

- Duration: _ga: 2 years, _gid: 24 hours

- Provider: Google LLC (USA)

- Legal Basis: Art. 6(1)(a) GDPR (consent)

- Consent required: Yes, via cookie banner

- IP anonymization: Enabled

---

Google Maps Cookies (Require Consent):

NID Cookie: User settings, connection to Google network

- Purpose: Google Maps functionality, abuse detection

- Duration: 6 months

- Provider: Google LLC (USA)

- Legal Basis: Art. 6(1)(a) GDPR (consent)

- Consent required: Yes, before Google Maps is loaded

More information: https://policies.google.com/technologies/cookies

---

8.3 Manage Your Cookie Settings

Grant/Revoke Consent:

Cookie banner on first visit
Change settings at any time via: [Link to Cookie Settings]
Granular control by category (Essential, Analytics, Maps)

Browser Settings:

You can block or delete cookies in your browser
Note that this may affect functionality
Instructions for common browsers:

- Chrome: https://support.google.com/chrome/answer/95647

- Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

- Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac

- Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

Impact of Disabling:

Essential cookies: Website may not function correctly
Analytics cookies: No impact on functionality
Google Maps cookies: Map features unavailable

8.4 Do Not Track (DNT)

We respect Do-Not-Track signals when you use Vercel Analytics (no cookies). For other tracking technologies, we use a consent-based solution.

8.5 Local Storage (LocalStorage)

We also use browser LocalStorage for:

Wallet connection status (thirdweb)
App settings and preferences
Cached data for offline functionality

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in functionality)

Technically necessary for app functionality
No consent required

---

Data Retention

We only store your personal data as long as necessary for the respective purposes:

9.1 Off-Chain Data (Supabase Database)

Active Accounts:

As long as your account is active
Definition "active": You have logged in or interacted within the last 24 months

Inactive Accounts:

Retention period: 2 years after last activity
Deletion: Automatic deletion after expiration
Notification: We send a reminder email 30 days before deletion (if email available)

Specific Data Types:

Email addresses: As long as account exists or until newsletter unsubscribe
Profile information: As long as account exists
Session data: Until logout or after session expiration
Support requests: 3 years after completion (for legal purposes)

9.2 On-Chain Data (Blockchain)

Retention Period: Indefinite / permanent

Reason: Technical immutability of the blockchain

Affected Data:

Wallet addresses
Transaction hashes
NFT ownership and transfers
Vote participation (not voting choice with MACI)
Smart contract interactions

Important: This data cannot be deleted due to blockchain architecture.

9.3 Analytics Data

Vercel Analytics:

Session data: Automatically deleted after 24 hours
Aggregated statistics: Indefinite (fully anonymized)

Google Analytics (if used):

Raw data: 14 months (IP anonymized)
Aggregated reports: Indefinite (anonymized)

9.4 Server Logs

Vercel Server Logs:

Hobby Plan: 1 hour
Pro Plan: 1 day (30 days with Observability Plus)
Enterprise: 3 days (30 days with Observability Plus)

Content: IP addresses, request data, error messages

9.5 Cookies

See Section 8.2 for specific cookie retention periods.

9.6 Legal Retention Obligations

We must retain certain data longer if legal requirements mandate:

Commercial retention obligations: 6-10 years (German law)
Contract-relevant documents: 6 years after contract end (statute of limitations)

9.7 Early Deletion

You can request deletion of your data at any time (see Section 10.3 "Right to Erasure").

---

Your Rights

Under GDPR, you have comprehensive rights regarding your personal data:

10.1 Right of Access (Art. 15 GDPR)

You have the right:

To receive a copy of your personal data
To receive information about processing (purposes, categories, recipients, retention)

How to request access:

Email: mueritzphone@gmail.com
Subject: "GDPR Access Request"
Or use the "Export Data" function in app settings

Timeline: We respond within 1 month (extendable to 3 months for complexity)

Format: Machine-readable format (JSON, CSV)

10.2 Right to Rectification (Art. 16 GDPR)

You have the right:

To have inaccurate personal data corrected
To have incomplete data completed

Implementation:

Off-chain data: Can be changed anytime in account settings
Blockchain data: CANNOT be corrected (technical immutability)

- Corrected data can be added as new transaction

- Old data remains visible

10.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right:

To request deletion of your personal data

How to delete your data:

Use "Delete Account" function in app settings
Email: mueritzphone@gmail.com

What will be deleted:

✅ Off-chain data: Profile, email, preferences, session data
✅ Cookies and LocalStorage
✅ Supabase database entries
✅ Analytics data (personal)

What CANNOT be deleted:

❌ Blockchain data: Wallet address, transactions, NFT ownership, vote participation
Reason: Technical immutability of the blockchain
Alternative: We can delete encryption keys to make data inaccessible

Exceptions to erasure right:

Fulfillment of legal obligations
Establishment, exercise, or defense of legal claims
Archiving purposes in the public interest (blockchain)

Confirmation: You will receive a deletion confirmation via email

10.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right:

To request restriction of processing when:

- You contest the accuracy of data

- Processing is unlawful but you don't want deletion

- We no longer need data but you need it for legal claims

- You have objected (during review)

Implementation:

Data will be marked and only processed for limited purposes
Contact: mueritzphone@gmail.com

10.5 Right to Data Portability (Art. 20 GDPR)

You have the right:

To receive your data in a structured, commonly used, machine-readable format
To transmit this data to another controller

Available Data:

Off-chain data from our database
Blockchain data (publicly accessible via block explorers)

Format: JSON, CSV

How to exercise this right:

"Export Data" function in app settings
Email request: mueritzphone@gmail.com

10.6 Right to Object (Art. 21 GDPR)

You have the right:

To object to processing based on legitimate interest (Art. 6(1)(f) GDPR) for reasons arising from your particular situation

Affected:

Analytics purposes
Security processing (unless mandatory)

Exception: We can continue processing if compelling legitimate grounds override

Absolute right to object:

Direct marketing: You can ALWAYS object to processing for direct marketing

10.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right:

To withdraw granted consents at any time

Affected Consents:

Blockchain data storage (prevents future interactions, existing data remains)
Location data for Google Maps (in device settings)
Analytics cookies
Newsletter and marketing emails
Push notifications

How to withdraw:

Cookie settings: [Link to Cookie Settings]
Location permission: Device Settings > App > Permissions
Newsletter: Unsubscribe link in every email
App settings: Privacy & Consents

Important: Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)

You have the right:

Not to be subject to a decision based solely on automated processing with legal effect

Note: We do not perform automated individual decisions that legally affect you.

---

Right to Lodge a Complaint

11.1 Right to Complain to a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data.

11.2 Competent Supervisory Authorities in Germany

Federal Level:

Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Graurheindorfer Str. 153
53117 Bonn, Germany
Phone: +49 (0)228 997799-0
Fax: +49 (0)228 997799-550
Email: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de

---

State Level:

Depending on your place of residence or our company's location, the respective state data protection authority is responsible.

Examples:

Berlin:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219, 10969 Berlin
Phone: +49 (0)30 13889-0
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de

Bavaria:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18, 91522 Ansbach
Phone: +49 (0)981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

North Rhine-Westphalia:

State Commissioner for Data Protection and Freedom of Information NRW (LDI NRW)

Kavalleriestr. 2-4, 40213 Düsseldorf
Phone: +49 (0)211 38424-0
Email: poststelle@ldi.nrw.de
Website: https://www.ldi.nrw.de

Complete list of all German supervisory authorities:

https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html

11.3 EU-wide Complaint Right

You can also contact the supervisory authority in another EU member state:

List of all European data protection authorities:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

11.4 Direct Contact

Before filing a complaint, feel free to contact us directly:

Email: mueritzphone@gmail.com
We strive to resolve all privacy concerns promptly and satisfactorily

---

Security Measures

We implement comprehensive technical and organizational measures to protect your data:

12.1 Technical Measures

Encryption:

In transit: TLS/HTTPS encryption for all data transmissions
At rest: AES-256 encryption for database and backups
Wallet security: Private keys are NEVER stored or transmitted

Access Control:

Role-based access rights
Multi-factor authentication (MFA) for administrative access
Principle of least privilege
Secure API endpoints with authentication

Network Security:

Firewalls and DDoS protection (Cloudflare, Vercel)
Intrusion detection systems
Regular security updates and patches

Database Security:

Row Level Security (RLS) in Supabase
Database replication and backups
Encrypted connections

Smart Contract Security:

Audited and reviewed smart contracts
Use of OpenZeppelin standard libraries
Timelock mechanisms for critical governance functions

12.2 Organizational Measures

Data Protection Governance:

Data Protection Officer (if required)
Documented data protection policies
Record of Processing Activities (Art. 30 GDPR)

Employee Training:

Regular data protection training
Confidentiality commitments
Access rights only for authorized employees

Incident Response:

Data protection incident management
72-hour reporting obligation for data breaches (Art. 33 GDPR)
Notification procedures for affected persons

Vendor Oversight:

Review of all third-party vendors for GDPR compliance
Data Processing Agreements (DPAs) with all processors
Regular audits

Backups:

Daily encrypted backups (Supabase)
Backups in the same region (EU)
Regular recovery testing

12.3 Certifications of Our Service Providers

Supabase:

SOC 2 Type 2 (Security, Availability, Confidentiality)

Vercel:

ISO 27001:2022 (Information Security)
SOC 2 Type 2 (Security, Confidentiality, Availability)

Google (Maps):

ISO 27001, ISO 27017, ISO 27018
SOC 2/SOC 3
Various other certifications

12.4 Privacy by Design

Data Minimization:

We only collect data necessary for the respective purpose
No collection "just in case"

Pseudonymization:

Use of wallet addresses instead of real names
Hash-based analytics (Vercel)
MACI for encrypted voting

Privacy by Default:

Most privacy-friendly settings as default
Opt-in instead of opt-out for optional data processing
No pre-selected checkboxes

Off-Chain Priority:

Deletable data stored off-chain
Only the essentials on-chain

12.5 What You Can Do

Wallet Security:

Use hardware wallets for larger amounts
NEVER share your private keys or seed phrases
Use secure passwords
Enable MFA where available

Account Security:

Use secure, unique passwords
Log out from unused sessions
Regularly review your account activity

Beware of Phishing:

Verify URLs before logging in
We will NEVER ask for your private key
Be cautious with suspicious emails

12.6 Reporting Security Incidents

If you discover a security vulnerability or data protection incident:

Contact: mueritzphone@gmail.com

We take all reports seriously and investigate them promptly.

---

Changes to This Privacy Policy

13.1 Updates

We may update this Privacy Policy from time to time to reflect changes in:

Our processing activities
Legal requirements
New technologies or features
Feedback from supervisory authorities

13.2 Notification of Material Changes

For material changes:

We notify you via email (if available) at least 30 days in advance
We display a prominent notice in the app for 30 days
We obtain new consent if required (when legal bases change)

For minor changes:

We update the "Last Updated" date above
No active notification (but you should check regularly)

13.3 Version History

Previous versions of this Privacy Policy are available upon request:

Email: mueritzphone@gmail.com
Or at: [Link to version history]

13.4 Consent to Changes

By continuing to use our services after changes take effect, you agree to the updated Privacy Policy.

---

Contact

14.1 Privacy Inquiries

For general privacy questions:

Email: mueritzphone@gmail.com
Subject: "Privacy Inquiry"

For exercising your rights (access, deletion, etc.):

Email: mueritzphone@gmail.com
Subject: "GDPR Rights: [Type of Right]"

For security incidents:

Email: mueritzphone@gmail.com

14.2 Response Times

Access requests (Art. 15 GDPR): Within 1 month (extendable to 3 months for complexity)

Deletion requests (Art. 17 GDPR): Within 1 month

Other requests: We strive to respond within 7 business days

14.3 Postal Address

MüritzPhone

Hohe Straße 2

17207 Röbel/Müritz

Germany

14.4 Languages

This Privacy Policy is available in:

🇩🇪 Deutsch (legally binding version)
🇬🇧 English (translation, not legally binding)

In case of discrepancies between versions, the German version shall prevail.

---

Additional Notes

Children

Our services are not directed at persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately.

External Links

Our website may contain links to external websites. We are not responsible for their privacy practices. Please read their privacy policies.

Social Media

If we integrate social media plugins, they are only loaded after your consent (2-click solution). The platforms may collect data according to their privacy policies.

---

This Privacy Policy complies with the requirements of the GDPR (General Data Protection Regulation) and the BDSG (Federal Data Protection Act) in their current versions.

Status: January 31, 2025

Version: 1.0

---

Also available in: Deutsch

Privacy Policy

Privacy Policy

Table of Contents

Introduction

Data Controller

Personal Data We Collect

3.1 Data You Provide Directly

3.2 Automatically Collected Data

3.3 Location Data (Mobile App)

3.4 Weather Data

Purposes and Legal Bases for Processing

4.1 DAO Governance and Contract Performance

4.2 Blockchain Storage

4.3 Location-Based Services

4.4 Analytics and Service Improvement

4.5 Security and Fraud Prevention

4.6 Communication and Support

Blockchain and Immutability

5.1 Permanent Data Storage

5.2 Private Voting with MACI

5.3 On-Chain vs. Off-Chain Data Storage

5.4 Your Consent

5.5 Limitations on the Right to Erasure

Recipients and Data Sharing

6.1 Infrastructure Service Providers

6.2 Map Services

6.3 Weather Services

6.4 Mobile App Services (Expo)

6.5 Blockchain Network

6.6 Analytics and Monitoring (if applicable)

6.7 Legal Disclosures

International Data Transfers

7.1 Transfers to Third Countries

7.2 Safeguards for Data Transfers

7.3 Supabase EU Data Residency

7.4 Blockchain Data Transfers

Cookies and Tracking Technologies

8.1 What Are Cookies?

8.2 What Cookies Do We Use?

8.3 Manage Your Cookie Settings

8.4 Do Not Track (DNT)

8.5 Local Storage (LocalStorage)

Data Retention

9.1 Off-Chain Data (Supabase Database)

9.2 On-Chain Data (Blockchain)

9.3 Analytics Data

9.4 Server Logs

9.5 Cookies

9.6 Legal Retention Obligations

9.7 Early Deletion

Your Rights

10.1 Right of Access (Art. 15 GDPR)

10.2 Right to Rectification (Art. 16 GDPR)

10.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

10.4 Right to Restriction of Processing (Art. 18 GDPR)

10.5 Right to Data Portability (Art. 20 GDPR)

10.6 Right to Object (Art. 21 GDPR)

10.7 Right to Withdraw Consent (Art. 7(3) GDPR)

10.8 Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)

Right to Lodge a Complaint

11.1 Right to Complain to a Supervisory Authority

11.2 Competent Supervisory Authorities in Germany

11.3 EU-wide Complaint Right

11.4 Direct Contact

Security Measures

12.1 Technical Measures

12.2 Organizational Measures

12.3 Certifications of Our Service Providers

12.4 Privacy by Design

12.5 What You Can Do

12.6 Reporting Security Incidents

Changes to This Privacy Policy

13.1 Updates

13.2 Notification of Material Changes

13.3 Version History

13.4 Consent to Changes

Contact

14.1 Privacy Inquiries

14.2 Response Times

14.3 Postal Address