Privacy Policy

This privacy policy (“Policy”) informs you (“your”, “user” or “data subject”) about how the IOTA Ecosystem DLT Foundation (“DLT Foundation”, “we”, “us” or “our”) processes your personal data when you visit our website and when you contact us. Moreover, this privacy policy informs you about your rights.

The DLT Foundation is a distributed ledger technology foundation based in the Abu Dhabi Global Market (ADGM) in Abu Dhabi, United Arab Emirates. We are committed to the highest level of integrity in dealing with our users, employees, collaborators, and other business partners, in accordance with applicable data protection laws, including the ADGM Data Protection Regulations 2021 (“Data Protection Regulations”).

When you are using our website or requesting information from us, we may collect, process and/or use your Personal Data, as defined below, in accordance with this Policy. Further, we may either receive your Personal Data directly from you when you send us e-mails or otherwise provide your Personal Data in the course of other interactions with us, or indirectly from third parties who legally provide your Personal Data to us.

We use a combination of cloud servers and physical servers located in the EU to process the data. In case of any data stored on servers outside EU/EEA, in jurisdictions where the standards of data protection may be lower than in the EU/EEA, all appropriate contractual and organizational measures are taken to ensure that the data is treated in accordance with applicable requirements.

This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in applicable law. We encourage you to read this Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Policy. Your continued use of our Services or website constitutes your agreement to be bound by this Policy, as amended or updated from time to time.

I. Contact details of the controller

IOTA Ecosystem DLT Foundation

Office 611, 6th Floor
Al Khatem Tower
Abu Dhabi Global Market Square,
Al Maryah Island
Abu Dhabi
United Arab Emirates

Email: legal@iotadlt.foundation

II. General information on data processing

1. Extent of the processing of personal data

As a matter of principle, we process personal data of our users only to the extent that this is necessary for the provision of a functional website including our content and services. The processing of personal data of our users is regularly carried out only with the consent of the user. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.

2. Legal basis for the processing of personal data

Insofar as we obtain your consent for processing activities involving personal data, Section 5(1)(a) of the Data Protection Regulations serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Section 5(1)(b) of the Data Protection Regulations serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. Insofar as processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject, Section 5(1)(c) of the Data Protection Regulations serves as the legal basis. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Section 5(1)(d) of the Data Protection Regulations serves as the legal basis. If the processing is necessary to protect a legitimate interest of our foundation or a third party and the interests of the data subject do not override the first-mentioned interest, Section 5(1)(f) of the Data Protection Regulations serves as the legal basis for the processing.

3. Data erasure and storage period

Your personal data will be erased or restricted as soon as the purpose of storage no longer applies. We may store your data for longer if the data is subject to a statutory retention period or other regulations or an order from a competent public authority we are subject to. The data will then be erased or restricted if the statutory retention period or official order expires, unless there is a need for further storage of the data for the conclusion or performance of a contract. We may also store the data longer if it is necessary for the establishment, exercise or defense of legal claims.

4. Storage of your IP address

We store the IP address transmitted by your web browser for a period of seven (7) days, strictly for the purpose of identifying, restricting and eliminating attacks on our website. After seven (7) days, we delete or anonymize your IP address. The legal basis for the processing of this personal data is provided for in Section 5(1)(f) of the Data Protection Regulations.

III. Providing the website and creating log files

When you visit our website, data like

  • the page, from which the data is requested,
  • the name of the data file,
  • the date and time of the query,
  • the amount of data transferred,
  • the access status (file transmitted, file not found),
  • a description of the type of browser used and the IP address of the requesting computer (shortened to such an extent that no re identification of any persona data is possible),

can be collected.

The data collected from the use of the website is temporarily stored on our web server for statistical purposes in order to improve the quality of our website.

Data is processed on the basis of Section 5(1)(f) of the Data Protection Regulations. We use this information to enable our website to be called, to control and administer our systems, and to improve the design of our website. Your data is deleted as soon as the information is no longer required. It is not passed on to any third party.

You have the right to object to processing of your data. You can find more details in the section “Your rights as a user” below. As a result, personal user profiles cannot be created. Data on persons or their individual behavior is not collected.

IV. Email contact

You can contact us via the Email address provided. In this case you provide us with personal data like your name and your email address. You may provide us with further information, but you are not obligated to do so. The legal basis for processing is Section 5(1)(b) of the Data Protection Regulations. We use your data exclusively for the processing of your request. Your data will be deleted, as soon as it is no longer necessary for the initial purpose and will not be transmitted to third parties.

V. Cookies

We use cookies on our website. Cookies are small pieces of data that are stored and read in your end-device. A distinction is made between session cookies, which are deleted when you close your browser, and permanent cookies, which are stored even after your visit has expired. Cookies may contain data that enables the recognition of the device being used. However, in some cases cookies only contain information on certain settings which are not personal data.

We use session cookies and permanent cookies on our website. The data is processed in accordance with Section 5(1)(a) of the Data Protection Regulations, your consent.

Please be aware that you can set your browser to inform you when cookies are being stored or used on the website you are visiting. Thus, any use of cookies is transparent to you.

For more Information, please refer to our Cookie Policy.

VI. Web Analytics

We use the software tool Google Analytics on our website to analyze the surfing behavior of our users. The software sets a cookie on your computer.

Google Analytics does not log or store individual IP addresses. It provides coarse geo-location data by deriving the following metadata from IP addresses: City (and the derived latitude, and longitude of the city), Continent, Country, Region, Subcontinent (and ID-based counterparts). For EU-based traffic, IP-address data is used solely for geo-location data derivation before being immediately discarded. It is not logged, accessible, or used for any additional use cases. When Analytics collects measurement data, all IP lookups are performed on EU-based servers before forwarding traffic to Analytics servers for processing.

For more information, please refer to the data protection and privacy statement of Google Analytics.

When accessing our website, you are informed about the use of cookies for analysis purposes and your consent to the processing of personal data used in this context is obtained. In this context, a reference to this privacy policy is also made. The legal basis for the processing of personal data using cookies for analysis purposes is Section 5(1)(a) of the Data Protection Regulations.

The analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimize our offer. The processing of your personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness.

Cookies are stored on your computer and transmitted from it to our site. Therefore, you also have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full. The collected data is stored in the log files of Google Analytics. IP addresses are not associated with data collected by analytics services. The storing period for the log files is limited to fourteen (14) days.

VII. Your rights as a user

If your personal data is processed, you are a data subject within the meaning of the ADGM Data Protection Regulations and you have the following rights towards the controller:

1. Right of access (Section 13 Data Protection Regulations)

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If there is such processing, you may request access from the controller to the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Sections 20(1) and 20(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Right to rectification (Section 14 Data Protection Regulations)

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning yourself.

3. Right to restriction of processing (Section 16 Data Protection Regulations)

You may request the restriction of the processing of personal data concerning you under the following conditions:

  1. if you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
  2. if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. if the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
  4. You have objected pursuant to Section 19(1) of the Data Protection Regulations pending the verification whether the legitimate grounds of the controller override yours.

Where processing of personal data relating to you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. If the restriction of processing has been applied in accordance with the above-mentioned conditions, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure (Section 15 Data Protection Regulations)
1. Obligation to erase

You may obtain from the controller the erasure without undue delay of personal data concerning you, and the controller shall have the obligation to erase such data without undue delay, if one of the following reasons applies:

  1. the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. you withdraw consent on which the processing is based according to section 5(1)(a) or 7(2)(a), and where there is no other legal ground for the processing;
  3. you object to the processing pursuant to section 19(1)and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to section 19(3);
  4. the personal data concerning you have been unlawfully processed; or
  5. the personal data concerning you has to be erased for compliance with a legal obligation in applicable law to which the controller is subject.
2. Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it according to section 15(1) of the Data Protection Regulations, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested them to erase all links to, or copies or replications of, that personal data.

3. Exceptions

The right to erasure shall not apply insofar as the processing is necessary:

  1. for compliance with a legal obligation which requires processing under applicable law to which the controller is subject or for the performance of a task carried out by a public authority or in the exercise of official authority vested in the controller
  2. for reasons of public interest in the area of public health in accordance with sections 7(2)(d) and 7(2)(e) of the Data Protection Regulations
  3. for archiving and research purposes to the extent that the right referred to in section 15(1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  4. for the establishment, exercise or defense of legal claims.
5. Right to information (Sections 10, 11, 12 Data Protection Regulations)

You have a right to receive clear, transparent and easily understandable information about your rights and how we use your personal data. That is why we are providing you with the information in this Policy.

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, in accordance with Section 17 of the Data Protection Regulations, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed of these recipients by the controller.

6. Right to data portability (Section 18 Data Protection Regulations)

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data has been provided, if

  1. the processing is based on consent pursuant to Section 5(1)(a) of the Data Protection Regulations and
  2. the processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.  Right of objection (Section 19 Data Protection Regulations)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of sections 5(1)(e) and 5(1)(f); this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the possibility, in connection with the use of information society services, to exercise your right to object by means of automated procedures using technical specifications.

8. Right to withdraw the declaration of consent (Section 6(7) Data Protection Regulations)

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.

9. Automated individual decision-making, including profiling (Section 20 Data Protection Regulations)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision:

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is based on your explicit consent; or
  3. is required or authorized by applicable law (including for fraud prevention, anti-money laundering and security and integrity purposes) and in respect of which (i) the controller has, as soon as reasonably practicable, notified the you in writing that a decision has been taken based solely on automated processing; and (ii) you have not, before the end of a period of 1 month beginning with the receipt of the notification, requested the controller to either reconsider the decision or take a new decision that is not based solely on automated decision making.

However, these decisions must not be based on special categories of personal data unless section 7(2)(a) or 7(2)(k) applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

10.  Right to lodge a complaint with the supervisory authority (Section 57 Data Protection Regulations)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority, the Commissioner of Data Protection, if you consider that the processing of personal data concerning you infringes the Data Protection Regulations.

The supervisory authority will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Section 58 of the Data Protection Regulations.