Privacy Policy

Last updated on August 05, 2019

 

We are delighted that you have chosen to use our App or visit our website. We take our data protection responsibilities with the utmost seriousness and we have designed our website so that you may navigate and use our website without having to provide Personal Data.

This Policy sets out what Personal Data we collect, how we process it and how long we retain it. This Policy applies to all of our processing activities where we act as a data controller.

In this policy, "we", "us" and "our" refer to Gnosis Limited, a company incorporated in Gibraltar with its registered address at World Trade Center, 6 Bayside Rd, Gibraltar.

For more information about us, see the Contact Us section of this policy.

In this Policy, “personal data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.

In this Policy, “processing” means any operation or set of operations which is performed on personal data (as defined in this Privacy Policy) or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

1.         Navigating this Policy

 

If you are viewing this policy online, you can click on the below links to jump to the relevant section:

Your information and the Blockchain

How We Use Personal Data

Use of Third Party Applications

Sharing Your Personal Data

Transferring Your data outside of the EU

Existence of Automated Decision-making

Data Security

Your Rights as a Data Subject

Storing Personal Data

Changes to this Privacy Policy

Our details

2.     Your information and the Blockchain

 

Blockchain technology, also known as distributed ledger technology (or simply ‘DLT’), is at the core of our business. Blockchains are decentralized and made up of digitally recorded data in a chain of packages called ‘blocks’. The manner in which these blocks are linked is chronological, meaning that the data is very difficult to alter once recorded. Since the ledger may be distributed all over the world (across several ‘nodes’ which usually replicate the ledger) this means there is no single person making decisions or otherwise administering the system (such as an operator of a cloud computing system), and that there is no centralized place where it is located either.

 

Accordingly, by design, a blockchain’s records cannot be changed or deleted and are said to be ‘immutable’. This may affect your ability to exercise your rights such as your right to erasure (‘right to be forgotten’), or your rights to object or restrict processing, of your personal data. Data on the blockchain cannot be erased and cannot be changed. Although smart contracts may be used to revoke certain access rights, and some content may be made invisible to others, it is not deleted.

 

In certain circumstances, in order to comply with our contractual obligations to you (such as delivery of tokens) it will be necessary to write certain personal data, such as your Ethereum or other cryptocurrency wallet address, onto the blockchain; this is done through a smart contract and requires you to execute such transactions using your wallet’s private key.

 

In most cases, ultimate decisions to (i) transact on the blockchain using your Ethereum or other cryptocurrency wallet address, as well as (ii) share the public key relating to your Ethereum or other cryptocurrency wallet address with anyone (including us) rest with you.

 

IF YOU WANT TO ENSURE YOUR PRIVACY RIGHTS ARE NOT AFFECTED IN ANY WAY, YOU SHOULD NOT TRANSACT ON BLOCKCHAINS AS CERTAIN RIGHTS MAY NOT BE FULLY AVAILABLE OR EXERCISABLE BY YOU OR US DUE TO THE TECHNOLOGICAL INFRASTRUCTURE OF THE BLOCKCHAIN.

IN PARTICULAR, THE BLOCKCHAIN IS AVAILABLE TO THE PUBLIC AND ANY PERSONAL DATA SHARED ON THE BLOCKCHAIN WILL BECOME PUBLICLY AVAILABLE.

 

 

3.     How We Use Personal Data

 

3.1.   When visiting our website

 

We may collect and process Personal Data about your use of our website. This data may include:

 

i.     the browser types and versions used;

ii.    the operating system used by the accessing system;

iii.   the website from which an accessing system reaches our website (so-called referrers);

iv.    behaviour: subpage, duration, and revisit;

v.     the date and time of access to our website;

vi.    the Internet protocol address (“IP address”);

vii.   the Internet service provider of the accessing system; and

viii.  any other similar data and information that may be used in the event of attacks on our information technology systems.

This data may be processed in order to deliver the content of our website correctly, to optimize the content of our website, to ensure the long-term viability of our information technology systems and website technology, and to provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.

The legal basis for this processing is our legitimate business interests, namely monitoring and improving our website and the proper protection of our business against risks, and your consent when agreeing to accept cookies.

 

3.2.   When using the Safe App or the browser extension

 

When using the Safe App or the browser extension we may collect and process personal data. The data will be stored in different instances.

a) On the Ethereum blockchain the following data will be stored:

i.     your smart contract address of the Safe;

ii.    addresses of externally owned accounts;

iii.   transactions made with the Safe; and

iv.    ETH and token balance.

The data is needed to create the user’s Safe and enable the user to make use of the app. The Gnosis Safe is a multi-signature wallet. Thus, the externally owned accounts are needed to confirm a transaction before it is executed.

 

The legal basis for this processing is that it is necessary to fulfil a contract with you.

 

The data will be stored on the Ethereum Blockchain. Given the technological design of the blockchain, as explained in section 2, this data will become public and it will not likely be possible to delete or change the data at any given time.

 

b) In our Amazon Webserver we will store the following data:

 

i.     your smart contract address of the Safe;

ii.    addresses of externally owned accounts; and

iii.   transactions made with the Safe.

 

The legal basis for this processing is that it is necessary to fulfil a contract with you.

 

c) Log Data

i.     your smart contract address of the Safe;

ii.    the Internet protocol address (“IP address”); and

iii.   transaction ID/hash.

 

We need this data to be able to debug issues and provide support for our application.

The legal basis for this processing is that it is necessary to fulfil a contract with you.

 

 

3.3.   When Participating in User Experience Research (UXR)

When you participate in our user experience research we may collect and process some personal data. This data may include:

i.     your name;

ii.    your email;

iii.   your phone type;

iv.    your occupation.

In addition, we may take a recording of you while testing the Safe for internal and external use.

The basis for this collection and processing is our legitimate business interest in monitoring and improving our services.

The legal basis for this processing is your consent as provided before participating in user experience research.

3.4   When registering for the email notification service

We may collect and process Personal Data that you provide to us for the purpose of subscribing to our email notification service. This data may include:

i.     your email address;

ii.    the date and time of registration;

iii.   your IP address.

This data is collected and processed for the purpose of sending you XXXX.

The legal basis for this processing is your consent as provided in the double opt-in confirmation part of our sign-up process. Your email address will be stored as long as we have the consent to send you a notification email.

3.5   When receiving the email notification

If you have subscribed to our email notification service, each time you receive an email notification from us, we may collect and process Personal Data. This data may include:

i.     the date and time you opened the email;

ii.    what (if any) links or URLs you accessed from our newsletter;

iii.   the location it was accessed from.

This data is collected and processed for the purpose of improving the content of our email notification service.

The legal basis for this processing is your consent as provided in the double opt-in confirmation part of our sign-up process.

3.6    Other uses of your Personal Data

We may process any of your Personal Data where it is necessary to establish, exercise, or defend legal claims. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

 

Further, we may process your Personal Data where such processing is necessary in order for us to comply with a legal obligation to which we are subject. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights.

 

4.     Use of Third Party Applications

 

4.1.   Ethereum Blockchain

When using the Gnosis Safe, your smart contract address, the transactions made with the Safe, addresses of externally owned accounts and ETH balances and token balances will be stored on the Ethereum blockchain. See section 2 of this Policy.

The information will be displayed permanently and publicly; this is part of the nature of the blockchain.

If you are new to this field, we highly recommend informing yourself about blockchain technology before using our services.

 

4.2.   Amazon Webserver

We use the Amazon Web Server (AWS) to store log and database data as described in section 3.2.

For further information and the applicable data protection provisions of AWS please visit

https://aws.amazon.com/privacy/?nc1=f_pr .

 

 

4.3.   Appstore /Playstore/Chrome Webstore

Apple and Google most likely track user behavior when downloading apps from their stores as well as when using apps. We (Gnosis) only have very limited access to that data. We can view aggregated statistics on installs and uninstalls. Grouping by device type, app version, language, carrier and country is possible.

https://www.apple.com/legal/privacy/en-ww/

https://policies.google.com/privacy

 

 

4.4.   Fingerprint/Touch ID/ Face ID

We enable the user to unlock the Safe mobile app via fingerprint/ touch ID (Android and iOS) and Face ID (iPhone X). This is a feature of the operating system. We do not store any of this data. Instead, a proprietary API of the operating system is used to validate the user input.

If you have any further questions regarding fingerprint/ touch ID/ face ID you should consult with your preferred mobile device provider or manufacturer.

 

4.5.   Firebase

We use Firebase in order to be able to create reports and user funnels to understand possible issues of our app that might impair user experience. We also need to access this information to track the success of our product. The data is collected and stored by Firebase.

The total data collected by Firebase is compiled under the following link:

https://support.google.com/firebase/answer/6317486?hl=en

Additionally, we enabled the following Firebase products:

 

Each entry lists the Firebase service, the personal data it uses, and how the data helps to provide the service.

Firebase Crash Reporting

Personal data: Instance IDs; Crash traces

How it helps: Crash Reporting uses crash stack traces to associate crashes with a project, send email alerts to project members and display them in the Firebase Console, and help Firebase customers debug crashes. It uses Instance IDs to measure number of users impacted by a crash.

Retention: Crash Reporting retains crash stack traces for 180 days. Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Cloud Messaging

Personal data: Instance IDs

How it helps: Firebase Cloud Messaging uses Instance IDs to determine which devices to deliver messages to.

Retention: Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Google Analytics for Firebase

Personal data: Mobile ad IDs; IDFVs/Android IDs; Instance IDs; Analytics App Instance IDs

https://support.google.com/firebase/answer/6318039

How it helps: Google Analytics uses the data to provide analytics and attribution information. The precise information collected can vary by the device and environment. For more information see Data collection.

Retention: Google Analytics retains ID-associated data for 60 days, and retains aggregate reporting and campaign data without automatic expiration, unless the Firebase customer changes their retention preference in their Analytics settings or deletes their project.

Firebase Remote Config

Personal data: Instance IDs

How it helps: Remote Config uses Instance IDs to select configuration values to return to end-user devices.

Retention: Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

 

For further information and the applicable data protection provisions of Firebase please visit

https://firebase.google.com/support/privacy/

 

4.6.   Fabric.io

In order to be able to notice, debug and fix bugs/crashes of the Gnosis Safe app which might impair user experience, we use Fabric.

For further information and the applicable data protection provisions of Fabric please visit

https://get.fabric.io/

https://fabric.io/kits/ios/crashlytics

 

In particular, we use Crashlytics to monitor the performance and any malfunction of the app.

The Services may automatically collect certain information that does not personally identify users who access or use mobile applications that use Crashlytics. This information includes, but is not limited to, the user’s Safe wallet address, device state information, unique device identifiers, device hardware and OS information, information relating to how an application functions, and the physical location of a device at the time of a crash.

For further information and the applicable data protection provisions of Fabric please visit

https://fabric.io/terms

 

4.7.   Transmitting Social Media Links

At the end of our website we link to our social media profiles. Those services might also collect Personal Data. Please refer to their privacy policies for more information.

 

Facebook: https://www.facebook.com/policy.php

Twitter: https://twitter.com/de/privacy

Reddit: https://www.redditinc.com/policies/privacy-policy

Medium: https://medium.com/policy/medium-privacy-policy-f03bf92035c9

4.8.   Telegram

In order to provide user support we created a group on Telegram (https://telegram.org) to facilitate the resolution of any questions and concerns should these arise.

By accepting this Privacy Policy, you are deemed to consent to providing the following Personal Data to persons looking to resolve any dispute:

  1. Name and surname;
  2. Used wallet address;
  3. Detailed enquiry description;
  4. The date and time that the issue arose;
  5. The outcome sought.

Please note that Telegram may use and/or collect your Personal Data. Thus, we recommend viewing Telegram’s Privacy Policy at the following link on a periodic basis: https://telegram.org/privacy

4.9.   Gitter

In order to provide user support we created a group on Gitter (https://gitter.im) to facilitate the resolution of any questions and concerns should these arise.

By accepting this Privacy Policy, you are deemed to consent to providing the following Personal Data to persons looking to resolve any dispute:

  1. Name and surname;
  2. Used wallet address;
  3. Detailed enquiry description;
  4. The date and time that the issue arose;
  5. The outcome sought.

Gitter is owned and operated by GitLab (https://gitlab.com). Please note that GitLab may use and/or collect your Personal Data. Thus, we recommend viewing GitLab’s Privacy Policy at the following link on a periodic basis: https://about.gitlab.com/privacy/

        

4.10.   Mailchimp

We use Mailchimp (https://mailchimp.com/) for our email notification service to subscribers. Mailchimp allows us to prepare customized emails and manage our subscribers.

We do not store any information collected by Mailchimp. Mailchimp’s privacy policy is available at https://mailchimp.com/legal/privacy .

Mailchimp’s purpose and function is further explained under the following link: https://mailchimp.com/ 

4.11.   Nolt.io

We are collecting user feedback via https://safe.nolt.io/.

We do not collect or store any personal data collected via nolt.io. Nolt’s privacy policy is available at https://nolt.io/legal#privacy .

Nolt’s purpose and function is further explained under the following link: https://nolt.io/legal

4.12.   Dovetail

We are using Dovetail (https://dovetailapp.com/) for collecting user research notes.

We do not store any information collected by Dovetail. Dovetail’s privacy policy is available at https://dovetailapp.com/security/ .

Dovetail’s purpose and function is further explained under the following link: https://dovetailapp.com/ 

5.         Sharing Your Personal Data

We may pass your information to our Business Partners, administration centres, third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing our services to you.

In addition, when we use any other third-party service providers, we will disclose only the personal information that is necessary to deliver the service required and we will ensure that they keep your information secure and do not use it for their own direct marketing purposes.

In addition, we may transfer your personal information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganisation, or if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected.

 

 

6.     Transferring Your data outside of the EU

The data mentioned in section 3.2 b) and c) will be stored in our Amazon Web Server, which is based in the US. Amazon is certified under the EU-US Privacy Shield.

Fabric.io and Firebase are part of Google LLC, which is based in the US. Google is certified under the EU-US Privacy Shield.

However, when interacting with the blockchain, as explained above in this Policy, the blockchain is a global decentralized public network and accordingly any personal data written onto the blockchain may be transferred and stored across the globe.

 

7.         Existence of Automated Decision-making

We do not use automatic decision-making or profiling when processing Personal Data.

 

 

8.         Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

9.         Your Rights as a Data Subject

You have certain rights under applicable legislation, and in particular under Regulation EU 2016/679 (General Data Protection Regulation or ‘GDPR’). We explain these below. You can find out more about the GDPR and your rights by accessing the European Commission’s website.

 

Right to information and access

You have a right to be informed about the processing of your personal data (and if you did not give it to us, information as to the source) and this Privacy Policy intends to provide the information. Of course, if you have any further questions you can contact us on the above details.

 

Right to rectification

You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed. You may also request that we restrict the processing of that information.

The accuracy of your information is important to us. If you do not want us to use your Personal Information in the manner set out in this Privacy Policy, or need to advise us of any changes to your personal information, or would like any more information about the way in which we collect and use your Personal Information, please contact us at the above details.

 

Right to erasure (right to be ‘forgotten’)

You have the general right to request the erasure of your personal information in the following circumstances:

 

However, when interacting with the blockchain we may not be able to ensure that your personal data is deleted. This is because the blockchain is a public decentralized network and blockchain technology does not generally allow for data to be deleted and your right to erasure may not be able to be fully enforced. In these circumstances we will only be able to ensure that all personal data that is held by us is permanently deleted.

We will proceed to comply with an erasure request without delay unless continued retention is necessary for:

 

Right to restrict processing and right to object to processing

You have a right to restrict processing of your personal information, such as where:

 

 

You also have the right to object to processing of your personal information under certain circumstances, such as where the processing is based on your consent and you withdraw that consent. This may impact the services we can provide and we will explain this to you if you decide to exercise this right.

However, when interacting with the blockchain, as it is a public decentralized network, we will likely not be able to prevent external parties from processing any personal data which has been written onto the blockchain. In these circumstances we will use our reasonable endeavours to ensure that all processing of personal data held by us is restricted; notwithstanding this, your right to restrict processing may not be able to be fully enforced.

 

Right to data portability

Where the legal basis for our processing is your consent or the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, you have a right to receive the personal information you provided to us in a structured, commonly used and machine-readable format, or ask us to send it to another person.

 

Right to freedom from automated decision-making

As explained above, we do not use automated decision-making, but where any automated decision-making takes place, you have the right in this case to express your point of view and to contest the decision, as well as request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers.

 

Right to object to direct marketing (‘opting out’)

You have a choice about whether or not you wish to receive information from us.

We will not contact you for marketing purposes unless:

 

 

You can change your marketing preferences at any time by contacting us on the above details. On each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your personal data for marketing purposes (known as ‘opting-out’) by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data. You may also opt-out at any time by contacting us on the below details.

Please note that any administrative or service-related communications (to offer our services, or notify you of an update to this Privacy Policy or applicable terms of business, etc.) will solely be directed at our clients or business partners, and such communications generally do not offer an option to unsubscribe as they are necessary to provide the services requested. Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you.

 

Right to request access

You also have a right to access information we hold about you. We are happy to provide you with details of your Personal Information that we hold or process. To protect your personal information, we follow set storage and disclosure procedures, which mean that we will require proof of identity from you prior to disclosing such information. You can exercise this right at any time by contacting us on the above details.

 

Right to withdraw consent

Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time by contacting us on the above details.

 

Raising a complaint about how we have handled your personal data

If you wish to raise a complaint on how we have handled your personal data, you can contact us as set out above and we will then investigate the matter.

 

Right to lodge a complaint with a relevant supervisory authority

If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Data Protection Commissioner under the Data Protection Act, which is presently the Gibraltar Regulatory Authority (GRA). You may contact the GRA on the below details:

 

Gibraltar Data Protection Commissioner

Gibraltar Regulatory Authority

2nd Floor, Eurotowers 4

1 Europort Road

Gibraltar

Email: info@gra.gi

Phone: (+350) 200 74636

Fax: (+350) 200 72166

 

You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place, if that is based in the EEA.

 

10.  Storing Personal Data

 

We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this policy.

However, we may retain your Personal Data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

 

11.  Changes to this Privacy Policy

We may make changes to this Policy from time to time. Where we do so, we will notify those who have a business relationship with us or who are subscribed to our emailing lists directly of the changes, and change the ‘Last updated’ date above. We encourage you to review the Policy whenever you access or use our website to stay informed about our information practices and the choices available to you. If you do not agree to the revised Policy, you should discontinue your use of this website.

 

12.  Our details

This website is owned and operated by Gnosis Limited.

We are registered in Gibraltar under registration number 115571, and our registered office is located at:

You can contact us via:

 

Gnosis Limited

World Trade Center

6 Bayside Rd,

GX111AA Gibraltar

                

If you have any queries concerning your rights under this Privacy Policy, please contact us at dataprotection@gnosis.pm .