Data Protection

This Data Protection Policy (“Policy”) sets forth how the BlockAura community and its custodians (collectively, “we” or “us”) handle the collection, processing, storage, transfer, and deletion of personal and non-personal data in connection with BlockAura Classic and BlockAura Eternity tokens and the broader BlockAura ecosystem (the “Platform”). As a fully decentralized, open-source blockchain protocol, we strive to exceed global data privacy standards, including GDPR, CCPA, and other applicable laws.

1. Purpose and Scope

1.1 Objective: Define roles, responsibilities, technical and organizational measures, and user rights related to data protection.

1.2 Scope: Applies to all data processed by community custodians, third-party processors, smart contracts, websites, applications, forums, mailing lists, and any other Platform-related services.

1.3 Legal Frameworks: Designed to comply with:

  • EU General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
  • UK Data Protection Act 2018
  • Applicable data protection laws globally

2. Definitions

  • “Personal Data”: Information relating to an identified or identifiable natural person.
  • “Processing”: Any operation involving personal data (collection, storage, use, disclosure, deletion).
  • “Data Subject”: An individual whose personal data is processed.
  • “Controller”: Entity determining the purposes and means of processing (community custodians collectively).
  • “Processor”: Third-party service provider processing data on behalf of the Controller.
  • “Data Protection Officer” (DPO): Community-appointed role responsible for overseeing data protection compliance.
  • “Sensitive Data”: Special categories of personal data requiring heightened protection.

3. Data Protection Principles

We adhere to the following principles:

  1. Lawfulness, Fairness, and Transparency: Process personal data lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Collect data for specified, explicit, and legitimate purposes only.
  3. Data Minimization: Ensure data collected is adequate, relevant, and limited to what is necessary.
  4. Accuracy: Keep personal data accurate and up to date; rectify inaccuracies without undue delay.
  5. Storage Limitation: Retain data only for as long as necessary for intended purposes.
  6. Integrity and Confidentiality: Process data in a way that ensures security, including protection against unauthorized or unlawful processing and accidental loss.
  7. Accountability: Demonstrate compliance with these principles through documentation and oversight.

4. Roles and Responsibilities

4.1 Data Protection Officer (DPO)

  • Monitor compliance with this Policy and applicable laws.
  • Conduct regular data protection impact assessments (DPIAs).
  • Act as point of contact for Data Subjects and regulatory authorities.

4.2 Community Custodians (Controllers)

  • Determine lawful basis for processing.
  • Oversee selection and management of Processors.
  • Ensure contracts include appropriate data protection obligations.

4.3 Processors

  • Process data only on documented instructions from Controllers.
  • Implement technical and organizational security measures.
  • Notify Controllers of data breaches without undue delay.

4.4 Data Subjects

  • Exercise rights to access, rectify, erase, restrict, port, or object to processing.
  • Provide accurate and current personal data where required.

5. Lawful Bases for Processing

We rely on one or more lawful bases for processing personal data, including:

  • Consent: Explicit opt-in consent for non-essential communications and services.
  • Contract Performance: Necessary to fulfill contractual obligations (e.g., governance participation).
  • Legal Obligation: Compliance with laws, court orders, or regulatory requirements.
  • Legitimate Interests: Balancing community interests in security, network integrity, and service improvement with individual rights.

6. Categories of Data Processed

6.1 Personal Data

  • Contact details: name, email address, organization.
  • Forum profile: username, avatar, biographical information.
  • Governance participation records linked to addresses.

6.2 Technical Data

  • IP addresses.
  • Device identifiers, browser metadata.
  • On-chain wallet addresses (public ledger).

6.3 Sensitive Data

  • Not intentionally collected. If inadvertently processed, we treat it as high risk and delete it unless retention is legally required.

7. Data Subject Rights and Requests

7.1 Right of Access

You may request confirmation and a copy of personal data processed.

7.2 Right to Rectification

You may request correction of inaccurate or incomplete data.

7.3 Right to Erasure (Right to be Forgotten)

Subject to legal retention obligations, you may request deletion of personal data.

7.4 Right to Restrict Processing

You may request limitation of processing under certain conditions.

7.5 Right to Data Portability

You may request transfer of personal data in a structured, commonly used format.

7.6 Right to Object

You may object to processing based on legitimate interests or direct marketing.

7.7 Withdrawal of Consent

You may withdraw consent at any time; this does not affect prior lawful processing.

7.8 Exercise of Rights

Submit requests to the DPO at info@blockaura.example. We respond within 30 days, extendable by 60 days for complex requests.

8. Data Transfers and International Processing

  1. Cross-Border Transfers: Transfers outside the EEA or other jurisdictions are protected by appropriate safeguards (e.g., Standard Contractual Clauses).
  2. Decentralized Nodes: On-chain data is globally distributed; we ensure no personal data beyond public ledger entries is distributed without controls.
  3. Vendor Transfers: Third-party processors in various regions abide by this Policy and contractual data protection terms.

9. Technical and Organizational Security Measures

  1. Encryption: Data at rest and in transit is encrypted using industry standards (TLS, AES-256).
  2. Access Controls: Role-based access, multi-factor authentication for custodians and processors.
  3. Audit Trails: Logging and monitoring of data access and processing activities.
  4. Data Segregation: Separation of personal data from public on-chain data.
  5. Incident Management: Defined procedures for breach detection, response, and notification.
  6. Regular Audits: Periodic reviews, vulnerability assessments, and penetration testing.

10. Data Breach Notification

  1. Detection: Custodians and processors monitor for breaches.
  2. Notification Timeline: Notify DPO and regulatory authorities within 72 hours of awareness.
  3. Data Subject Notification: Inform affected individuals without undue delay if the breach poses a high risk.
  4. Documentation: Maintain records of breach details, impact assessments, and remediation steps.

11. Data Retention and Disposal

  1. Retention Schedules: Maintain personal data only for required durations (e.g., forum data: 24 months of inactivity; backups: 36 months).
  2. Archival: Encrypted archives for legal compliance; subject to secure access controls.
  3. Secure Disposal: Permanent deletion or irreversible anonymization when retention period expires.

12. Data Protection Impact Assessments (DPIAs)

  1. Trigger Events: New services, large-scale processing, use of new technologies.
  2. Assessment Steps: Identify risks, evaluate necessity, and implement mitigation measures.
  3. Documentation: Report findings to the community and update this Policy as needed.

13. Training and Awareness

  1. Community Workshops: Regular virtual training on data protection and security.
  2. Guidelines: Published best practices for custodians, contributors, and Users.
  3. Updates: Ongoing communications about policy changes and emerging threats.

14. Governance and Oversight

  1. Policy Review: Annual review by DPO and community custodians.
  2. Community Audits: Open-source audit reports published publicly.
  3. Escalation Path: Defined escalation for unresolved issues, including community votes.

15. Third-Party Processors

  1. Due Diligence: Vetting of vendors for compliance and security.
  2. Contracts: Standard contractual clauses and data processing agreements.
  3. Monitoring: Regular reviews and audits of processor practices.

16. Special Considerations

  1. On-Chain Governance Data: Public by design; no expectation of privacy.
  2. Anonymization Techniques: Use of cryptographic mixers or hashing for optional anonymized analytics.
  3. Pseudonymization: Where feasible, replace identifiers with pseudonymous tokens.

17. Interaction with Other Policies

This Policy complements and should be read alongside:

  • BlockAura Privacy Policy
  • BlockAura Cookie Policy
  • BlockAura General Disclaimer
  • BlockAura Terms of Use

18. Jurisdictional Addenda

  1. EU: Explicit compliance with GDPR Articles 12–23.
  2. California: CCPA/CPRA rights, privacy notices, Do Not Sell My Info link (not applicable—no sale).
  3. UK: Data Protection Act 2018 and UK GDPR alignment.
  4. Australia: Privacy Act 1988 and APP principles.
  5. Other Regions: References to applicable local data protection laws.

19. Amendments and Updates

  1. Community Governance: Material changes require on-chain proposal and vote.
  2. Notification: Updates published on official channels with new Effective Date.
  3. Version Control: Maintain changelog publicly in repository.

20. Contact and Complaints

For inquiries, data subject requests, or to lodge complaints:

  • Data Protection Officer: info@blockaura.example

Copyright © 2019-2024 BlockAura. All Rights Reserved
