PRIVACY POLICY

Last Updated: 2025-11-27

This Privacy Policy ("Policy") describes how I, a PRIVATE CITIZEN acting as a volunteer ("I"), collect, use, process, and protect your personal data when you use my digital asset management service (the "Service") available at stellarprune.com.

This Policy complies with the EU General Data Protection Regulation (GDPR) 2016/679, the Finnish Data Protection Act (1050/2018), and other applicable data protection laws.

1. Data Controller

@maattssoonn (private citizen acting as a volunteer)

Email: [email protected]

I am the data controller responsible for your personal data.

2. Personal Data I Collect

2.1 Data You Provide Directly

Email Address: I collect your email address when you request access to the Service. Your email address is used for identity verification and to send you transaction logs.

Stellar Public Key (G-Address): When you use the Service, I record your Stellar blockchain public key. Public keys are publicly visible on the Stellar blockchain and are not considered confidential.

2.2 Data I Collect Automatically

IP Address: I collect your IP address for rate limiting, fraud prevention, and security monitoring.

Transaction Data: I record details of blockchain transactions you execute using the Service, including:

  • Transaction hashes (publicly visible on the Stellar blockchain)
  • Digital assets processed
  • Transaction amounts and blockchain fees
  • Transaction timestamps
  • Transaction success/failure status

Technical Data: I collect device and browser information (user agent strings) for security event logging.

Security Events: I log security-relevant events such as:

  • Verification code requests
  • Secret key entry events (I do NOT log the secret key itself)
  • Portfolio fetch operations
  • Session lifecycle events
  • Acceptance of terms clicks

2.3 Data I Do NOT Collect

I do not collect, store, or have any access to:

  • Your Stellar account private keys (secret keys)
  • Passwords or credentials for external wallets
  • Browsing history outside the Service
  • Cookies for tracking or advertising purposes

3. Legal Basis for Processing

I process your personal data based on the following legal grounds under GDPR Article 6:

3.1 Contractual Necessity (Article 6(1)(b))

Processing is necessary to perform my contract with you (the Terms and Conditions), including:

  • Email verification for service access
  • Transaction execution and log delivery
  • Service donation collection

3.2 Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with legal obligations, including:

  • Anti-money laundering (AML) requirements under the Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017)
  • Tax reporting and accounting obligations
  • Data retention requirements for financial records

3.3 Legitimate Interests (Article 6(1)(f))

Processing is necessary for my legitimate interests, including:

  • Fraud prevention and security monitoring
  • Service improvement and bug fixing
  • Statistical analysis and service planning

I have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms.

4. How I Use Your Personal Data

I use your personal data for the following purposes:

  • (a) Service Delivery: To provide access to the Service, verify your identity, execute blockchain transactions on your behalf, and deliver transaction logs;
  • (b) Security and Fraud Prevention: To detect and prevent fraud, unauthorized access, and security threats;
  • (c) Legal Compliance: To comply with anti-money laundering, tax, accounting, and other legal obligations;
  • (d) Service Improvement: To analyze Service usage, identify bugs, and improve functionality;
  • (e) Customer Support: To respond to your inquiries and provide technical assistance;
  • (f) Audit and Accountability: To maintain an audit trail of all transactions for regulatory compliance and dispute resolution.

5. Data Sharing and Disclosure

5.1 Third-Party Processors

I share your personal data with the following third-party service providers who process data on my behalf:

Supabase Inc. (United States and Singapore)

Purpose: Database hosting and data storage

Data transferred: All data described in Section 2

Safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission

Privacy Policy: https://supabase.com/privacy

Resend (United States)

Purpose: Email delivery service

Data transferred: Email addresses, verification codes, transaction logs

Safeguards: Standard Contractual Clauses (SCCs)

Cloudflare Inc. (United States)

Purpose: Bot protection (Turnstile), DNS services, CDN

Data transferred: IP addresses, browser information

Safeguards: Standard Contractual Clauses (SCCs)

Privacy Policy: https://www.cloudflare.com/privacypolicy/

Google LLC (United States)

Purpose: Authentication for administrative users only (Google OAuth)

Data transferred: Administrative email addresses (not customer data)

Safeguards: Standard Contractual Clauses (SCCs)

5.2 Legal Disclosures

I may disclose your personal data if required to do so by law or in response to valid requests by public authorities, including:

  • (a) Law enforcement or regulatory agencies;
  • (b) Courts or other judicial authorities;
  • (c) Financial intelligence units for AML/CFT purposes.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of my assets, your personal data may be transferred to the acquiring entity. I will notify you via email or prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and Singapore, where data protection laws may differ from those in the EEA.

I ensure that all international data transfers are protected by appropriate safeguards:

Standard Contractual Clauses (SCCs): I use Standard Contractual Clauses approved by the European Commission pursuant to GDPR Article 46(2)(c) for transfers to third-party processors in the United States and Singapore.

The applicable SCCs are available online at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

7. Data Retention

7.1 Retention Period

I retain your personal data for 10 years from the end of the fiscal year in which you last used the Service.

Example: If you use the Service in March 2025, your data will be retained until December 31, 2035.

7.2 Retention Justification

This retention period is required by:

  • (a) Finnish Accounting Act (1336/1997), which requires retention of transaction records for 10 years;
  • (b) Finnish Act on Preventing Money Laundering and Terrorist Financing (444/2017), which requires retention of customer due diligence records for at least 5 years;
  • (c) Tax legislation requiring retention of financial records.

7.3 Deletion After Retention Period

After the retention period expires, I will securely delete or anonymize your personal data unless further retention is required by law.

8. Cookies and Tracking

8.1 Necessary Cookies Only

I only use strictly necessary cookies required for the Service to function. These cookies include:

  • Session management cookies (to maintain your authenticated session)
  • Security cookies (for bot protection via Cloudflare Turnstile)

8.2 No Tracking or Advertising Cookies

I do not use:

  • Analytics cookies
  • Advertising cookies
  • Social media tracking cookies
  • Third-party tracking technologies

Strictly necessary cookies do not require consent under the GDPR and the ePrivacy Directive (2002/58/EC).

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You have the right to request a copy of the personal data I hold about you. I will provide this information in a structured, commonly used, and machine-readable format (JSON or CSV).

9.2 Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you have the right to request correction.

9.3 Right to Erasure / "Right to Be Forgotten" (Article 17)

IMPORTANT LIMITATION: While you have a general right to erasure, I cannot delete personal data that I am legally required to retain under Finnish accounting, tax, or anti-money laundering laws.

Specifically:

  • Transaction records must be retained for 10 years (Finnish Accounting Act)
  • Customer due diligence data must be retained for 5-10 years (AML/CFT Act)

If you request erasure, I will:

  • Delete any data not subject to mandatory retention
  • Restrict processing of data required for legal compliance to the minimum necessary
  • Notify you of which data cannot be deleted and why

9.4 Right to Restriction of Processing (Article 18)

You have the right to request that I restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests (see Section 3.3). I will cease processing unless I demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Lodge a Complaint

You have the right to lodge a complaint with the Finnish Data Protection Ombudsman:

Data Protection Ombudsman

P.O. Box 800

FI-00531 Helsinki, Finland

Phone: +358 29 566 6700

Email: [email protected]

Website: https://tietosuoja.fi/

10. Exercising Your Rights

To exercise any of your rights, please contact me at:

Email: [email protected]

Subject Line: "Data Subject Rights Request"

Please include:

  • Your full name
  • Email address used with the Service
  • Stellar public key (G-address), if applicable
  • Description of the right you wish to exercise

I will respond to your request within one month of receipt. In complex cases, I may extend this period by up to two additional months and will notify you of the extension.

Identity Verification: To protect your privacy, I may require proof of identity before fulfilling your request.

11. Data Security

I implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption in Transit: All data transmitted between your browser and my servers is encrypted using TLS 1.3.
  • Encryption at Rest: All personal data stored in my database is encrypted at rest using industry-standard AES-256 encryption.
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis and protected by multi-factor authentication.
  • Security Monitoring: I monitor for security threats, unauthorized access attempts, and anomalous behavior.
  • Secret Key Protection: Your Stellar secret key never leaves your browser and is never transmitted to my servers. It remains solely in your browser's memory during transaction execution and is wiped immediately afterward.
  • Audit Logging: I maintain comprehensive audit logs of all data access and processing activities.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. I cannot guarantee absolute security.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. I do not knowingly collect personal data from children. If I become aware that I have collected personal data from a child under 18, I will take steps to delete that information promptly.

13. Changes to This Privacy Policy

I may update this Privacy Policy from time to time to reflect changes in my practices, legal requirements, or for other operational reasons. I will notify you of material changes by:

  • (a) Posting the updated Policy on the Platform with a new "Last Updated" date;
  • (b) Sending an email notification to the email address you provided (for material changes only).

Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.

14. Contact

If you have questions, concerns, or complaints about this Privacy Policy or my data processing practices, please contact me at:

By using the Service, you acknowledge that you have read, understood, and agreed to this Privacy Policy.