Privacy Notice Urban Change Protocol and Frontend

V.1.2.  |  Nov. 13, 2023

I.        Introduction

II.       Data Controller

III.      Data categories we process

IV.      Processing purposes

V.       Legal basis for processing

VI.      Data sharing

VII.     Disclosure abroad

VIII.    Data storage

IX.      Data security

X.       Data subjects rights

XI.      Online tracking and social media presence

XII.     Updates to this Notice

1. Introduction

The Urban Change Foundation (also «the Foundation», «we», «us») may collect and process personal data that concern the personal data of individuals (also “the User” or “you”) who use the Urban Change Protocol (“the Protocol”) as well as the Foundation’s website-based interface which facilitates easier access to the users (“the Frontend”)

In this Privacy Notice, we describe what we do with your data when you make use of the Protocol and the corresponding Frontend in your role as a Community Leader or “Other User” who was granted access to the “Community account”, of a community you set up and/or manage when using our service. If you disclose data to us or share data with us about other individuals, such as employees or co-workers, we assume that you are authorized to do so and that the relevant data is accurate. When you share data about others with us, you confirm that. Please make sure that these individuals have been informed about this Privacy Notice.

Please note that if you are using the “Magic” service integrated into the Frontend, you are accepting their Privacy Policy as well.

2. Data Controller

The Foundation is the controller for data processing under this Privacy Notice, unless we tell you otherwise in an individual case, for example in additional privacy notices, on a form, or in a contract. However, please note that in relation to any data processing by you in your capacity as a Community Leader, you may act as a sole controller. Further, data published on the Algorand blockchain (on-chain data) do not fall in our area of responsibility in the sense that we are not acting as a data controller in this regard within the meaning of data protection legislation. 

For any data protection concerns related to data processing by us under this Privacy Notice as well as when executing your data protection rights as described under section 10, please contact us as follows:

Urban Change Foundation
Gartenstrasse 5,
CH- 6300 Zug
info@urbanchange.com

3. Data categories we process

When you use our services, we process the following data of you:

• Technical data In order to ensure we provide you with our services and to align with security measurements, we may process (sometimes via a third-party vendor) technical data such as the IP address of your terminal device. e may also assign an individual code to you or your terminal device (for example cookies). Technical data as such does not permit us to draw conclusions about your identity. However, technical data may be linked with other categories of data (and potentially with your person) in relation to user accounts, registrations, access controls, or the performance of a contract. 

• Account data: when you use the Frontend in order to access the Protocol and its functionalities, you are required to register by opening a user account. For this purpose, we may collect general personal data such as name, e-mail, company/person you are representing, wallet address, if any, as well as metadata about the wallet you are connected with, including some transactional data that is stored on-chain. 

• Community data that may relate to your activities with respect to a community. For example, we collect data when you set up and maintain a community in your role as a Community Leader including data about, the initiatives, payouts to community members, and information about your community vaults. 

• Other data: we may process further data, in particular when required to do so by law or when required by an authority or in relation to administrative or judicial proceedings. In case we promote newsletters, events, and other services, we collect and document declarations of consent (opt-ins) and opt-outs. 

• Behavioral and preference data: Depending on our relationship with you, we try to get to know you better and tailor our products, services, and offers to you. For this purpose, we may collect and process data about your behavior and preferences. However, behavioral and preference data may be analyzed on an aggregated level only and we are not interested in using it for personal related reasons or on an identifiable basis. By behavioral data we mean information about certain actions, such as your visit to our website, your clickrate, or your interaction with our social media pages with our social partners of whom we have integrated social plugins on our website. 

Most of the data is provided by yourself to us (through forms, when you communicate with us, in relation to contracts when you use the Frontend, etc.), whether as part of your contractual obligation under the relevant contract you enter into with us or as for our legitimate interest when you use our services, participate at events or visit our website. When using our website, the processing of technical data cannot be avoided. 

4. Processing purposes

We process your data for the purposes explained below. These purposes and their objectives represent the interests of us and potentially of third parties. You can find further information on the legal basis of our processing in Section V.

We process your data for the following purposes:

• Communication and interaction with you, for example, in relation to responding to inquiries, the exercise of your rights (Section X) or to interact whenever necessary to perform our business relationship with you. 

• Marketing/relationship management: we intend to send you personalized publications, for example, in the form of newsletters and/or other communication channels, by providing you with integrated social media buttons, but also as part of marketing campaigns (for example events, contests, grant programs, etc.). You can object to such contacts at any time (see Section II) or refuse or withdraw consent to be contacted for marketing purposes. 

We further process your data for market research, to improve our services and operations, for product development as well as for security purposes. Also, we process personal data to comply with laws and regulatory requirements, directives and recommendations from authorities, and internal regulations («Compliance») (e.g. reporting obligation towards authorities) which may require or entail data processing such as archiving obligations and the prevention, detection, and investigation of criminal offenses and other violations. We also process your data to protect our legal rights, for example, to enforce claims in or out of court, and before authorities or to defend ourselves against claims, for example by preserving evidence, conducting legal assessments, and participating in court or administrative proceedings). 

5. Legal basis for processing

We may process your personal data by relying on the following legal basis: 

• Consent where we ask for your consent for certain processing activities (for example for marketing mailings, and behavior analysis on the website). You may withdraw your consent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by sending an e-mail to us; see our contact details in Section II which also applies to withdrawing consent for online tracking. Once we have received notification of the withdrawal of consent, we will no longer process your information for the purpose(s) you consented to unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal.

• Performance of our business relationship with you to provide you with our services.

• Our or a third-party’s legitimate interest in particular processing, and in implementing related measures which also includes the marketing of our products and services, the interest in better understanding our markets and in managing as well as further developing our services, our company, including its operations, safety, and efficiency.

• Meeting legal and regulatory obligations incl. orders of authorities, courts, and other competent bodies.

6. Data sharing

In relation to our data processing activities under this Privacy Notice, we may disclose your personal data to third parties. In particular, to

• service providers we work with and who process your data on our behalf, as joint controllers with us, or who receive data about you from us as separate controllers, each constellation depending on the specific factual and contractual setup we enter into with these providers (e.g. IT providers, analytical platforms ). However, please note that your wallet provider is responsible for the processing of your data connected with transactions into, from, and out of your chosen wallet when interacting with your blockchain account. 

• other contractual partners, for example, other community leaders in your community; and/or

• authorities when required to disclose personal data to agencies, courts, and other authorities in Switzerland and abroad, if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests. This may happen in the event of criminal investigations, regulatory requirements, and investigation, legal proceedings.

All these categories of recipients may involve third parties, so your data may also be disclosed to them. We can restrict the processing by certain third parties (for example IT providers), but not by others (for example authorities, banks, etc.) and ask you to consult in particular your community or community leader for more details on their processing of your personal data. 

7. Disclosure abroad 

As explained above, we disclose data to other parties. These parties may be located in Switzerland, but also, in any country in the world. 

If a recipient is located in a country without adequate statutory data protection, we require the recipient to meet, however, a certain data protection level (we do this, for example, by entering into a set of so-called standard contractual clauses that have been officially issued by the European Commission as one measure to ensure that the required data protection level is met when disclosing personal data abroad). An exception may apply to the example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing. Many countries outside of Switzerland or the EEA currently do not have laws that ensure an adequate level of data protection under the Swiss Data Protection Act or the European GDPR. The contractual arrangements mentioned compensate for this weaker or missing legal protection to some extent. However, contractual precautions cannot eliminate all risks (namely government access abroad). You should be aware of these remaining risks, even though they may be low in an individual case, and we take further measures (for example pseudonymization or anonymization) to minimize these risks.

Please note that data exchanged via the internet is often routed through third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.

8. Data storage

We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in the documentation and keeping evidence require it or storage is a technical requirement. This period may be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. In particular, we take into account applicable limitation periods and store and retain data in line with any such requirement.

9. Data security 

We take appropriate security measures in order to maintain the required security of your personal data and ensure its confidentiality, integrity, and availability, to protect it against unauthorized or unlawful processing, and mitigate the risk of loss, accidental alteration, unauthorized disclosure, or access. 

10. Data subjects rights

Applicable data protection laws grant you the right to object to the processing of your data in some circumstances, in particular for direct marketing purposes, for profiling carried out for direct marketing purposes, and for other legitimate interests in the processing.

To help you control the processing of your personal data, however, depending on the applicable data protection law, you have the following data protection rights:

• The right to request information from us as to whether and what data we process from you;

• The right to have us correct personal data if it is inaccurate;

• The right to request the erasure of personal data;

• The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;

• The right to withdraw consent, where our processing is based on your consent;

• The right to receive, upon request, further information that is helpful for the exercise of these rights;

• The right to express your point of view in case we should perform any automated individual decisions, what we do not do at the current point in time, and to request that the decision be reviewed by a human;

• The right to lodge a complaint with the competent data protection supervisory authority in your country.

If you wish to exercise these rights or should you not agree with the way we handle it, please contact us with our contact details in Section II. Please note that conditions, exceptions, or restrictions may apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.

11. Online tracking and social media presence

We use various techniques on our Frontend that allow us and third parties to recognize you during your use of our Frontend, and possibly to track you across several visits. We use these technologies on our Frontend and may allow certain third parties to do so as well. However,  we do not intend to determine your identity, even if that is possible where we or third parties can identify you by the combination with registration data.  However, even without registration data, the technologies we use are designed in such a way that you are recognized as an individual visitor each time you access the Frontend, for example by our server (or third-party servers) that assign a specific identification number to you or your browser (so-called «cookie»). 

You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. However, we only use cookies and similar technologies such as local storage that are necessary for the functioning of the Frontend or for certain features. For example, they ensure that you can move between pages without losing information that was entered in a form. They also ensure that you stay logged in. If you block them, the Frontend may not work properly. We may also integrate additional third-party offers on our Frontend, in particular from social media providers (e.g. social media platforms, social networks, messaging apps, etc.). These offers are deactivated by default. As soon as you activate them (for example by clicking a button), these providers can determine that you are using our Frontend. These social media providers process this data and your personal data as separate controllers. Please find all the service media providers we use on our Frontend. However, check the respective sign, icon, or button prior to clicking on it in order to be sure that it is the provider you wish to interact with as from the beginning of such action, personal data will be collected of you.

We are not aware of how social media platforms use the data from your visit. For further information on the processing of the platform operators, please refer to the privacy information of the relevant platforms where you can find all about their own data processing activities, the countries where they process your data, your rights of access, and the erasure of data and other data subjects rights and how you can exercise them or obtain further information.

12. Updates to this Notice

This Privacy Notice is not part of a contract with you. We can change this Privacy Notice at any time. The version published on our website at: urbanchange.com is the current version.