PRIVACY POLICY

This privacy policy for Chorus One AG (“Chorus” "Company," "we," "us," or "our"), describes how and why we might collect, store, use, and/or share your information when you use our services, such as when you:

• Visit our website at https://chorus.one, or any website of ours that links to this privacy policy and should be read together with our Cookie Policy which provides details on use of cookies on the website.
• Use any of our services or delegate to any Chorus validator nodes ("Services").

• Engage with us in other related ways, including any sales, marketing, or events.

NOTE that if you have signed a Master Services Agreement, Non-Disclosure Agreement or other agreement with Chorus that include confidentiality protections, in case of any inconsistency, the terms contained in that other agreement shall govern over this Privacy Policy.

Questions or concerns? Reading this privacy policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at legal@chorus.one.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy policy, but you can find out more details about any of these topics by reading the full Privacy Policy below.

Key highlights include:

• What we collect: Wallet addresses, technical and transaction metadata, communications, and, in limited circumstances, identification documents.
• How we use it: To operate our validator services, ensure security and compliance, respond to inquiries, and conduct research and marketing.
• How we protect it: Through a combination of technical and organizational safeguards, with attention to data minimization and retention.
• Your rights: Depending on your location, you may have rights to access, correct, delete, or restrict the use of your personal data.
  

1. WHAT INFORMATION DO WE COLLECT?

In Short: We collect information that you provide to us, data available from third parties and data automatically collected as part of the Services as described below.

Information you provide to us. Personal information you may provide to us through the Service or otherwise includes:

• Contact data, such as your first and last name, salutation, email address, billing and mailing addresses, professional title and company name, and phone number and other contact information.

• Communications data based on our exchanges with you, including when you contact us through the Service, social media, or otherwise. 

• Transactional data, such as information relating to or needed to complete your orders on or through the Service, including order numbers and transaction history.

• Marketing data, such as your preferences for receiving our marketing communications and details about your engagement with them.

• Wallet data, such as information relating to or needed to complete your cryptocurrency transactions on or through the Service (including wallet address, transaction number, transaction sender and recipient, transaction amount, and transaction history), as well as information relating to other on-chain activity associated with your account or wallet, such as applications you have interacted with on the blockchain.  

• Identification documentation, in some circumstances we may ask you for identification, such as national identification number (e.g., Social Security Number, tax identification number, passport number), state or local identification number (e.g., driver’s license or state ID number), and an image of the relevant identification card, and/or other information we deem necessary for us to comply with our legal obligations under financial or anti-money laundering laws.

• Payment data needed to complete transactions, including payment card information or bank account number.

• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.   

‍Third-party sources: We may combine personal information we receive from you with personal information we obtain from other sources, such as:

• Public sources, such as blockchain data, government agencies, public records, social media platforms, and other publicly available sources.
• We use Gmail's API (OAuth) to identify and authenticate some customers. When you use your Gmail address, the only personal data we collect via the Gmail API is your e-mail address which we solely use to provide our Services to you.
• Private sources, such as data providers, social media platforms and data licensors. 
• Our affiliate partners, such as our affiliate network provider and publishers, influencers, and promoters who participate in our paid affiliate programs.
• Marketing partners, such as joint marketing partners and event co-sponsors.
• Third-party services, such as social media services and others.

‍Automatic data collection. We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Service, our communications and other online services, such as:

• Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
• Communication interaction data such as your interactions with our email, text or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails. 
• Location Data. We may collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.
• Cookies. Some of our automatic data collection is facilitated by cookies and similar technologies. For more information, see our Cookie Policy. We will also store a record of your preferences in respect of the use of these technologies in connection with the Service.

Sensitive Information. We do not collect or process sensitive information.

Information from Minors.  We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the use of the Services and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at legal@chorus.one.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, to comply with law and as described below. 

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To deliver and personalize services to the user. We may process your information to provide you with the requested service and to personalize the service, including remembering the devices from which you have previously logged in and remembering your selections and preferences as you navigate the Service.​​ Where Chorus operates or supports smart contracts, we may process metadata related to contributions, validator reward distribution, and risk screening, in accordance with applicable regulatory requirements.

• To communicate to you about the Service and respond to inquiries. We may process your information to send you details about our products and services, changes to our terms and policies, security alerts, and other similar information or to respond to your inquiries and solve any potential issues you might have with the requested Service.

• Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Service and our business and to develop new products and services. We may also use aggregated, de-identified or otherwise anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
• Marketing. We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes, such as direct marketing communications which may be personalized based on your needs and interests, or interest based marketing based on your interaction with the Site and Services to serve online ads that may interest you. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. 
• ‍Compliance and protection. We may use your personal information to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas, investigations or requests from government authorities, or to protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims), including to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft, and to audit our internal processes for compliance with legal and contractual requirements or our internal policies. Specifically, we may process wallet addresses and transaction metadata using third-party compliance tools (e.g., for OFAC, AML, or sanctions screening) to detect and prevent use of our Services by sanctioned or high-risk parties 
• Use for new purposes. We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it.
• Cookies and similar technologies. In addition to the other uses included in this section, we may use the Cookies and similar technologies described above for the purposes described in our Cookie Policy.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

We may share your information with the following parties and as otherwise described in this Privacy Policy, in other applicable notices, or at the time of collection.  

• Affiliates and Advisors. Our corporate parent company, subsidiaries, and affiliates, as well as professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
• Service providers. Third parties that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, customer support, email delivery, marketing, consumer research and website analytics), and third-party advertising companies for the interest-based advertising purposes described above. 
• ‍Third parties designated by you. We may share your personal information with third parties where you have instructed us or provided your consent to do so. 
• Business and marketing partners. Third parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or whose products or services may be of interest to you.
• Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above. 
• Business transferees. We may disclose personal information in the context of actual or prospective business transactions (e.g., investments in Chorus, financing of Chorus, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of Chorus as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

4. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy policy unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). We generally retain personal information to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal information, we may consider factors such as the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. When we no longer require the personal information we have collected about you, we may either delete it, anonymize it, or isolate it from further processing. 

5. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

6. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please fill out and submit a data subject access request.

7. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

In respect of each of the purposes for which we use your personal information, various privacy laws, such as the GDPR (EU), CPRA (California) and Pipeda (Canada) requires us to ensure that we have a “legal basis” for that use. Our legal bases for processing your personal information described in this Privacy Policy are listed below. You can withdraw your consent at any time by emailing legal@chorus.one.

• Where we need to perform a contract, we are about to enter into or have entered into with you (“Contractual Necessity”).
• Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each purpose we use your personal information for is set out in the table below.
• Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
• Where we have your specific consent to carry out the processing for the purpose in question (“Consent”).  
• No Automated Decision-Making and Profiling. As part of the Services, we do not engage in automated decision-making and/or profiling, which produces legal or similarly significant effects. 

We have set out below, in a table format, the legal bases we rely on in respect of the relevant purposes for which we use your personal information:

8. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), Canada, and California, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your use of the Services at any time.

In some regions (like the EEA, UK, Canada and California), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services. You may also opt out of interest-based advertising by advertisers on our Services.

If you have questions or comments about your privacy rights, you may email us at legal@chorus.one.

9. Data Processing outside Europe  

‍We use US based service providers, advisers, partners or other recipients of data that are also based in the U.S. This means that, if you use the Service, your personal information will necessarily be accessed and processed in the U.S. It may also be provided to recipients in other countries outside Europe. Where we share your personal information with third parties who are based outside Europe, we try to ensure a similar degree of protection is afforded to it in Europe.

Personal information subject to the FADP is transferred to the following countries:

• UK and EU Member States (transfer mechanism: adequacy decision); 
• U.S., Singapore and United Arab Emirates (transfer mechanism: EU standard contract clauses (including the Swiss Annex)).

You may contact us if you want further information on the specific mechanism used by us when transferring your personal information out of Europe. You may have the right to receive a copy of the appropriate safeguards under which your personal information is transferred by contacting us.

10. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

11. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this privacy policy from time to time and the updated version will be indicated by an updated "Revised" date. We may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information as the updated version will be effective as soon as it is accessible. 

12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at legal@chorus.one or by post to:

Chorus One

Gartenstrasse 4, 6300 Zug, Switzerland

Zug, Zug 6300

Switzerland