Privacy Policy
Last Updated: March 2, 2026 · Effective Date: March 2, 2026
1. Introduction
This Privacy Policy ("Policy") describes how AlfaDAO ("AlfaDAO," "we," "us," or "our") collects, uses, shares, and protects personal information when you access or use our website at alfadao.xyz and related services (collectively, the "Services").
This Policy applies to all users of the Services, regardless of location. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU/EEA), California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Lei Geral de Proteção de Dados (LGPD) (Brazil), Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), and the UK Data Protection Act 2018 / UK GDPR.
By using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Services.
2. Data Controller Information
For the purposes of the GDPR and other applicable data protection laws, the data controller is AlfaDAO.
Privacy contact: privacy@alfadao.xyz
3. Information We Collect
3.1 Information You Provide Directly
| Data Category | Examples | Purpose |
|---|---|---|
| Wallet Address | Ethereum/EVM wallet address (e.g., 0x...) | Platform access, NFT verification, deal campaign participation, token distribution |
| Communication Identifiers | Discord username, Discord ID, Telegram handle | Community communication, support, membership verification |
| Email Address (if provided) | Email address | Notifications, updates, account communications |
| Self-Certified Information | Accredited investor status, jurisdiction of residence | Regulatory compliance, eligibility verification |
3.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Device and Browser Information | IP address, browser type and version, operating system, device type | Security, analytics, fraud prevention |
| Usage Data | Pages visited, features used, click patterns, time spent on pages | Service improvement, analytics |
| Log Data | Access timestamps, error logs, request data | Technical operations, security monitoring |
| Cookies and Similar Technologies | Session cookies, analytics cookies, preference cookies | See Section 9 (Cookie Policy) |
3.3 Blockchain and On-Chain Data
3.4 Information from Third Parties
We may receive information about you from:
- Blockchain explorers (e.g., Etherscan) — publicly available transaction data
- Discord / Telegram — username and ID information through community integrations
- Analytics providers — aggregated usage data
4. How We Use Your Information
| Purpose | Legal Basis (GDPR) | CCPA Category |
|---|---|---|
| Providing the Services — verifying NFT ownership, processing deal campaign contributions, distributing token allocations | Contractual necessity (Art. 6(1)(b)) | Business purpose |
| Account and Identity Verification — verifying eligibility and accredited investor status | Legal obligation (Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f)) | Business purpose |
| Communication — sending service-related notifications, responding to inquiries | Contractual necessity (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) | Business purpose |
| Security and Fraud Prevention — detecting and preventing fraud and unauthorized access | Legitimate interest (Art. 6(1)(f)) | Business purpose |
| Legal Compliance — complying with applicable laws, regulations, legal processes | Legal obligation (Art. 6(1)(c)) | Business purpose |
| Analytics and Improvement — understanding how users interact with the Services | Legitimate interest (Art. 6(1)(f)) | Business purpose |
| Marketing Communications (only with explicit opt-in consent) | Consent (Art. 6(1)(a)) | Requires opt-in consent |
We do not use your information for automated decision-making that produces legal effects without your consent, selling your personal information to third parties, or targeted advertising based on personal information.
5. How We Share Your Information
We do not sell your personal information. We may share your information with the following categories of recipients:
5.1 Service Providers
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| Vercel | IP address, device info, usage data | Website hosting and deployment | United States |
| Supabase / PostgreSQL | Wallet address, user data, campaign data | Database hosting and management | United States |
| Analytics Provider (privacy-first) | Anonymized usage data | Website analytics | Varies |
| Discord | Discord username and ID | Community management and authentication | United States |
| Blockchain Networks | Wallet address, transaction data | On-chain transactions (inherently public) | Decentralized |
5.2 Legal and Regulatory Disclosures
We may disclose your information when required by law, regulation, legal process, or governmental request, including court orders, subpoenas, regulatory inquiries, tax reporting obligations, and AML/sanctions compliance.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5.4 With Your Consent
We may share your information with third parties when you have given us explicit consent.
6. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. For transfers of personal data from the EU/EEA to countries not recognized by the European Commission as providing adequate data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and Data Processing Agreements with all service providers. For transfers from the UK, we rely on the UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable.
7. Data Retention
| Data Category | Retention Period | Justification |
|---|---|---|
| Wallet addresses and transaction records | Duration of account + 7 years | Tax and regulatory compliance; statute of limitations |
| Communication identifiers (Discord, email) | Duration of account + 1 year | Service delivery; reasonable post-termination period |
| Usage and analytics data | 26 months | Analytics purposes (anonymized where possible) |
| Log data | 12 months | Security and technical operations |
On-chain data cannot be deleted due to the immutable nature of blockchain technology.
8. Your Rights
8.1 Rights Under GDPR (EU/EEA and UK Users)
| Right | Description |
|---|---|
| Right of Access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Right to Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to legal exceptions and blockchain immutability |
| Right to Restrict Processing (Art. 18) | Request that we limit processing of your personal data |
| Right to Data Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format |
| Right to Object (Art. 21) | Object to processing based on legitimate interest or for direct marketing |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time (does not affect lawfulness of prior processing) |
| Right to Lodge a Complaint | File a complaint with your local Data Protection Authority (DPA) |
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of personal information, subject to exceptions; correct inaccurate personal information; opt out of the sale or sharing of personal information (we do not sell personal information); and be free from discrimination for exercising your privacy rights.
We do NOT sell your personal information and do NOT share your personal information for cross-context behavioral advertising.
8.3 How to Exercise Your Rights
To exercise any of your rights, please contact us at privacy@alfadao.xyz with the subject line "Data Rights Request" and specify the right you wish to exercise. We will respond within 30 days (GDPR), 45 days (CCPA), or 15 days (LGPD). We may need to verify your identity before processing your request.
9. Cookie Policy
We use cookies and similar technologies to operate the Services. For full details, please see our Cookie Policy.
9.1 Types of Cookies We Use
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Authentication, security, wallet connection | No |
| Functional | Remember your preferences (language, display settings) | Yes |
| Analytics | Understand how visitors use the website (anonymized) | Yes |
We do not use advertising cookies, third-party tracking cookies for behavioral advertising, or social media tracking pixels. We do not respond to Do Not Track (DNT) browser signals; however, we do not track users across third-party websites.
10. Children's Privacy
The Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at privacy@alfadao.xyz.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal information, including encryption of data in transit (TLS/SSL) and at rest, access controls and authentication requirements, regular security assessments, and access limited to need-to-know basis.
However, no system is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the security of your wallet, private keys, and any credentials used to access the Services.
12. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by posting the updated Policy with a new "Last Updated" date and, where appropriate, sending a notification through the Services. Your continued use of the Services after changes become effective constitutes acceptance of the revised Policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@alfadao.xyz
Website: alfadao.xyz
14. Supervisory Authorities
If you are located in the EU/EEA and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs can be found at the European Data Protection Board. UK residents may contact the Information Commissioner's Office (ICO).
This Privacy Policy was last reviewed on March 2, 2026.