Last Updated: May 2020
Your privacy is important to us. Polymath Inc. (“Polymath”, “we”, or “us”) wants you to be familiar with how we collect, use and disclose your Personal Information.
- The Polymesh Testnet network, through which you are able to access and interact with a foundational layer for securities tokens (“Polymesh”);
- The Polymath smart contracts that enable you to configure and design tokens directly on the Ethereum blockchain (“Ethereum Smart Contracts”);
- The TokenStudio platform on Ethereum, through which you are able to configure and design a securities token and interact with and engage third-party service providers (“Ethereum TokenStudio”);
- The TokenStudio platform on Polymesh, through which you are able to configure and design a securities token and interact with and engage third-party service providers (“Polymesh TokenStudio”); and
- The Polymesh Wallet available as a browser extension through which you are able to manage your (i) digital assets created on Polymesh; and (ii) Polymesh’s native protocol token, POLYX (“Polymesh Wallet”).
This Policy also describes other important topics relating to your privacy.
If you are a user in the UK or the European Economic Area ("EEA"), please refer to our section "Users in UK and EEA" which provides information on the rights that you have specifically under the General Data Protection Regulation and the UK's Data Protection Act 2018 (collectively we call them the "European Data Protection Laws").
By using the Services, or by otherwise choosing to submit Personal Information to Polymath, for users outside of the UK and EEA, you consent to the collection, use and disclosure of your information as outlined in this Policy. If you are a user in the UK or EEA, please refer to our section "Users in UK and EEA" which provides information on the basis on which we may process your personal information. At any time, you have the right to remove your consent to the collection, and future use and disclosure of your information, subject to reasonable notice and legal, contractual and technological limitations. You may make this request by writing to the e-mail address set out below.
We may change this Policy from time to time. If we make material changes, we will take reasonable steps to notify you, such as by revising the effective date at the top of the Policy or placing a notice on our Websites and associated platforms through which you use our Services, or at our discretion, contacting you using any contact information you have provided. We encourage you to review the Policy whenever you access the Services to stay informed about our information practices.
The following is a short summary of the key elements of this Policy. You can read the full version of the Policy following this summary.
We may collect the following Personal Information and other information from you:
- Your name;
- Your e-mail address;
- Your phone number;
- Your Ethereum and Polymesh public addresses;
- Information you provide directly to us when you request that we conduct a specific task on your behalf using the Services, or other information you provide when you communicate with us; and
- Online identifiers such as general geographic location, IP address, and details regarding your use of the Services.
We may use your Personal Information for the following purposes:
- To provide you with the functionality of the Services;
- To contact you regarding your use of the Services;
- To understand how you and our users use the Services in order to improve the Services, and our marketing efforts; and
- For other purposes required by applicable law, including confirming your identity to comply with our regulatory obligations.
We may share your Personal Information with the following parties / for the following purposes:
- To service providers selected by you in your use of the Services;
- To other third-party service providers to facilitate services they provide to us, including analytics providers that help us understand how our Services are used; and
- As otherwise required by applicable law.
How to contact us:
- If you have questions about this Policy or would like to contact us regarding the collection, use and disclosure of your personal information, please contact us at firstname.lastname@example.org
What Personal Information Do We Collect About You?
Personal Information refers to any information about an identifiable individual.
Your Ethereum public address is collected on-chain when you utilize our Ethereum Smart Contracts to configure securities tokens directly on the Ethereum blockchain. Please see the section “Information Recorded On-Chain” for more information on how information on-chain is processed.
We collect the following Personal Information and other information from you when you use the Ethereum TokenStudio, including:
- Your name;
- Your e-mail address; and
- Your Ethereum public addresses.
We collect the following Personal Information and other information when you request to open an account on Polymesh and our Services provided on Polymesh, including Polymesh TokenStudio and Polymesh Wallet:
- Your name;
- Your e-mail address;
- Your Ethereum public address and your Polymesh public address; and
- Your phone number (mobile).
We also collect information that you provide directly to us when you access and use the Services, including:
- Information that you provide when you request that a token be configured using the Services, such as information describing the tokens and the issuer as well as e-mail addresses for intended token recipients;
- Information regarding the services you use, such as information you provide for identification purposes, such as your name, nationality, and birth date; and
- Information that you provide when you request customer support from us.
Please note that where you provide us with the information of another person such as a token recipient, you must have their permission to give it to us for that purpose.
Information that we Collect
When you access or use the Services, we collect certain information using cookies, web beacons, and similar tracking technologies. Cookies are small data files stored directly on the device you are using that allow us to collect information to help the Services function properly, and to report on activities and trends so that we can improve the services. This information includes:
- Online identifiers such as IP address, geolocation, device information, and browser type;
- Details regarding how you interact with the Services, such as time spent on the Services and which links you click on; and
- Metrics such as number of visitors to our Websites, pages visited, frequency of clicks to assess behaviors, usage data, failed attempts, spam attempts, and similar information.
Your browser gives you the ability to reject cookies. However, setting your browser or device to reject cookies generally hinders performance and may adversely affect your experience while using the Services.
How do we Use your Personal Information?
Information we collect is used by Polymath and its service providers to:
- Provide you with the functionality of the Services and fulfil your requests, for example;
- When you configure a token using Polymesh TokenStudio and/or Ethereum TokenStudio, we will use the information that you provide to us to configure the token;
- We use your Ethereum and Polymesh public address for operations you initiate on Ethereum TokenStudio, Polymesh TokenStudio, Ethereum and Polymesh. We also use this to link your Polymesh account to your Ethereum account for the purpose of upgrading POLY tokens (on Ethereum) to POLYX, Polymesh’s native protocol token;
- Create your account and associated decentralized identity to enable you to access the Services;
- Create your Polymesh Wallet to enable you to access the Services;
- Send you technical notices, updates, security alerts and support and administrative messages including confirmations and receipts;
- Respond to your comments, questions and requests and provide customer service;
- Communicate with you about products, services, and events we think will be of interest to you;
- To understand users and potential users and their interests in Polymath products and services, manage our relationship with users, enhance user experience on our platform and applications, improve our platforms and applications;
- Monitor and analyze trends, usage and activities in connection with our Services so that we can improve our Services;
- Conduct audits to verify that our internal processes function as intended and to address legal, regulatory, or contractual requirements;
- Carry out any other purpose for which the information was collected and for which you have provided your consent; and
- For other purposes that are permitted or required by applicable law such as verifying your identity in accordance with our client identification requirements.
We may aggregate and anonymize Personal Information so that it may not be used to identify you or any other individual. We do so to generate data for our use, which we may use and disclose for any purpose, if permitted by applicable law.
Who do we share your information with?
We share information about you as follows or as otherwise described in this Policy:
- To analytics vendors, including Google Analytics, in order to help understand how users interact with the Services, including to understand users and potential users and their interests in Polymath products and services, to manage our relationship with users, enhance user experience on our platform and applications, improve our platforms and applications. These services may also collect information regarding the use of other websites, apps, and resources. You can learn about Google’s practices by going to https://policies.google.com/technologies/partner-sites, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at: https://tools.google.com/dlpage/gaoptout.
- In response to a request for information if we believe disclosure is required or permitted in accordance with any applicable law, regulation or legal process;
- To cooperate with law enforcement, protect our rights or those of third parties (for example, to detect and prevent fraud), or as otherwise required by any applicable law;
- In connection with, or during negotiations of, any merger, consolidation, restructuring, sale of company assets, or disposition of all or a portion of our business to another company, including, without limitation, during the course of any due diligence process; and
- With other third parties when we have your consent.
Information Recorded On-Chain
“On-chain” operations refer to those operations that occur on a blockchain such as Ethereum and Polymesh and are permanently recorded on the records of the blockchain.
Any information that you attach to an “on-chain” operation may be viewed by the public, meaning that others will have access to this content and it may be viewed, collected and used by others. Further, due to the nature of blockchain technology, information that is recorded “on-chain” cannot practically be corrected or revised.
Information may be recorded “on-chain” in the following circumstances:
- Token Reference Information: When you use the Ethereum TokenStudio or the Polymesh TokenStudio, you are able to attach reference information to the token you are creating. A hash of the reference information will be attached to the token and will be recorded on each settlement of the token using the Ethereum or Polymesh blockchain as applicable. The hash will enable others to locate the token reference information that you attached. As a result, we advise that you not include information that may identify you or others in the token reference information.
- Token Configuration Details: When you configure a token using either the Ethereum TokenStudio or the Polymesh TokenStudio, certain token details that you choose to associate with the token such as its name and symbol appear on-chain when the token is used. As a result, we advise that you not include information that may identify you or others in your token configuration details.
- Ethereum and Polymesh public addresses: When you configure a token using Ethereum TokenStudio or directly on the Ethereum blockchain using our Ethereum Smart Contracts, the Ethereum public address that you provide appears on-chain in association with that operation. Likewise, when you initiate an on-chain operation using Polymesh TokenStudio or any other operation on Polymesh, your Polymesh public address appears on-chain in association with that operation. This information is stored on-chain along with information regarding the operation, such as the time of the operation, the amount transferred, a reference to the information you choose to associate with the token, and, if you choose, your jurisdiction.
If you choose to voluntarily disclose Personal Information in an “on-chain” operation, that information will be available to the public (for example, anyone who views the public blockchain). We will not be able to control how members of the public access or use such information, nor can it be deleted as it is released outside of our control. Think carefully and use caution relating to the disclosure of any Personal Information before you request any operations to be processed “on-chain” on Ethereum or Polymesh as described herein.
Users in UK and EEA
The following information is only applicable to users located in the UK or the EEA or otherwise within the scope of European Data Protection Laws.
Basis for Processing
We are allowed to process your Personal Information for the following reasons and on the following legal bases:
- To enter and perform a contract with you (i.e. the terms and condition of the Services) or to perform any steps you require from us before entering into a contract.
- To pursue our legitimate interests i.e. we have good, sensible, practical reasons for processing your Personal Information which is in our interests. In this case, we use your Personal Information to provide you with the Services as agreed in our Terms of Service with the entity on whose behalf you act or you directly. We also use the Personal Information to establish, manage or conclude our business relationship with you or the entity on whose behalf you act.
- Where you have specifically consented to us processing your Personal Information.
- To comply with our legal obligations and establish, exercise or defend our legal rights.
Where Personal Information is processed with consent, you may choose to withdraw your consent at any point by contacting us as described below in the "Contact Us" section.
Rights as Data Subjects
As a data subject, you have the following rights under the European Data Protection Laws:
- Object to processing: You may object to us processing your personal information where we rely on a legitimate interest as our legal grounds for processing your Personal Information.
- Rectification: You have the right to have inaccurate personal information rectified, or completed if it is incomplete.
- Automated decision making: These rights do not apply as we do not make any automated decisions about you.
- Restriction: You have the right to restrict us from processing your Personal Information in certain circumstances such as where you are contesting the accuracy of your Personal Information or you have objected to us processing your Personal Information. Whilst the restriction is in place we cannot do anything with the Personal Information in any way except to store it.
- Data portability: You have the right to receive personal information that you have provided us in order to share it with a separate controller in a structured, commonly used and machine readable format. You can also request us to transmit this information directly to another controller. This is only applicable where the lawful basis we rely on to process your Personal Information is consent or for the performance of a contract.
- Erasure: You have the right to request that we erase your Personal Information in certain circumstance such as where your Personal Information is no longer necessary for the purpose which we originally collected it for or we are relying on consent as lawful basis for holding your Personal Information and you have withdrawn your consent.
- Withdraw your consent: Where we have relied on your consent to process your Personal Information, you have the right to withdraw the consent you have given us at any point. This is a vital and necessary aspect of consent. To withdraw your consent, you can contact us at the details in the “Contact Us” section.
For you to exercise these rights, please get in touch with us using the information in the section "Contact Us". We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex and/or if we receive a high number of requests, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the applicable laws. Moreover, due to the nature of blockchain technology, information that is recorded “on-chain” cannot practically be corrected, revised or deleted. Please see the section “Information Recorded On-Chain” for more information.
Similarly, you may complain to the relevant supervisory authority in your country. In the UK this is the Information Commissioner's Office, information about how to contact this regulator can be found at www.ico.org.uk. Ideally, we recommend that you get in touch with us first so we can resolve any issues directly with you as quickly as possible.
Transfer of Personal Information Outside UK and EEA
Any transfer of your Personal Information outside the UK and the EEA will be carried out in accordance with the European Data Protection Laws to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.
The Personal Information we collect is stored on our servers or those of our service providers. We retain Personal Information in accordance with our record retention policies. Our record retention periods are established taking into account requirements of privacy laws, the purposes for which the information was collected, legal and regulatory requirements to retain the information for minimum periods, limitation periods for taking legal action, and our business needs. We may retain anonymous and aggregate information indefinitely.
Polymath uses physical, technological, and organizational security measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Our employees, representatives and agents will have access to your Personal Information as necessary for the purposes described in this Policy.
Personal Information may be accessed by persons within our organization, or our third party service providers, who require such access to carry out the purposes indicated in this Policy, or such other purposes as may be permitted or required by the applicable law. Personal Information we collect is managed from our affiliate offices in Toronto, Ontario, Canada.
However, while we have taken steps to help protect your Personal Information, we cannot fully eliminate security risks associated with Personal Information. No security measures can provide absolute protection. We cannot ensure or warrant the security of any information you provide to us.
We may Transfer Personal Information Outside of your Country
Some or all of the Personal Information we collect may be stored or processed outside of your jurisdiction of residence, including in the United States. Your Personal Information may be processed and stored in the United States and the governments, courts or law enforcement or regulatory agencies of the United States may be able to obtain disclosure of your Personal Information through a lawful order made where the information is located.
By providing us with Personal Information, for users outside of the UK and EEA, you understand and expressly agree that we may transfer your information to another country, including the US. If you are a user in the UK or EEA, please refer to our section “Transfer of Personal Information Outside UK and EEA”. If you do not agree to the transfer of your Personal Information outside of your jurisdiction (including to the US), as described here, do not provide us with Personal Information.
This Policy does not apply to third party sites
Access and Correction
You may request access to your Personal Information and to request a correction if you believe it is inaccurate.
Please contact us by e-mail at email@example.com if you would like to exercise either of these options. Please note that in some circumstances we may not be able to allow you to access certain Personal Information, for example if it contains Personal Information of other persons, or for legal reasons. We may require you to verify your identity before allowing you to access your Personal Information.
If you have any questions about this Policy, please contact our Policy Department at firstname.lastname@example.org.
You may also contact our Privacy Officer in our affiliate office at 3130 – 155 Wellington Street West, Toronto, Ontario, Canada, Postal Code: M5V 3H6.