Data Protection Statement – IVE.ONE

17.05.2019


When providing IVE.ONE as defined in our Terms & Conditions, Agora Innovation GmbH, Robert-Schneider-Str. 38, 64289 Darmstadt, Germany; +49 (0) 69 348 719 55; info@agora-innovation.com (“Agora”, “we” or “us”) may process personal data. This data protection statement informs potential data subjects:

1. Scope of Application / Responsible Party

This data protection statement applies to the processing of personal data for which we act as controller relating to:

Agora is the controller and therefore responsible party for the provision of IVE.ONE and as described herein. This in particular excludes any processing of personal data carried out and/or controlled by Customers or Token-Buyers, especially in connection with transactions of Tokens created with IVE.ONE including any associated data processing operations (c.f. Section 3.6). In this regard, the respective Customer or Token-Buyer is responsible.

Additionally, it should be kept in mind that IVE.ONE partly utilizes blockchain technology. The technology is characterised by the decentralised storage of data on numerous computers, each controlled by different entities. Hence, using IVE.ONE or selling or buying Tokens created with IVE.ONE in general coincides with the processing of personal data of the respectively affected data subjects by various parties.

2. Contact Details of our Data Protection Officer

Evgeny Mathershev
Robert-Schneider-Str. 38
64289 Darmstadt
Phone: +49 (0) 69 348 719 55
E-mail: evgeny@agora-innovation.com

3. Processing of Personal Data

When providing IVE.ONE we process personal data for the following purposes:

3.1 General use of the service

When using the service, we process certain information automatically. This includes: the IP address or device ID assigned to the respective end user device, which we require for the transmission of requested content (e.g. in particular content, texts, images and product information as well as files made available for download, etc.), the type of end user device, the URL of the previously visited services, the browser type and operating system used and the date and time of use.

This data processing takes place in order to facilitate the use of the service

We hold this information for a maximum of one month for the purpose of recognizing and pursuing misuse. Aside from this, we delete or anonymize these usage data, including the IP addresses, without undue delay as soon as they are no longer needed for the above mentioned purposes.

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of the service to the user (Art. 6 para. 1(b) General Data Protection Regulation (GDPR)), or because we have a legitimate interest in safeguarding the security and functionality of our service as well as its proper use without the affected data subjects having an overriding interest (Art. 6 para. 1(f) GDPR).

3.2 User Accounts (Registration and Login)

In order to use our service, a user account must be set up.

When registering for a user account, the following information must be provided (jointly “Customer Data”):

When setting up a user account, an individual password must be created. This password can be changed at any time

In order to login to a user account, the following data must be entered:

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the user (Art. 6 para. 1(b) GDPR)

Customer Data is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply or the Customer Data is necessary for other purposes described herein.

3.3 Customer Authentication

To use IVE.ONE, in particular to create tokens, the Customers must verify their identities. In this regard we receive certain information from Know Your Customer service provider(s) (“KYC-Provider”) we work with and the respective Customer chooses to verify its identity with. In this regard, we solely receive the result of any such verification process (i.e. verified “yes” or “no”) and store that information in the Customer’s account.

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of the service to the Customers (Art. 6 para. 1(b) GDPR).

This information is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply or the information is necessary for other purposes described herein.

3.4 Integration of Wallets

In case a Customer chooses to integrate its crypto-currency wallet into its IVE.ONE account, we store the appropriate information provided by the Customer relating to its wallet. In such case, we may also receive certain information from the respective wallet provider.

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the Customers (Art. 6 para. 1(b) GDPR).

This information is generally stored until the respective Customer closes its account, otherwise unregisters for the use of the service or lifts the integration of a wallet, unless statutory retention obligations apply or the information is necessary for other purposes described herein.

3.5 Token Creation / Handing over of Token

3.5.1 Basic data processed for creation of Token

When creating a Token, the Customer must provide the following information which will subsequently be processed by us in order to create the Token (jointly “Token Data”):

3.5.2 Transaction requirements embedded in Token

Additionally, each Customer may elect to embed certain individual requirements into a Token that must be observed when transferring that Token (e.g. to comply with applicable anti money laundering provisions) in order to ensure the monitoring of any transaction of the Token being in compliance with the respectively embedded requirements (jointly “Rule Stack Data”).

To this end, we process any provided Rule Stack Data by the Customer for the purpose of embedding it into the Token we create for the Customer. In case a transaction is in violation of the respectively embedded Rule Stack Data, the respective Token cannot be transferred.

Provided that the Customer chooses to embed a black- or whitelist into the Token, i.e. a list of persons or entities to whom the Token may not be transferred, respectively to whom it may exclusively be transferred (c.f. below Section 3.6.2), we further process any names or other information provided by the Customer in this regard for the purpose of implementing the respective black- or whitelist into the Token.

Provided that the Customer chooses to embed a forced authentication process into the Token (see Section 3.6.1), we implement any such pertinent information provided by the Customer (e.g. data of the respective KYC-Provider to be utilized) into the Token.

3.5.3 Initial transfer of Token to Customer

After the creation of a Token, in order to transfer the Token to the Customer, the Customer must provide us with a respectively applicable and valid public key which we will process in order to transfer the Token.

3.5.4 Legal ground / data retention

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the provision of this functionality to the Customer (Art. 6 para. 1(b) GDPR).
Token and Rule Stack Data is generally stored until the respective Customer closes its account or otherwise unregisters for the use of the service, unless statutory retention obligations apply or the Token and Rule Stack Data is necessary for other purposes described herein.

3.6 Token-Transactions / Tracking of issued Tokens

The transactions of Tokens created are tracked via IVE.ONE. Transactions are compiled in a transaction history that can be accessed by the respective Customer through a dashboard provided in its respective IVE.ONE account. The purpose of this tracking is to ensure that each transaction complies with the Rule Stack Data and the underlying legal requirements the Customer is subject to.

To this end, we process the following information of the Token-Buyers:

3.6.1 Forced Authentication of Token-Buyers

In case a Customer elects to embed a forced authentication process into the Token, we process personal data of the potential Token-Buyers for the purpose of authenticating each Token Buyers’ identity.

To this end, the Token Buyer has to verify its identity via the respective KYC-Provider elected by the Customer to be able to buy the Token.

To this end, we process the following information of the Token-Buyers:

We disclose this information to the respective KYC-Provider for the purpose of validating the entered information. From the respective KYC-Provider, we solely receive the result of such verification (i.e. verified “clear” or “suspected”). On this basis, transactions are blocked or allowed.

3.6.2 Black-/Whitelists

Provided that the Customer elects to embed a black- or whitelist into the Token, the personal data from potential Token-Buyers is processed for the purpose of comparison with the black/whitelist created by the Customer.

To this end, we process the following information of the Token-Buyers:

All transactions within the Black-/Whitelists are processed against the E-mail and Wallet addresses defined by the Customer and respectively embedded into the Token. On this basis, transactions are blocked or allowed.

3.6.3 Legal grounds / retention of data

The data processing is carried out on the basis of legal provisions which authorise the data processing because it is necessary for the execution of each transaction of Tokens between the Customer and Token-Buyer (Art. 6 para. 1(b) GDPR).

Data relating to transactions of Tokens is respectively retained for a maximum of five years, unless statutory retention obligations apply or such data is necessary for other purposes described herein.

3.6.4 Responsibility for actual transactions of Tokens

As initially stated (see Section 1), the Customer independently and in its own responsibility renders any transaction of the initially handed over Token created by us (see Section 3.5).

For the avoidance of doubt: Please note that we have no influence on a transaction of a Token being granted or refused on the basis of the information defined by the Customer and respectively embedded in the Token. This power lies exclusively with the Customer. Against this background, if you wish to contest any rejection of a Token transaction, please contact the relevant Customer (i.e. Token issuer).

3.7 Service improvement

We also analyse Customer Data, data we receive from KYC-Providers, Rule Stack Data and information pertaining to Token transactions to develop and improve our services for our customers, in particular to analyse risk patterns with legal requirements such as anti-money laundering provisions.

The data processing is carried out on the basis of legal provisions which authorise the data processing because we have a legitimate interest in improving our service and in offering and ensuring compliance with regulatory requirements for the transfer of Tokens without the affected data subjects having an overriding interest (Art. 6 para. 1(f) GDPR).

3.8 Contact and Service Inquiries

The service allows general contact or specific service inquiries to be submitted. When communicating via our service, we will process the respective Customer Data as well as additional information the respective user will provide to us (e.g. the content of the message).

We process that information in order to answer the inquiries. This processing is carried out on the basis of legal provisions which authorise the processing because it is necessary in order to process the inquiries (Art. 6 para. 1(b) GDPR).

After final answering of an inquiry, we delete the inquiry as well as information with regard to their handling with a period of three years after the end of the respective calendar year.

3.9 Cookies

Cookies are text files containing information that are stored on the users’ computers. We use cookies to increase the functionality of our service and to simplify the usage of our service. Through the use of cookies, we can provide login data as a personal pre-set the next time a user visits the service, which makes it possible, for example, to store the users’ passwords.

We therefore use so-called session cookies to maintain a login session. Session cookies are small information units in which a randomly generated identification number, the so-called session ID, is stored. In addition, a session cookie stores information about its origin and the storage period. These cookies cannot store any other data. Session cookies will be deleted at the latest within a period of 24 days.

The processing takes place on the basis of legal regulations which permit the processing because it is necessary for the intended and comprehensive provision of the service and the functionalities offered thereon (Art. 6 para. 1 (f) GDPR). If you would like more detailed information on the weighing of interests, please contact one of the addresses listed under section 1.

The service can also be used without cookies. Most Internet browsers automatically accept cookies. To prevent cookies from being stored each user may select “do not accept cookies” in his or her browser settings. Please refer to the instructions of the browser manufacturer to find out how this works in detail. Already stored cookies can be deleted at any time. Not accepting cookies may however lead to functional restrictions of our services.

4 Disclosure of Data

In addition to the other instances mentioned in this data protection statement, a disclosure of personal data may only occur in the following cases:

4.1 To criminal prosecution authorities as well as, if necessary, harmed third parties if necessary to investigate illegal or abusive use of the service. However, this only occurs if there are specific indications for illegal use or misuse. A disclosure can also take place if this serves to enforce the terms and conditions for the use of the service or other agreements or if necessary, to assert, exercise or defend legal claims.

4.2 We are also required by law to provide information to certain governmental agencies. These are the criminal prosecution authorities, public authorities that prosecute administrative misdemeanours sanctioned with fines and the tax authorities.

4.3 To the extent necessary to process a request or order, and in the case of centralised or outsourced business functions, personal data may be transferred to Agora affiliates for the purposes set out above.

4.4 From time to time we may rely on contracted third parties or other partners and external service providers such as IT service providers, business consultants and financial institutions to fulfil the purposes described herein or to provide our services. In such cases, personal data may be shared with these recipients.

4.5 During the course of the further development of our business, it is possible that the structure of our company will change by changing the legal form, establishing, purchasing or selling subsidiaries, company divisions or parts of the company. In case of such transactions, personal data is passed on together with the part of the business which is transferred. We make sure in the case of each disclosure of personal data to third parties as described above that this takes place in accordance with this data protection statement and applicable data protection laws.

4.6 Insofar as the recipients referred to in Sections 4.3 to 4.5 are entities outside the EU or the EEA, we shall ensure an appropriate level of data protection, for example by concluding appropriate contracts or on basis of appropriate certifications of the respective recipient, or ensure the applicability of an exemptions as per Art. 49 GDPR.

5 Access Right / Further Data Subjects’ Rights

Users have the right to obtain information at any time about the personal data stored about them. They may also be entitled to the following rights in case the respective requirements are met:

In addition, the users may object to processing of their personal data for reasons arising from their particular situation. However, this only applies in such cases in which we process data to fulfil a legitimate interest of Agora or a third party. If the user can state such a reason and we cannot assert a compelling, overriding interest for the further processing, we will not process these data further for the respective purpose.

This does not affect the other rights of objection described in this data protection statement.

If users wish to enforce any of the above mentioned rights or if they have questions about how we protect or process personal data, they can contact our data protection officer via the contact details provided in Section 2. After the final answering of an inquiry, we delete the inquiry with a period of three years after the end of the respective calendar year.

Users also have the right to file a complaint at any time with a supervisory authority, in particular a supervisory authority in the Member State where they are staying, working or the place of alleged infringement, if they believe that the processing of personal data concerning them is in violation of applicable data protection laws.

6 Deletion of Personal Data

Unless otherwise described in this data protection statement, we will only store personal data for as long as it is necessary to achieve the purposes stated herein or within the framework of an applicable statutory storage period; in the latter case, we will block the affected personal data for other processing operations.

7 Amendments to this Data Protection Statement

We reserve the right to amend this data protection statement from time to time and make changes as to which we process personal data. The current version of the data protection statement is always available under [www.ive.one/privacy-policy].