Privacy Policy

Block.one (an exempted company formed in the Cayman Islands with limited liability) and its affiliates (collectively, “we”, “us” or “our”) are committed to protecting the privacy of your personal information. This Privacy Policy explains how we demonstrate this commitment, including:

1. the types of information we collect through your use of our products and services including our software and our mobile applications, and your navigation of our websites;
2. the manner in which we use and share the information, and why;
3. the circumstances in which your information may be transferred to another country;
4. the rights you may have under relevant privacy or data protection laws;
5. cookies that we use or used by our service providers; and
6. whom you can reach out to regarding this Privacy Policy.

Where a law or regulation in the applicable jurisdiction requires us to provide you with a notice or other explanation of the information about you that we collect and process or similar, this Privacy Policy is intended to fulfill this obligation.

Scope

This Policy applies to your use of, access to, or participation in any of the following sources (collectively, our “Data Sources”):

1. our products, services, applications or software offered through the block.one website (our “Services”), unless a separate privacy policy is expressed to apply in respect of such Service; 
2. our Block.one website (URL: block.one or b1.com) and its subdomains regardless of the medium in which the Websites are accessed by a user (e.g., via a web or mobile browser) (the “Websites”);   
3. any events hosted by us, whether such events are open to the public or by invitation (collectively the “Events”); and 
4. subsections of social media platforms controlled by us, such as our Twitter, LinkedIn, or Facebook pages.

Personal Data We Process

We process the Personal Data we collect about you when you use, gain access to, or participate in our Data Sources. In this Policy, “Personal Data” means any information relating to an identified or identifiable natural person as may be collected or processed by us in connection with the Data Sources and includes “Personal Data” as defined in the EU General Data Protection Regulation 2016/679 (“GDPR”) or other applicable laws. 

As set out in the section below, we may process the following categories of Personal Data:

• Account Information, which means your Contact Information provided to us when creating an account as well as your username and user identification number. 
• Application Security Information, which means your passwords, two-factor authentication software or key pairs, security questions (including the answers to the said questions) and security device identification number. 
• Communications Information, which means the contents of the communications and correspondence between us, whether by email, through one of our Services, through your submission of an online form, or when you otherwise contact us. 
• Contact Information, including your first and last name, mailing address, email address, telephone number, mailing preference and other contact information you may provide when communicating with us through our Data Sources. 
• Financial Transaction Information, which means payment information, such as your credit or debit card number and other card information; other financial account and authentication information; and billing, contact details or cryptocurrency wallet address (including public key or private key). 
• Identity Verification Information, which is information that you provide as part of an identity verification process. It may include copies of the documents you submit to our service providers (for example, your passport or other ID document) and information our service providers derive from those documents for identity verification purposes. When you are going through the identity verification process, you should refer to any separate privacy policy made available by the relevant service provider for further information about how they process your Personal Data.
• Recruitment Information, which means your resume, employment history, qualifications, contact information, reference information, and other information you may submit when applying for a job with us. 
• Other Identifying Information, which means your IP address, device name and device ID, MAC address, GUID, coarse location and fine location. 
• Service Use Information, which means the information that you provide to us when you use our Services, such as information you may upload or generate when using our Services or communicating with us about our Services.

We collect Personal Data through:

• Your use of or participation in our Data Sources.
• Your use of our Services.
• Direct or unsolicited interactions, such as when you voluntarily provide your information to us by contacting us, submitting requests and comments, subscribing to our newsletters, submitting job applications, or otherwise engaging with us through our Data Sources. 
• Indirectly, such as when you provide your information to us through a social media platform, such as LinkedIn, Facebook, or Twitter.

We may also collect other types of anonymized statistical information in aggregate form when you use our Data Sources.

How We Use Your Personal Data

We only process certain types of your personal data as necessary to fulfil the terms of service for our Data Sources and in line with your agreement to do so or an appropriate basis for processing.  For these activities, the purpose of processing, categories of personal data used, and a description of the processing is outlined below.  For individuals who live in the European Economic Area (EEA), the table also identifies the legal basis under which we process your personal data.

Activity	Categories of Personal Data	Purpose of Processing	Lawful Basis
Providing Services	Account Information, Application Security Information, Communications Information, Identity Verification Information, Other Identifying Information, Service Use Information	Enable you to use our Services, manage your preferences, manage our Services including in accordance with your instructions, administer and troubleshoot our platforms, develop new and improve existing Services, detect abuse, fraud, and illegal activity on our platforms, enforce our Service terms and conditions	Performance of a Contract Legitimate Interest: Providing our Services and improving our Services and user experience
Engaging with us regarding investments and business opportunities	Communications Information, Contact Information, Identity Verification Information, Other Identifying Information	Enabling you to engage with us regarding investments and business opportunities, submitting proposals and grant requests, and informing you about or discussing potential opportunities	Performance of a Contract Legitimate Interest: Engaging with relevant parties regarding business or investment opportunities that may be of interest to us
Collecting or providing funds	Contact Information, Communications Information, Financial Transaction Information, Identity Verification Information	Enabling us to send or receive funds to or from individuals in connection with grants, investments, or services or other contracts, in compliance with our legal obligations and our internal policies and risk tolerance	Performance of a Contract Legitimate Interest: Sending or receiving funds in compliance with our obligations and company policies
Providing support for our Services	Account Information, Communications Information, Contact Information, Financial Transaction Information	Answer your queries, resolve matters with accounts, and otherwise provide general support related to our Services	Legitimate Interest: Respond, investigate, and resolve user queries
Security and investigations	Account Information, Application Security Information, Other Identifying Information, Service Use Information	Operate, administer, secure, and improve the safety and security operations of our Services, detect spam, prevent harmful or illegal conduct, investigate suspicious activity in breach of terms of Service, administer policies and rules applicable to the Service	Legitimate Interest: Security of the Services, protection of our business interests, and protection of data
Compliance with laws and regulations and protection of company interests	Account Information, Application Security Information, Financial Transaction Information, Identity Verification Information, Other Identifying Information, Service Use Information	Verify accounts and activity, including processing personal data for identity verification purposes, protect the business from fraud, money laundering, breach of confidence, theft of proprietary materials and other financial or business crimes	Legal Obligation Legitimate Interest: Complying with laws in the jurisdictions where we are subject to them, protecting the Services, protection of our business interests, and protection of data
Events and webinars	Contact Information, Communications Information, Financial Transaction Information	Facilitate Event registration, plan and execute Events, and share pre- and post-Event information with registrants and interested individuals	Performance of a Contract Legitimate Interest: Planning and executing Events, administering Event attendance, and distributing Event information
Marketing and surveys	Contact Information, Communications Information, Service Use Information	Provide you with relevant information about our Services and Events, send surveys, and send information that may be of interest to you based on your preferences	Consent
Website traffic analysis and usage analytics	Other Identifying Information, Service Use Information	Understand how users interact with our Websites, analyze Website traffic and usage, to improve our Websites and our offerings	Legitimate Interest: Understanding user behavior and preferences on our Websites to improve our Websites and user experience
Engaging with you on social media	Contact Information, Communications Information, Other Identifying Information	Engaging with you on social media, including on subsections of social media platforms controlled by us	Legitimate Interest: Understanding how you engage with us on social media, engaging users through social media platforms, and improving our social media activities and users’ social media experience
Potential recruitment by us	Recruitment Information, Identity Verification Information		Legitimate Interest: Evaluating job applications, making employment and other hiring decisions, and recruitment steps we must take prior to entering into employment contracts with individuals
Sharing with law enforcement/legal requests	Information that is the subject of a lawful request	Comply with valid legal requests from authorities, and to comply with our legal and regulatory obligations	Legal Obligation Legitimate Interest: Complying with laws in the jurisdictions where we are subject to them
Protection of the vital interests of an individual	Information required to protect the vital interest of an individual	Protect the life or physical safety of individuals, to combat harmful conduct, to promote safety and security	Vital Interests

In the above table, “consent” refers to Article 6(1)(a), “performance of a contract” or “steps we must take prior to entering into a contract” to Article 6(1)(b), and “legitimate interest” to Article 6(1)(f) of the GDPR.

How We Share Your Personal Data

We may share your Personal Data with the following categories of third parties:

• Third-party service providers who need access to Personal Data to assist us in delivering Services.  For example, such third parties include payment processors; information technology service providers; providers of identity verification services; website hosting providers; marketing, accounting, shipping, and delivery vendors; other business process outsourcing providers; and partners who assist us with administering programs we offer to you, such as our bug bounty program.  We endeavour to only share the minimum amount of Personal Data that these service providers need to perform their tasks. 
• Third-party service providers who need access to Personal Data to provide advertising and analytics services. For example, we use a third party for the collection and management of your Personal Data that enables us to deliver marketing communications about our Services and Events to you. 
• Our corporate affiliates, when necessary to complete the processing activities described above. 
• Other third parties, as reasonably necessary: 
  • In relation to a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part); or 
  • To: (i) comply with laws applicable to us, a request from a law enforcement agency, regulatory authority, public or judicial body having jurisdiction over us, or other legal process; (ii) protect our legitimate rights, privacy, property, vital interests, health and safety, as well as those of our customers, business partners, personnel, or the general public; (iii) seek professional advice, manage risk (including obtaining and managing insurance), pursue available remedies or limit damages; (iv) enforce our Terms of Use; or (v) respond to an emergency. 

We do not sell your Personal Data to third parties.

Third Party Applications and Websites

Our Data Sources may contain links to third-party applications not affiliated with us.  Your use of an external application or any informational content found on external applications is subject to and governed by the privacy policies, terms, and conditions of that application.  We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external applications are framed within our Data Sources.  Further, while we review the privacy practices of our vendors, we are not responsible for the privacy practices of any external applications with which we are not affiliated. The Websites may contain links to websites not affiliated with us. Your use of external websites or any informational content found on external websites is subject to and governed by the privacy policies, terms, and conditions of those websites.  We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external websites even if one or more pages of the external websites are framed within a page of our Websites. Further, we are not responsible for the privacy practices of any external websites with which we are not affiliated.

Advertising and Analytics Services Provided by Third Parties

We may allow others to serve advertisements on our behalf across the Internet and to provide analytics services. These entities may use cookies, web beacons and other technologies to collect information about your use of our Data Sources or other websites, including your IP address, web browser, pages viewed, blocks created, transactions undertaken, information provided to EOSIO blockchains, time spent on pages, links you clicked, and conversion information. This information may be used by us and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on the Websites, and better understand your online preferences. For more information about interest-based ads, please visit the Digital Advertising Alliance at www.aboutads.info/choices. 

The third-party service providers we use for advertising and Website analytics include:

• Google Analytics, a web analysis service provided by Google, uses cookies to collect information such as how often users visit the Website, what they view on the Website, and which websites they visited before coming to the Website.  Google’s ability to use and share information it collects about your visits to the Website is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. In order to protect your privacy, your IP address will be truncated. To opt-out of Google Analytics, you may disable cookies on your browser or install the Google Analytics Opt-Out Browser Ad-On.  To opt-out of DoubleClick’s advertising services, you may visit Google Ads Settings.
• Hotjar is an analytics sservice that helps us to better understand how our users use the Website through tools such as heatmaps and session recordings [and surveys]. Hotjar’s ability to use and share information it collects about your use of the Website is restricted by the Hotjar Terms of Service and the Hotjar Privacy Policy.

Cookies

We use Cookies, web beacons, and other data collecting technologies, such as when you navigate the Websites or click on links in the emails we send you.  A cookie is a small data file that is transferred to a web browser, allowing our Sites to remember and customize your subsequent visits. A web beacon (also called a “pixel tag” or “clear GIF”) is a piece of computer code that enables us to monitor user activity and website traffic.  To learn more about how we use cookies then please visit our Cookie Policy. For more information on cookies and web beacons more generally, please visit http://www.allaboutcookies.org.  

When you first land on the Websites, you will be asked for your consent to the placement of Cookies.  No cookies over which we have control will be placed on your browser without your consent.  Some pages on the Websites may contain iframes, such as pages with embedded videos hosted by third party services, and those third party services may place cookies on your browser.  If you wish to disable cookies placed by iframes, you should adjust your browser settings. You also have the option to manage your consent on an ongoing basis by opting out of any Cookies category except Strictly Necessary Cookies by changing your Cookie Settings Cookie Settings

Most web browsers allow some control of cookies through the browser settings. You can find out how to manage cookies on popular browsers on the browser’s websites or the browser developer’s websites.  Please note that if you choose to decline or block cookies by adjusting your browser settings, some or all of the Websites may not be functional or accessible to you.You may also visit http://tools.google.com/dlpage/gaoptout to opt out of being tracked by Google Analytics across all websites.

Your Rights

We will comply with any relevant legislation in the jurisdiction you are located in that confers you with some or all of the following rights with respect to your Personal Data.  To make a request, you can complete the B1 Data Subject Rights Request web form or contact us directly via the addresses below.

• To access the Personal Data we maintain about you. We will provide you free of charge with a copy of your Personal Data, but we may charge you a reasonable fee to cover our administrative costs if you request further copies of the same information. 
• To be provided with information about how we process your Personal Data. This will include information on the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, the recipients of your Personal Data and the safeguards regarding data transfers to other jurisdictions, subject to the limitations set out in applicable laws and regulations. 
• To correct your Personal Data. You have the right to ask us to rectify Personal Data you think is inaccurate or incomplete. In some cases, you will need to make these changes yourself by using the tools we provide in the Data Sources. 
• To have your Personal Data erased. You have a right to ask us to delete your Personal Data. In some cases, you will need to do the deletion yourself using the tools we provide in the Data Sources. We will decline your request for deletion if processing your Personal Data is necessary: (i) to comply with our legal obligations, such as fraud detection and monitoring, or being required; (ii) to perform a task in the public interest; (iii) in pursuit of a legal action; (iv) for exercising the right of freedom of expression and information; and (v) for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
• To object to how we process your Personal Data. Where we process your Personal Data based on our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will decline your request where we have a compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. 
• To be informed about direct marketing. You have the right to request us to tell you how your Personal Data has been shared, if at all, with third parties for the third parties’ direct marketing purposes. 
• To stop your Personal Data being used for direct marketing purposes. At your request, we will stop using your Personal Data for the purpose of direct marketing. If you want to stop us from contacting you in connection with marketing communications, please email us at the email address specified below. 
• To restrict how we process your Personal Data. At your request, we will limit the processing of your Personal Data if: 
  • you dispute the accuracy of your Personal Data; 
  • your Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your Personal Data; 
  • we no longer need to process your Personal Data, but you require your Personal Data in connection with a legal claim; or 
  • you object to the processing pending verification as to whether an overriding legitimate ground for such processing exists. 

We may continue to store your Personal Data to the extent processing is required or based on one of the following bases: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest. 

• The right to data portability.  You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, if: 
• the processing of your Personal Data is based on your consent or required for the performance of a contract; or 
• the processing is carried out by automated means.

Please note that this information might already be available to you via the Data Sources

• To withdraw any consent that you gave us to process your Personal Data. You have the right to withdraw any consent you may have previously given us at any time. Your consent withdrawal will not affect the lawfulness of the processing done before the withdrawal.
• To complain to a supervisory authority. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction. 

To exercise the above rights, please complete the B1 Data Subject Rights Request web form or contact us directly via the addresses below. We will consider and process your request within the required period of time.  Please be aware that under certain circumstances, or in relation to certain types of data, including pseudonymous data, the applicable legislation may limit your exercise of these rights. 

We do not sell your personal data to third parties.

International Data Transfers

Block.one Data Sources are primarily supported from our offices in the United States and Hong Kong. Information we collect from you may be processed in the United States and Hong Kong, and by using the Block.one services you acknowledge this and consent to the transfer of your personal data to these locations. We may also transfer your personal data to our other offices in countries outside of your jurisdiction for processing in accordance with this Privacy Policy and as permitted by the applicable laws. Such intra-organisational transfers are based on appropriate mechanisms, and we seek to apply suitable safeguards to these transfers and only use your data in a manner consistent with the practices set out in this Privacy Policy.

Where we rely on our service providers located outside of your jurisdiction and acting as data processors, we ensure that they are subject to laws ensuring an adequate level of data protection as set out in an applicable adequacy decision of the relevant regulatory authority or will ensure that an adequate level of data protection will be available, such as on the basis of data processing agreements and standard contractual clauses.

Retention of Personal Data

We retain Personal Data for the period of time necessary to fulfil the purposes outlined in this Privacy Policy and to comply with our record retention policies, unless a longer retention period is required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. 

Data Security

The security of your information is important to us. We have implemented appropriate technical, physical and administrative security measures intended to protect your Personal Data from unauthorized access, disclosure, alteration or destruction. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

Marketing

To opt-out of receiving marketing communications from us, please click the unsubscribe link that can be found at the bottom of every marketing email.  You may also let us know through the B1 Data Subject Rights Request web form or by reaching us at the email address specified below.  Please note that even if we stop all marketing communications, you may still receive administrative, legal, and other important or service-related communications from us.

Children’s Privacy

We do not market to and do not knowingly collect any Personal Data from or about a child under the age of 16 without the consent of the child’s parent or legal guardian. Our Data Sources are not intended for children under the age of 16.  Children under the age of 16 must not use our Data Sources for any purpose without first obtaining legally valid parental/guardian consent to this Privacy Policy (both for themselves and on your behalf). If you believe we have any Personal Data from any children under the age of 16 without such parental/guardian consent, please contact us at the email address specified below.

Do Not Track

Certain web browsers and other devices you may use to access the Websites may permit you to submit your preference that you do not wish to be “tracked” online. We do not currently commit to responding to these submissions, in part, because no common industry standard for “do not track” has been adopted by industry groups, technology companies, or regulators. We will make efforts to monitor developments around “do not track” browser technology and the implementation of a standard.  

Updates to the Privacy Notice

We reserve the right to amend this Policy at any time. You will know if the Policy has changed since the last time you reviewed it by checking the “Date of Last Update” section below. We therefore encourage you to review this Policy from time to time. To the extent permitted by law, by continuing to use our Data Sources after changes have been posted, you are confirming that you have read and understood the latest version of this Policy.

Our Role and How to Contact Us

Block.one acts as the data controller for your Personal Data unless a different affiliate is named in a separate privacy policy, or we have identified a different data controller for a particular processing operation.

If you have any questions, comments or complaints, or would like to exercise your rights concerning your Personal Data and privacy preferences, you may use our available self-service options or contact in the following ways: 

• Submit a request or query through the B1 Data Subject Rights Request web form
• Contact us directly at privacy@block.one 

If you are in the EEA, you may also contact our EU representative, designated for the purposes of Article 27 of the GDPR:

• Achieved Compliance Advocacy, Ltd., Attn:  Ms. S. Ali re Block.one, Singel 250; 1016 AB, Amsterdam, Netherlands​
• privacy-eu@block.one 

If you are in the UK, you may also contact our designated UK representative:

• Achieved Compliance Advocacy, Ltd., Attn:  Ms. S. Ali re Block.one, Princess House, Princess Way, Swansea, UK SA1 3LW
• privacy-eu@block.one 

Alternatively, you may contact our appointed Data Protection Officer (DPO) whose contact details are as follows:

• HewardMills Ltd., 77 Farringdon Road, London, UK EC1M 3 JU.
• dpo@hewardmills.com