1. Introduction

Creova ("we," "us," or "our") is an Ethereum-native platform for supporting public goods operated by [Creova Group Ltd], a [company] registered in [England/Wales/Scotland/Northern Ireland, Registration Number if applicable]. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform ("Platform") to participate in community-driven, non-commercial funding for public goods. It applies to all users, including funders, project creators, and treasury grant applicants. By accessing or using the Platform, you consent to the data practices described herein. If you do not agree, please do not use the Platform.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 On-Chain Data (Publicly Available)

Wallet Addresses: Ethereum addresses used for transactions.

Transaction Histories: Contributions, withdrawals, and funding details recorded on the Ethereum blockchain.

Project Data: Information stored in smart contracts, such as IPFS content identifiers (CIDs) for project descriptions, hero media, and milestone proofs.

Note: On-chain data is publicly accessible and immutable due to the nature of blockchain technology.

2.2 Off-Chain Data (Private)

Identity Verification Data: For treasury grant applicants and users withdrawing over 5 ETH (or equivalent in GBP), we collect via our third-party KYC provider (e.g., Sumsub):

• Full name
• Date of birth
• Government-issued identification (e.g., passport, driving licence)
• Proof of address (e.g., utility bill)

Contact Information: Email addresses provided when you contact us for support or inquiries.

Technical Data: IP addresses, browser type, and device information collected to enhance security and prevent fraud.

3. How We Use Your Data

We process your personal data for the following purposes, based on lawful grounds under UK GDPR:

• Platform Operation (Performance of a Contract): To facilitate crowdfunding, treasury grants, and smart contract interactions as outlined in our Terms & Conditions.
• KYC & Compliance (Legal Obligation): To verify identities for compliance with UK anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
• Security & Fraud Prevention (Legitimate Interests): To monitor transactions and protect the Platform from unauthorised or fraudulent activities.
• Legal & Regulatory Compliance (Legal Obligation): To meet requirements under UK financial regulations, tax laws, and UK GDPR.
• User Support & Communication (Legitimate Interests): To respond to inquiries, provide updates, and improve user experience.

4. Data Sharing & Third Parties

We do not sell your personal data. We may share it with:

• KYC Provider: Third-party services (e.g., Sumsub) for identity verification. These providers are contractually bound to protect your data under UK GDPR-compliant agreements.
• Law Enforcement & Regulators: When required by UK law or regulatory authorities (e.g., HMRC, Financial Conduct Authority).
• Blockchain Network: On-chain data (e.g., wallet addresses, transaction details) is inherently shared with the Ethereum network and publicly accessible.
• Service Providers: Limited technical providers (e.g., hosting services) under strict data protection agreements.

If data is transferred outside the UK (e.g., to Sumsub’s servers), we ensure adequate safeguards (e.g., UK International Data Transfer Agreement or adequacy decisions).

5. Data Retention

• On-Chain Data: Permanent and immutable due to blockchain technology; we cannot delete it.
• Off-Chain KYC Data: Retained securely for 5 years post-transaction to comply with UK AML regulations, then securely deleted unless further retention is legally required.
• Contact Information: Kept for 12 months after resolution of support inquiries, then deleted unless needed for ongoing disputes.
• Technical Data: Retained for 6 months for security purposes, then anonymised or deleted.

6. Your Data Rights

Under UK GDPR, you have the following rights:

• Right to Access: Request a copy of your personal data we hold.
• Right to Rectification: Request corrections to inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of off-chain personal data, subject to legal retention obligations (e.g., AML). On-chain data cannot be erased due to blockchain immutability.
• Right to Restrict Processing: Limit how we use your data in certain circumstances.
• Right to Object: Object to processing based on legitimate interests (e.g., fraud prevention), which we will review.
• Right to Data Portability: Receive your off-chain data in a structured, machine-readable format.

To exercise these rights, email us at privacy@creova.xyz. We will respond within 1 month, extendable to 3 months for complex requests. If unsatisfied, you may complain to the Information Commissioner’s Office (ICO) at www.ico.org.uk.

7. Security Measures

• Encryption: Off-chain data (e.g., KYC records) is encrypted in transit and at rest.
• Access Controls: Only authorised personnel with a strict need-to-know basis can access private data.
• Smart Contract Audits: Regular security reviews of our blockchain infrastructure to mitigate vulnerabilities.
• Monitoring: Continuous monitoring for suspicious activity.

Despite these efforts, no system is 100% secure, especially on public blockchains. You accept these inherent risks by using the Platform.

8. Cookies & Tracking

• We may use cookies and similar technologies on our website to:
• Enhance user experience (e.g., remembering preferences).
• Improve security (e.g., detecting fraud).

You consent to cookies by using the Platform. You can manage preferences via your browser settings, though disabling cookies may limit functionality.

9. Changes to This Policy

We may update this Privacy Policy as needed. Significant changes will be announced on our website ([insert website]) or via email/X at least 14 days before taking effect. Continued use of the Platform after changes indicates your acceptance.

10. Contact Us

For privacy-related inquiries or to exercise your rights, contact our Data Protection Officer at:

• Email: adam@creova.xyz
• Post: [Creova Group Ltd], [3 Childwick Green, Childwickbury], [AL36JJ]