# Privacy Policy **Last Updated: 01/14/2026** *** ## 1. Who We Are **ADDU** (hereinafter "ADDU", "we", "us" or "our") is a **French non-profit association** (Association loi 1901) governed by French law, with its registered office at: **10 rue de la Paix, 75002 Paris, France** ADDU operates websites and interfaces enabling access to certain functionalities related to digital assets and smart contracts (the "Services"), in particular through: * fira.money * app.fira.money (together, the "Site") *** ## 2. Purpose of This Privacy Policy This Privacy Policy explains: * What personal data we collect * Why and on what legal basis we process it * With whom we share it * How long we retain it * Your GDPR rights and how to exercise them *** ## 3. Definitions | Term | Definition | | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Personal Data** | Any information relating to an identified or identifiable natural person (e.g., email address, IP address, online identifier, a wallet address if it can identify a person) | | **Processing** | Any operation performed on personal data (collection, storage, consultation, deletion, etc.) | | **Controller** | The entity that determines the purposes and means of the processing (ADDU for the processing described here, except for blockchain processing) | *** ## 4. Eligibility (Minors) The Services are not intended for individuals under 18 and we do not knowingly collect personal data from children. If we become aware that a minor has provided us with personal data, we will delete it as soon as reasonably possible, subject to our legal obligations. *** ## 5. What Data Do We Collect? ### 5.1 Data You Provide to Us * **Identity and contact data:** first and last name, email address, nationality (if provided) * **Communications:** content of messages sent to our support (e.g., feedback, questions, job applications, requests) ### 5.2 Technical and Usage Data * **Connection data:** IP address, logs, date/time, browser information * **Device and configuration data:** version, time zone, settings, language * **Audience and performance measurement:** technical errors, interactions with the Site, usage events ### 5.3 Web3-Related Data Depending on how the dApp operates, we may process: * Wallet address(es) (public key) * Transaction identifiers (hash) * Network * Relevant smart contract(s) * Data necessary for operations, security, and support :::note Some of this information may also exist on-chain (see Section 10). ::: ### 5.4 Cookies and Trackers We use cookies and similar technologies (see Section 11). *** ## 6. Why Do We Process Your Data? In accordance with the GDPR, we process personal data only when we have a legal basis. ### Main Purposes | Purpose | Data | Legal Basis | | ------------------------------------------------- | ---------------------------------------- | -------------------------------------------------------- | | Support and Communications | Name, email, communications content | Performance of contract / Legitimate interests / Consent | | Providing, Maintaining and Improving the Services | Technical data, logs, usage events | Legitimate interests / Performance of contract | | Security, Fraud and Abuse Prevention | Logs, IP address, technical signals | Legitimate interests / Legal obligations | | Legal and Regulatory Compliance | Any data necessary | Legal obligation | | Non-Essential Cookies | Cookie identifiers, audience measurement | Consent | *** ## 7. Who Do We Share Your Data With? ### 7.1 Internal Recipients Access is restricted to personnel who need to know (support, engineering, security). ### 7.2 Processors (Service Providers) We may share data with service providers acting as processors (hosting, support tools, analytics if enabled, security tooling, communications). ### 7.3 Authorities and Legal Requirements We may disclose data where required to do so by law. ### 7.4 Partners If personal data is shared with corporate partners, such sharing must be limited and framed. *** ## 8. International Transfers Your data may be processed outside the European Economic Area. Where that happens, we implement appropriate safeguards: * Standard Contractual Clauses approved by the European Commission * Additional measures where required (encryption, minimization, access controls) *** ## 9. Data Retention We retain personal data only as long as necessary for the purposes described above. | Data Type | Retention Period | | ------------------------- | ----------------------------------------------- | | Support/communications | As long as needed + up to 5 years for archiving | | Account/relationship data | 5 years after account closure | | Transaction-related data | 5 years from transaction date | | Security logs | A few months (unless incident requires longer) | :::warning\[Blockchain Data] Data recorded on a public blockchain may be non-erasable. ::: *** ## 10. Blockchain-Specific Notice :::danger\[Important] Public blockchains provide transaction transparency. Some information (e.g., wallet addresses, amounts, transaction hashes) may be recorded **permanently** on-chain. ::: ADDU does not control public blockchains (decentralized networks) and is not responsible for processing carried out by such networks nor for on-chain persistence. As a result, certain rights (in particular erasure and rectification) may be technically limited for on-chain data. **Recommendation:** Do not insert directly identifying personal data (e.g., name, email) into public transaction fields or metadata. *** ## 11. Cookies and Similar Technologies ### 11.1 What is a Cookie? A cookie/tracker is a file or identifier stored/read on your device to enable technical functionality, measure audience, store preferences, etc. ### 11.2 Strictly Necessary Cookies (No Consent Required) We may use technical cookies essential to operate the Site (e.g., session management, security, load balancing). ### 11.3 Non-Essential Cookies (Consent Required) Analytics, advanced personalization, or advertising cookies (if used) generally require your prior consent. *** ## 12. Security We implement reasonable technical and organizational measures to protect your data: * Access controls * Minimization * Logging * Backups * Application security :::note No method provides absolute security, and a residual risk cannot be entirely eliminated. ::: *** ## 13. Your GDPR Rights Subject to legal conditions and limitations, you have the right to: | Right | Description | | ---------------------------- | -------------------------------------------------- | | **Access** | Access your data | | **Rectification** | Rectify your data | | **Erasure** | Erase your data (in certain cases) | | **Restriction** | Restrict processing | | **Object** | Object to processing based on legitimate interests | | **Portability** | Data portability (where applicable) | | **Withdraw Consent** | Withdraw consent at any time | | **Post-mortem Instructions** | Under French law | :::warning\[Blockchain Limitation] The exercise of certain rights may be limited for on-chain data. ::: *** ## 14. How to Exercise Your Rights You may contact us: **By email:** **By post:** ADDU – 10 rue de la Paix, 75002 Paris, France *** ## 15. Complaints with a Supervisory Authority If you believe your rights are not respected, you may lodge a complaint with the **CNIL** (France): **CNIL – 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07** *** ## 16. Third-Party Links The Site may contain links to third-party websites. We do not control those sites and this Privacy Policy does not apply to them. *** ## 17. Changes to This Privacy Policy We may update this Privacy Policy at any time. Where changes are material, we will post a notice on the Site and the updated version will apply as of publication. *** ## 18. Contact If you have any questions about privacy, please contact: ****