Privacy Policy
Last updated: 01/14/2026
1. Who we are
ADDU (hereinafter “ADDU”, “we”, “us” or “our”) is a French non-profit association (Association loi 1901) governed by French law, with its registered office at 10 rue de la Paix, 75002 Paris, France.
ADDU operates websites and interfaces enabling access to certain functionalities related to digital assets and smart contracts (the “Services”), in particular through:
fira.money
app.fira.money
(together, the “Site”).
ADDU has developed a tool/protocol (referred to in our documentation as “Fira” / the “Fira Protocol”) enabling, among other things, interaction with smart contracts (e.g., lending/borrowing, staking, digital asset transactions). Certain operations may involve public blockchains (see Section 10).
For more legal information, please consult our Legal Notice.
2. Purpose of this Privacy Policy
This Privacy Policy explains:
what personal data we collect,
why and on what legal basis we process it,
with whom we share it,
how long we retain it,
your GDPR rights and how to exercise them.
3. Definitions (summary)
Personal Data: any information relating to an identified or identifiable natural person (e.g., email address, IP address, online identifier, a wallet address if it can identify a person).
Processing: any operation performed on personal data (collection, storage, consultation, deletion, etc.).
Controller: the entity that determines the purposes and means of the processing (ADDU for the processing described here, except for blockchain processing—see Section 10).
4. Eligibility (minors)
The Services are not intended for individuals under 18 and we do not knowingly collect personal data from children.
If we become aware that a minor has provided us with personal data, we will delete it as soon as reasonably possible, subject to our legal obligations.
5. What data do we collect?
We may collect the following categories of data:
5.1 Data you provide to us
Identity and contact data: first and last name, email address, nationality (if provided).
Communications: content of messages sent to our support (e.g., feedback, questions, job applications, requests).
5.2 Technical and usage data
Connection data: IP address, logs, date/time, browser information.
Device and configuration data: version, time zone, settings, language.
Audience and performance measurement: technical errors, interactions with the Site, usage events.
5.3 Web3-related data (where applicable)
Depending on how the dApp operates, we may process (directly via our systems and/or indirectly through infrastructure providers):
wallet address(es) (public key),
transaction identifiers (hash), network, relevant smart contract(s),
data necessary for operations, security, and support.
Please note: some of this information may also exist on-chain (see Section 10).
5.4 Cookies and trackers
We use cookies and similar technologies (see Section 11).
6. Why do we process your data? (Purposes & legal bases)
In accordance with the GDPR, we process personal data only when we have a legal basis.
6.1 Main purposes table
A) Support and communications
Data: name, email, communications content, potentially nationality if provided.
Purposes: respond to requests, user support, contact management, service-related communications.
Legal basis:
Performance of a contract or pre-contractual measures (where your request relates to accessing/using the Services)
Legitimate interests (support, service improvement, security)
Consent (where we specifically ask for it for a stated purpose)
B) Providing, maintaining and improving the Services
Data: technical data, logs, usage events, error reports.
Purposes: operate the Site, troubleshoot, fix bugs, improve performance and UX.
Legal basis: legitimate interests and/or performance of a contract.
C) Security, fraud and abuse prevention
Data: logs, IP address, technical signals, usage events.
Purposes: secure the Site, detect/prevent attacks, abuse, fraud.
Legal basis: legitimate interests and, where applicable, legal obligations.
D) Legal and regulatory compliance
Data: any data necessary depending on the context.
Purposes: respond to lawful requests from authorities, comply with applicable laws and regulations.
Legal basis: legal obligation.
E) Non-essential cookies (if used)
Data: cookie identifiers, audience measurement, preferences.
Purposes: analytics, advanced personalization, etc.
Legal basis: consent (see Section 11).
6.2 Mandatory vs. optional data
Some data is required for the Site to function (e.g., security logs, necessary technical cookies). Without it, parts of the Site may not work properly.
Data you provide to support is optional, but needed for us to respond accurately.
7. Who do we share your data with?
We limit access to personal data to authorized persons only.
7.1 Internal recipients
Access is restricted to personnel who need to know (support, engineering, security).
7.2 Processors (service providers)
We may share data with service providers acting as processors (hosting, support tools, analytics if enabled, security tooling, communications). They process data on our instructions, under contractual safeguards (confidentiality, security, GDPR commitments).
7.3 Authorities and legal requirements
We may disclose data where required to do so by law (administrative/judicial authorities, lawful requests).
7.4 Partners
If personal data is shared with corporate partners, such sharing must be limited and framed. Ideally, specify who, why, and the parties’ roles (joint controller / independent controller / processor). (To be aligned with your actual operations.)
8. International transfers (outside the EEA)
Your data may be processed outside the European Economic Area where certain providers are located outside the EEA.
Where that happens, we implement appropriate safeguards, such as:
Standard Contractual Clauses approved by the European Commission,
additional measures where required (encryption, minimization, access controls).
9. Data retention
We retain personal data only as long as necessary for the purposes described above, then delete or anonymize it, unless we are legally required to retain it longer.
Indicative periods (based on your prior draft):
Support/communications: as long as needed to handle the request, plus evidentiary archiving where relevant (up to 5 years under your policy).
Account/relationship data: in principle, deletion 5 years after account closure (where applicable).
Transaction-related data held by ADDU: in principle, 5 years from the transaction date, depending on legal/proof requirements.
Security logs: a short, proportionate period (often a few months) unless an incident requires longer retention.
Please note: data recorded on a public blockchain may be
non-erasable
10. Blockchain-specific notice (important)
Public blockchains provide transaction transparency. Some information (e.g., wallet addresses, amounts, transaction hashes) may be recorded permanently on-chain.
ADDU does not control public blockchains (decentralized networks) and is not responsible for processing carried out by such networks (validators/nodes) nor for on-chain persistence.
As a result, certain rights (in particular erasure and rectification) may be technically limited for on-chain data.
We recommend that you do not insert directly identifying personal data (e.g., name, email) into public transaction fields or metadata.
11. Cookies and similar technologies
11.1 What is a cookie?
A cookie/tracker is a file or identifier stored/read on your device to enable technical functionality, measure audience, store preferences, etc.
11.2 Strictly necessary cookies (no consent required)
We may use technical cookies essential to operate the Site (e.g., session management, security, load balancing). These do not require your consent.
11.3 Non-essential cookies (consent required)
Analytics, advanced personalization, or advertising cookies (if used) generally require your prior consent.
You can accept/refuse via the cookie banner and change your choices at any time through the cookie management tool.
11.4 Cookie list
A detailed list (name, purpose, retention period, provider) should be made available through your cookie preference center.
12. Security
We implement reasonable technical and organizational measures to protect your data (access controls, minimization, logging, backups, application security, etc.).
No method provides absolute security, and a residual risk cannot be entirely eliminated.
13. Your GDPR rights
Subject to legal conditions and limitations, you have the right to:
Access your data,
Rectify your data,
Erase your data (in certain cases),
Restrict processing,
Object (notably where processing is based on legitimate interests),
Data portability (where applicable),
Withdraw consent at any time (without affecting past lawfulness),
Post-mortem instructions (under French law).
⚠️ Blockchain limitation: the exercise of certain rights may be limited for on-chain data (Section 10).
14. How to exercise your rights
You may contact us:
by email: [email protected]
by post: ADDU – 10 rue de la Paix, 75002 Paris, France
To prevent fraudulent requests, we may ask for information necessary to verify your identity, only where required and proportionate.
15. Complaints with a supervisory authority
If you believe your rights are not respected, you may lodge a complaint with the CNIL (France), notably via its website, or by post at:
CNIL – 3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
16. Third-party links
The Site may contain links to third-party websites. We do not control those sites and this Privacy Policy does not apply to them. We encourage you to review their privacy policies.
17. Changes to this Privacy Policy
We may update this Privacy Policy at any time. Where changes are material, we will post a notice on the Site and the updated version will apply as of publication.
18. Contact
If you have any questions about privacy, please contact: [email protected].
Last updated