diff --git a/docs/legal/privacy-policy.mdx b/docs/legal/privacy-policy.mdx index 578c0a4ad..885d77f74 100644 --- a/docs/legal/privacy-policy.mdx +++ b/docs/legal/privacy-policy.mdx 
@@ -3,86 +3,133 @@ title: Privacy Policy description: "Privacy Policy | Documentation - Web3Auth" --- -Latest update: 2 June 2023 +Latest update: **9 December 2024** -This privacy policy is applicable to Web3Auth's Products (https://auth.web3auth.io), Torus wallet (https://app.tor.us). This privacy policy explicitly -excludes business and developer interactions including the website (https://dashboard.web3auth.io). The policy does extend to Web3Auth/Torus's -interactions with clients that integrate its SDK, but does not include what data our clients manage and collect themselves. +This privacy policy is applicable to Web3Auth's Products +([https://auth.web3auth.io](https://auth.web3auth.io/), +[https://wallet.web3auth.io](https://wallet.web3auth.io)), Torus wallet +([https://app.tor.us](https://app.tor.us/)). This privacy policy explicitly excludes business and +developer interactions including the website +([https://dashboard.web3auth.io](https://dashboard.web3auth.io/)). The policy does extend to +Web3Auth/Torus's interactions with clients that integrate its SDK, but does not include what data +our clients manage and collect themselves. ## Owner and Data Controller -Torus Labs Private Limited, 38 Lor Stangee, Singapore 425021 +Torus Labs Private Limited, 60 Paya Lebar Road, \#04-23, Paya Lebar Square, Singapore 409051 -**Contact email:** hello@tor.us +Contact email: hello@web3auth.io ## Types of Data Collected -Among the types of Data that Web3Auth collects, by itself or through third parties, there are: Anonymized Identifiers; Anonymized Usage Data. +We collect and process the following types of data: -The only data that Web3Auth requires is anonymised unique strings from third party authentication providers or clients, while user identifiable data -from third party sources may be used to personalise user accounts on the user's client side, no user personal data is collected or stored by Web3Auth. +**Account Identifying Information:** AccountIDs like FacebookID. 
-With regards to Anonymized Usage Data, details on each type of Anonymized Usage Data collected are provided in the dedicated sections of this privacy -policy or by specific explanation texts displayed prior to the Data collection. Anonymized Usage Data is collected automatically when using Web3Auth. +**Personal Identification Information:** Usernames, first names, last names, email addresses, and +phone numbers. + +**Anonymised Usage Data:** Session history + +With regards to Anonymized Usage Data, details on each type of Anonymized Usage Data collected are +provided in the dedicated sections of this privacy policy or by specific explanation texts displayed +prior to the Data collection. Anonymized Usage Data is collected automatically when using Web3Auth. Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. -Web3Auth speficically does not use cookies to track users on its services. Cookies are explicitly used only on static sites defined in our Cookie -Policy. +Web3Auth specifically does not use cookies to track users on its services. Cookies are explicitly +used only on static sites defined in our Cookie Policy. ## Mode and Place of Processing the Data ### Methods of Processing -The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data whilst -on the users client-side. The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes -strictly related to the purposes indicated. 
In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, -involved with the operation of Owner's \(administration, sales, marketing, legal, system administration\) or external parties \(such as third-party -technical service providers, mail carriers, hosting providers, IT companies, communications agencies\) appointed, if necessary, as Data Processors by -the Owner. The updated list of these parties may be requested from the Owner at any time. +The Owner takes appropriate security measures to prevent unauthorized access, disclosure, +modification, or unauthorized destruction of the Data whilst on the users client-side. The Data +processing is carried out using computers and/or IT enabled tools, following organizational +procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some +cases, the Data may be accessible to certain types of persons in charge, involved with the operation +of Owner's (administration, sales, marketing, legal, system administration) or external parties +(such as third-party technical service providers, mail carriers, hosting providers, IT companies, +communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list +of these parties may be requested from the Owner at any time. ### Legal Basis of Processing The Owner may process Personal Data relating to Users if one of the following applies: -- Users have given their consent for one or more specific purposes. Note: Under some legislations the Owner may be allowed to process Personal Data - until the User objects to such processing \(“opt-out”\), without having to rely on consent or any other of the following legal bases. 
This, however, - does not apply, whenever the processing of Personal Data is subject to European data protection law; -- provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof; +- Users have given their consent for one or more specific purposes. Note: Under some legislations + the Owner may be allowed to process Personal Data until the User objects to such processing + (“opt-out”), without having to rely on consent or any other of the following legal bases. This, + however, does not apply, whenever the processing of Personal Data is subject to European data + protection law; +- provision of Data is necessary for the performance of an agreement with the User and/or for any + pre-contractual obligations thereof; - processing is necessary for compliance with a legal obligation to which the Owner is subject; -- processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner; -- processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party. +- processing is related to a task that is carried out in the public interest or in the exercise of + official authority vested in the Owner; +- processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a + third party. -In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of -Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract. +In any case, the Owner will gladly help to clarify the specific legal basis that applies to the +processing, and in particular whether the provision of Personal Data is a statutory or contractual +requirement, or a requirement necessary to enter into a contract. ### Place -The Data is processed Owner's software on user devices. 
There is no user specific data that is processed on servers that can identify the user. +The Data is processed Owner's software on user devices. There is no user specific data that is +processed on servers that can identify the user. -The users' Anonymized Usage Data is processed on the Owner's offices and premises as well as cloud setups managed by the Owner. +The users' Anonymized Usage Data is processed on the Owner's offices and premises as well as cloud +setups managed by the Owner. -Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization -governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to +Users are also entitled to learn about the legal basis of Data transfers to a country outside the +European Union or to any international organization governed by public international law or set up +by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data. ### Retention Time -Anonymized Usage Data shall be processed and stored for as long as required by the purpose they have been collected for. +Anonymized Usage Data shall be processed and stored for as long as required by the purpose they have +been collected for. -Furthermore, the Owner may be obliged to retain Anonymized Usage Data for a longer period whenever required to do so for the performance of a legal -obligation or upon order of an authority. +Furthermore, the Owner may be obliged to retain Anonymized Usage Data for a longer period whenever +required to do so for the performance of a legal obligation or upon order of an authority. -Once the retention period expires, Anonymized Usage Data shall be deleted. 
Therefore, the right to access, the right to erasure, the right to -rectification and the right to data portability cannot be enforced after expiration of the retention period. +Once the retention period expires, Anonymized Usage Data shall be deleted. Therefore, the right to +access, the right to erasure, the right to rectification and the right to data portability cannot be +enforced after expiration of the retention period. ## The Purposes of Processing -The Data concerning the User is collected to allow the Owner to provide its Services, as well as for the following purposes: Analytics, Tag -Management, Registration and authentication, Displaying content from external platforms and Traffic optimization and distribution. +Your data is processed in the following ways: + +Collection + +Only Account Identifying Information is collected via account registrations with Web3Auth. + +Storage + +Account Identifying Information is then tokenised into anonymised strings and securely stored in +encrypted databases compliant with security standards. Personal Identification Information is only +used with the User’s session, and is not stored during the entire use of our service. + +Usage + +The Data concerning the User is collected to allow the Owner to provide its Services in Registration +and Authentication by associating Web3Auth wallets to User accounts, as well as for the following +purposes: Analytics, Tag Management, Displaying content from external platforms and Traffic +optimization and distribution. + +Personal Identification Information may be used to personalise and improve user experience. -Users can find further detailed information about such purposes of processing and about the specific Anonymized Usage Data used for each purpose in -the respective sections of this document. +Sharing + +Data may be shared with trusted service providers, affiliates, and legal authorities only as +necessary and in compliance with applicable laws. 
+ +Users can find further detailed information about such purposes of processing and about the specific +Anonymized Usage Data used for each purpose in the respective sections of this document. ## Detailed Information on the Processing of Anonymized Usage Data 
@@ -90,54 +137,65 @@ Anonymized Usage Data is collected for the following purposes and using the foll ### Analytics -The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to optimized Web3Auth software. +The services contained in this section enable the Owner to monitor and analyze web traffic and can +be used to optimized Web3Auth software. ### Displaying Content from External Platforms -This type of service allows you to view content hosted on external platforms directly from the pages of Web3Auth and interact with them. This type of -service might still collect web traffic data for the pages where the service is installed, even when Users do not use it. +This type of service allows you to view content hosted on external platforms directly from the pages +of Web3Auth and interact with them. This type of service might still collect web traffic data for +the pages where the service is installed, even when Users do not use it. ### Registration and Authentication -By registering or authenticating, Users allow Web3Auth to identify them and give them access to dedicated services. Depending on what is described -below, third parties may provide registration and authentication services. In this case, Web3Auth will be able to access some Data (that it will not +By registering or authenticating, Users allow Web3Auth to identify them and give them access to +dedicated services. Depending on what is described below, third parties may provide registration and +authentication services. In this case, Web3Auth will be able to access some Data (that it will not store), by these third-party services, for registration or identification purposes. -**Google OAuth \(Google LLC\)** +Google OAuth (Google LLC) -Google OAuth is a registration and authentication service provided by Google LLC and is connected to the Google network. 
+Google OAuth is a registration and authentication service provided by Google LLC and is connected to +the Google network. Personal Data collected: various types of Data as specified in the privacy policy of the service. -Place of processing: United States – [Privacy Policy](https://policies.google.com/privacy). Privacy Shield participant. +Place of processing: United States – [Privacy Policy](https://policies.google.com/privacy). Privacy +Shield participant. ### Tag Management -This type of service helps the Owner to manage the tags or scripts needed on Web3Auth in a centralized fashion. This results in the Users' Data -flowing through these services, potentially resulting in the retention of this Data. +This type of service helps the Owner to manage the tags or scripts needed on Web3Auth in a +centralized fashion. This results in the Users' Data flowing through these services, potentially +resulting in the retention of this Data. -**Google Tag Manager \(Google LLC\)** +Google Tag Manager (Google LLC) Google Tag Manager is a tag management service provided by Google LLC. Personal Data collected: Cookies; Anonymized Usage Data. -Place of processing: United States – [Privacy Policy](https://policies.google.com/privacy). Privacy Shield participant. +Place of processing: United States – [Privacy Policy](https://policies.google.com/privacy). Privacy +Shield participant. ### Traffic Optimization and Distribution -This type of service allows Web3Auth to distribute their content using servers located across different countries and to optimize their performance. -Which Personal Data are processed depends on the characteristics and the way these services are implemented. Their function is to filter -communications between Web3Auth and the User's browser. Considering the widespread distribution of this system, it is difficult to determine the -locations to which the contents that may contain Personal Information User are transferred. 
+This type of service allows Web3Auth to distribute their content using servers located across +different countries and to optimize their performance. Which Personal Data are processed depends on +the characteristics and the way these services are implemented. Their function is to filter +communications between Web3Auth and the User's browser. Considering the widespread distribution of +this system, it is difficult to determine the locations to which the contents that may contain +Personal Information User are transferred. -**Cloudflare \(Cloudflare Inc.\)** +Cloudflare (Cloudflare Inc.) -Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc. The way Cloudflare is integrated means that it filters all -the traffic through Web3Auth, i.e., communication between Web3Auth and the User's browser, while also allowing analytical data from Web3Auth to be +Cloudflare is a traffic optimization and distribution service provided by Cloudflare Inc. The way +Cloudflare is integrated means that it filters all the traffic through Web3Auth, i.e., communication +between Web3Auth and the User's browser, while also allowing analytical data from Web3Auth to be collected. -Personal Data collected: Cookies; various types of Data as specified in the privacy policy of the service. +Personal Data collected: Cookies; various types of Data as specified in the privacy policy of the +service. Place of processing: United States – [Privacy Policy](https://www.cloudflare.com/privacypolicy/). 
@@ -145,132 +203,171 @@ Place of processing: United States – [Privacy Policy](https://www.cloudflare.c Users may exercise certain rights regarding their Data processed by the Owner. -In particular, Users have the right to do the following, if they can identify their Anonymized Data. Much of this exists for the right of the user, -but may not be technically enforcable by Web3Auth as Personal Data is not stored: - -- **Withdraw their consent at any time.** Users have the right to withdraw consent where they have previously given their consent to the processing of - their Anonymized Data. -- **Object to processing of their Data.** Users have the right to object to the processing of their Personal Data if the processing is carried out on - a legal basis other than consent. Further details are provided in the dedicated section below. -- **Access their Data.** Users have the right to learn if any forms of Personal Data is being processed by the Owner, obtain disclosure regarding - certain aspects of the processing and obtain a copy of the Data undergoing processing. -- **Verify and seek rectification.** Users have the right to verify the accuracy of their Personal Data and ask for it to be updated or corrected. -- **Restrict the processing of their Data.** Users have the right, under certain circumstances, to restrict the processing of their Data. In this - case, the Owner will not process their Data for any purpose other than storing it. -- **Have their Personal Data deleted or otherwise removed.** Users have the right, under certain circumstances, to obtain the erasure of their Data - from the Owner. -- **Receive their Data and have it transferred to another controller.** Users have the right to receive their Data in a structured, commonly used and - machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. 
This provision is - applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the - User is part of or on pre-contractual obligations thereof. -- **Lodge a complaint.** Users have the right to bring a claim before their competent data protection authority. +In particular, Users have the right to do the following: + +- Withdraw their consent at any time. Users have the right to withdraw consent where they have + previously given their consent to the processing of their Anonymized Data. +- Object to processing of their Data. Users have the right to object to the processing of their + Personal Data if the processing is carried out on a legal basis other than consent. Further + details are provided in the dedicated section below. +- Access their Data. Users have the right to learn if any forms of Personal Data is being processed + by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of + the Data undergoing processing. +- Verify and seek rectification. Users have the right to verify the accuracy of their Personal Data + and ask for it to be updated or corrected. +- Restrict the processing of their Data. Users have the right, under certain circumstances, to + restrict the processing of their Data. In this case, the Owner will not process their Data for any + purpose other than storing it. +- Have their Personal Data deleted or otherwise removed. Users have the right, under certain + circumstances, to obtain the erasure of their Data from the Owner. +- Receive their Data and have it transferred to another controller. Users have the right to receive + their Data in a structured, commonly used and machine readable format and, if technically + feasible, to have it transmitted to another controller without any hindrance. 
This provision is + applicable provided that the Data is processed by automated means and that the processing is based + on the User's consent, on a contract which the User is part of or on pre-contractual obligations + thereof. +- Lodge a complaint. Users have the right to bring a claim before their competent data protection + authority. ### How to Exercise these Rights -Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be -exercised free of charge and will be addressed by the Owner as early as possible and always within one month. +Any requests to exercise User rights can be directed to the Owner through the contact details +provided in this document. These requests can be exercised free of charge and will be addressed by +the Owner as early as possible and always within one month. + +### Requesting Deletion of your Personal Data: + +To request the deletion of your personal data: + +- Contact us at hello@web3auth.io with the subject line: “Data Deletion Request.” +- Include information necessary to verify your identity, such as \[e.g., account details or + identification documents\]. +- You may be contacted by our staff to verify your identity and ownership of the account. ## Cookie Policy -Web3Auth uses Cookies on some static sites. To learn more and for a detailed cookie notice, the User may consult the -[Cookie Policy](https://docs.web3auth.io/legal/cookie-policy). +Web3Auth uses Cookies on some static sites. To learn more and for a detailed cookie notice, the User +may consult the [Cookie Policy](https://docs.web3auth.io/legal/cookie-policy). + +## Acceptance of this Privacy Policy + +By using Web3Auth services, you are agreeing to accept the entirety of this Privacy Policy. If you +are not in agreement of this Privacy Policy, you may refrain from using Web3Auth services. 
## Additional information about Data collection and processing ### Legal Action -The User's Anonymized Usage Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from -improper use of Web3Auth or the related Services. The User declares to be aware that the Owner may be required to reveal personal data upon request of -public authorities. +The User's Anonymized Usage Data may be used for legal purposes by the Owner in Court or in the +stages leading to possible legal action arising from improper use of Web3Auth or the related +Services. The User declares to be aware that the Owner may be required to reveal personal data upon +request of public authorities. ### Additional Information About User's Anonymized Usage Data -In addition to the information contained in this privacy policy, Web3Auth may provide the User with additional and contextual information concerning -particular Services or the collection and processing of it upon request. +In addition to the information contained in this privacy policy, Web3Auth may provide the User with +additional and contextual information concerning particular Services or the collection and +processing of it upon request. ### System Logs and Maintenance -For operation and maintenance purposes, Web3Auth and any third-party services may collect files that record interaction with Web3Auth \(System logs\) -use other Usage Data \(such as the IP Address\) for this purpose. +For operation and maintenance purposes, Web3Auth and any third-party services may collect files that +record interaction with Web3Auth (System logs) use other Usage Data (such as the IP Address) for +this purpose. ### Information not Contained in this Policy -More details concerning the collection or processing of Anonymized Usage Data may be requested from the Owner at any time. Please see the contact -information at the beginning of this document. 
+More details concerning the collection or processing of Anonymized Usage Data may be requested from +the Owner at any time. Please see the contact information at the beginning of this document. ### How “Do Not Track” Requests are Handled -Web3Auth automatically respects “Do Not Track” requests as we do not store any user Personal Data. To determine whether any of the third-party -services it uses honor the “Do Not Track” requests, please read their privacy policies. +Web3Auth automatically respects “Do Not Track” requests as we do not store any user Personal Data. +To determine whether any of the third-party services it uses honor the “Do Not Track” requests, +please read their privacy policies. ### Changes to this Privacy Policy -The Owner reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page and possibly within Torus -Labs and/or - as far as technically and legally feasible - sending a notice to Users via any contact information available to the Owner. It is -strongly recommended to check this page often, referring to the date of the last modification listed at the bottom. +The Owner reserves the right to make changes to this privacy policy at any time by giving notice to +its Users on this page and possibly within Torus Labs and/or \- as far as technically and legally +feasible \- sending a notice to Users via any contact information available to the Owner. It is +strongly recommended to check this page often, referring to the date of the last modification listed +at the bottom. -Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where -required. +Should the changes affect processing activities performed on the basis of the User’s consent, the +Owner shall collect new consent from the User, where required. 
## Definitions and Legal References -**Personal Data \(or Data\)** +Personal Data (or Data) + +Any information that directly, indirectly, or in connection with other information — including a +personal identification number — allows for the identification or identifiability of a natural +person. + +Account Identifying Information -Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the -identification or identifiability of a natural person. +Data used to identify unique accounts, which can include third party authentication token IDs and +randomized strings. -**Anonymized Identifier** +Personal Identification Information -Data used to identify unique accounts, which can include third party authentication token IDs and randomized strings. +Data used to personalize unique accounts, which can include usernames, first and last names, email +addresses, and phone numbers. -**Anonymized Usage Data** +Anonymized Usage Data -Information collected automatically through Web3Auth \(or third-party services employed in Web3Auth\), which can include: the IP addresses or device -type of the computers utilized by the Users who use Web3Auth, the time of the request, the method utilized to submit the request to the server, the -size of the file received in response, the numerical code indicating the status of the server's answer \(successful outcome, error, etc.\), the -features of the browser and the operating system utilized by the User, the various time details per visit \(e.g., the time spent on each page within -the Application\) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other -parameters about the device operating system and/or the User's IT environment. 
+Information collected automatically through Web3Auth (or third-party services employed in Web3Auth), +which can include: the IP addresses or device type of the computers utilized by the Users who use +Web3Auth, the time of the request, the method utilized to submit the request to the server, the size +of the file received in response, the numerical code indicating the status of the server's answer +(successful outcome, error, etc.), the features of the browser and the operating system utilized by +the User, the various time details per visit (e.g., the time spent on each page within the +Application) and the details about the path followed within the Application with special reference +to the sequence of pages visited, and other parameters about the device operating system and/or the +User's IT environment. -**User** +User The individual using Web3Auth who, unless otherwise specified, coincides with the Data Subject. -**Data Subject** +Data Subject The natural person to whom the Personal Data refers. -**Data Processor \(or Data Supervisor\)** +Data Processor (or Data Supervisor) -The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this -privacy policy. +The natural or legal person, public authority, agency or other body which processes Personal Data on +behalf of the Controller, as described in this privacy policy. -**Data Controller \(or Owner\)** +Data Controller (or Owner) -The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the -processing of Personal Data, including the security measures concerning the operation and use of Web3Auth. 
The Data Controller, unless otherwise +The natural or legal person, public authority, agency or other body which, alone or jointly with +others, determines the purposes and means of the processing of Personal Data, including the security +measures concerning the operation and use of Web3Auth. The Data Controller, unless otherwise specified, is the Owner of Web3Auth. -**Web3Auth \(or this Application\)** +Web3Auth (or this Application) The means by which the Data of the User is collected and processed. -**Service** +Service -The service provided by Web3Auth as described in the relative terms \(if available\) and on this site/application. +The service provided by Web3Auth as described in the relative terms (if available) and on this +site/application. -**European Union \(or EU\)** +European Union (or EU) -Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and -the European Economic Area. +Unless otherwise specified, all references made within this document to the European Union include +all current member states to the European Union and the European Economic Area. -**Cookies** +Cookies Small sets of data stored in the User's device. -**Legal information** +Legal information -This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation \(EU\) 2016/679 \(General -Data Protection Regulation\). +This privacy statement has been prepared based on provisions of multiple legislations, including +Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation). This privacy policy relates solely to Web3Auth, if not stated otherwise within this document.
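Review bot: In the first hunk (@@ -3,86 +3,133 @@), the added sections contradict each other about what is collected. "Types of Data Collected" now lists Personal Identification Information (usernames, first names, last names, email addresses, phone numbers), but the new "Collection" paragraph says "Only Account Identifying Information is collected", and the "Place" text still says "There is no user specific data that is processed on servers that can identify the user." Decide which statement is accurate and make the three sections agree. The "Storage" sentence "is not stored during the entire use of our service" can be read as either "never stored" or "not stored for the whole session"; state plainly whether this data is persisted and where. "Retention Time" still covers only Anonymized Usage Data, so it needs a retention period for the Account Identifying Information that is now described as stored. "Tokenised into anonymised strings" should also name the property being claimed, since a token that still maps back to an account is pseudonymised rather than anonymous under the GDPR this policy cites. Finally, pick one spelling: the hunk mixes "Anonymised Usage Data" and "Anonymized Usage Data".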
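Review bot: In the second hunk (@@ -90,54 +137,65 @@), the Google OAuth and Google Tag Manager entries still end with "Privacy Shield participant." in a policy now dated 9 December 2024. The EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so the re-wrapped lines carry forward a transfer basis that no longer applies; replace the phrase with the mechanism actually relied on for these US transfers, or drop it. In the same hunk, "Web3Auth will be able to access some Data (that it will not store)" under "Registration and Authentication" should be reconciled with the "Storage" paragraph added earlier in this patch, which says Account Identifying Information is tokenised and stored. The provider sub-headings such as "Google OAuth (Google LLC)" and "Cloudflare (Cloudflare Inc.)" lose their bold markup and will render as ordinary paragraphs. "can be used to optimized" under "Analytics" is re-wrapped but still has the typo for "optimize".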
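Review bot: In the third hunk (@@ -145,132 +203,171 @@), the new "Requesting Deletion of your Personal Data" steps ship with an unfilled template placeholder: "such as \[e.g., account details or identification documents\]". Replace the bracketed text with the specific information actually required. Since the request is sent by email, name the minimum needed for verification so users are not prompted to mail identity documents by default. The heading "### Requesting Deletion of your Personal Data:" ends with a colon, unlike every other heading in the file. Three retained statements no longer match the rest of the patch. "How “Do Not Track” Requests are Handled" still says "we do not store any user Personal Data", which conflicts with the stored Account Identifying Information. "Changes to this Privacy Policy" points to a modification date "listed at the bottom", while the date sits at the top as "Latest update". The first rights bullet still limits consent withdrawal to "their Anonymized Data", even though the lead-in no longer restricts the rights to anonymized data. The "System Logs and Maintenance" sentence is also missing a conjunction between "(System logs)" and "use other Usage Data".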