Privacy policy

Last updated: March 24, 2026

i. Introduction

The Crystal Sciences Association (the "Association", "we", "our", or "us") is a Swiss Verein organized under the laws of Switzerland with its registered office in Zug, Switzerland. This Privacy Policy (the "Policy") describes how we collect, use, disclose, and protect information in connection with the Elata platform (the "Platform"), including our websites, developer tools and libraries (the "SDK"), decentralized protocol (the "Protocol"), and all related services (collectively, the "Services").

This Policy should be read together with our Terms of Use, which are incorporated herein by reference. By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Policy.

If you do not agree with this Policy, please do not access or use the Platform or any of the Services.

ii. Data Controller

For the purposes of the Swiss Federal Act on Data Protection ("FADP"), the EU General Data Protection Regulation ("GDPR"), and any other applicable data protection legislation, the data controller is:

Crystal Sciences Association

Zug, Switzerland

info@elata.bio

If you have any questions or concerns about our data practices, or wish to exercise your rights under applicable data protection law, please contact us at the address above.

iii. Information We Collect

A. Information You Provide Directly

When you interact with the Platform, you may voluntarily provide us with certain information, including:

  1. Contact Information: If you sign up for our mailing list, newsletter, waitlist, or contact us through a form, we collect your email address and any other information you choose to provide.

  2. Communications: If you contact us directly (e.g., via email or a support channel), we may retain the content of your communications along with your contact details.

  3. Feedback and Contributions: If you submit feedback, bug reports, or contributions to the Platform, we may collect the content of those submissions.

B. Information Collected Automatically

When you access or use the Platform's websites, we automatically collect certain information through our self-hosted analytics infrastructure, including:

  1. Usage Data: Pages visited, features used, click patterns, scroll depth, time spent on pages, referral sources, and similar interaction data.

  2. Session Recordings: We use self-hosted analytics software that may record your interactions with our websites, including mouse movements, clicks, and scrolling behavior. Sensitive form input fields (such as passwords and email fields) are masked and are not captured in recordings.

  3. Feature Flags and Experimentation: We may use feature flag and A/B testing tools to evaluate and improve Platform features. This may involve tracking which feature variants you are exposed to and how you interact with them.

  4. Device and Browser Information: Browser type and version, operating system, device type, screen resolution, and language preferences.

  5. Network Information: IP address, approximate geographic location derived from IP address, and internet service provider.

C. On-Chain Data

If you interact with the Protocol, certain information is recorded on the public blockchain, including but not limited to your wallet address, transaction history, token balances, staking activity, governance votes, and participation metrics. This data is publicly accessible, immutable, and outside the Association's control once recorded. The Association does not control the blockchain and cannot modify, delete, or restrict access to on-chain data.

D. Information We Do Not Collect: Biosensor Data

The SDK is architecturally designed to perform all physiological signal processing on the client side (i.e., within the end user's browser or device). The Association does not receive, collect, store, or process any Biosensor Data (as defined in our Terms of Use). Raw physiological signals never leave the user's device through the SDK. The processing pipeline produces non-identifying derived metrics by design.

Important: Third-party developers who build applications using the SDK may have their own data collection practices. The Association is not responsible for and does not control the data practices of third-party applications. Please refer to the privacy policies of any third-party applications you use.

iv. How We Use Your Information

We use the information we collect for the following purposes:

| Purpose | Legal Basis (GDPR/FADP) | Data Categories |
| --- | --- | --- |
| To operate and maintain the Platform and Services | Legitimate interest; performance of contract | Usage data, device information |
| To communicate with you (e.g., responding to inquiries, sending updates you have opted into) | Consent; legitimate interest | Contact information, communications |
| To analyze and improve the Platform through analytics, session recordings, heatmaps, and experimentation | Legitimate interest | Usage data, session recordings, device information, network information |
| To detect, prevent, and address technical issues, security incidents, and fraud | Legitimate interest; legal obligation | Usage data, device information, network information |
| To comply with legal obligations and enforce our Terms of Use | Legal obligation; legitimate interest | All categories as necessary |
| To send marketing communications (only with your consent) | Consent | Contact information |

We do not sell your personal information. We do not use your information for automated decision-making or profiling that produces legal or similarly significant effects.

v. Cookies and Similar Technologies

We use cookies and similar technologies on our websites. Cookies are small text files placed on your device that help us operate and analyze the Platform.

| Cookie Type | Purpose | Duration |
| --- | --- | --- |
| Essential / Functional | Required for the Platform to function correctly (e.g., session management, security, preferences) | Session or up to 12 months |
| Analytics | Help us understand how visitors interact with the Platform, which pages are visited, and how features are used. Collected through our self-hosted analytics infrastructure. | Up to 12 months |
| Feature Flags | Used to deliver and evaluate different feature variants as part of product experimentation | Session or up to 12 months |

Managing Cookies. You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect the functionality of the Platform. You may also opt out of non-essential cookies through the cookie consent mechanism on our websites, where available.

We do not use third-party advertising cookies or tracking pixels. Our analytics infrastructure is self-hosted and does not share data with third-party analytics providers.

vi. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

A. Infrastructure Providers. We use third-party infrastructure providers to host our servers, databases, and self-hosted analytics tools. These providers process data on our behalf and are contractually obligated to protect your information. Our infrastructure is currently hosted on servers located in the United States.

B. Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Association, our users, or the public.

C. Business Transfers. If the Association undergoes a merger, acquisition, reorganization, dissolution, or similar transaction, your information may be transferred as part of that transaction. We will notify you of any such change by posting a notice on the Platform.

D. With Your Consent. We may share your information with third parties when you have given us explicit consent to do so.

E. On-Chain Data. As noted above, information recorded on the public blockchain (wallet addresses, transactions, governance activity, participation metrics) is publicly accessible by anyone. This is an inherent property of blockchain technology and is not a disclosure by the Association.

vii. International Data Transfers

The Association is established in Switzerland. However, our infrastructure is hosted on servers located in the United States. This means that personal data collected from users in Switzerland, the European Economic Area ("EEA"), or the United Kingdom may be transferred to, stored, and processed in the United States.

Where personal data is transferred outside Switzerland or the EEA, we ensure that appropriate safeguards are in place in accordance with the FADP and the GDPR, as applicable. These safeguards may include:

  1. Standard Contractual Clauses (SCCs) approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner (FDPIC);

  2. Adequacy decisions by the relevant authorities recognizing the receiving country as providing an adequate level of data protection; or

  3. Other legally recognized transfer mechanisms under applicable law.

You may request a copy of the safeguards we have in place by contacting us at the address provided in Section ii.

viii. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

| Data Category | Retention Period |
| --- | --- |
| Contact information (email addresses) | Until you unsubscribe or request deletion, plus a reasonable wind-down period not exceeding 30 days |
| Analytics and usage data | Up to 24 months from the date of collection |
| Session recordings | Up to 12 months from the date of recording |
| Communications and support inquiries | Up to 36 months from the date of last communication |
| On-chain data | Permanent and immutable (inherent to blockchain technology; outside our control) |

When personal data is no longer required, we will securely delete or anonymize it. Where anonymization is used, the anonymized data may be retained indefinitely for analytical purposes.

ix. Your Rights

Depending on your location and applicable law (including the FADP, GDPR, CCPA/CPRA, and similar frameworks), you may have some or all of the following rights regarding your personal information:

A. Right of Access. You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data.

B. Right to Rectification. You have the right to request correction of inaccurate or incomplete personal data.

C. Right to Erasure. You have the right to request deletion of your personal data, subject to certain exceptions (e.g., where retention is required by law). Please note that we cannot delete data recorded on the public blockchain, as this data is immutable and outside our control.

D. Right to Restrict Processing. You have the right to request that we restrict the processing of your personal data in certain circumstances.

E. Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

F. Right to Object. You have the right to object to processing of your personal data based on legitimate interests. Where we process your data for direct marketing purposes, you have the right to object at any time.

G. Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

H. Right to Lodge a Complaint. You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, if applicable, your local supervisory authority under the GDPR.

To exercise any of these rights, please contact us at the address provided in Section ii. We will respond to your request within thirty (30) days, or within the timeframe required by applicable law. We may request verification of your identity before fulfilling your request.

Additional Rights for California Residents. If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the address provided in Section ii.

x. Security

We implement reasonable technical and organizational measures to protect the personal information we collect and process, including encryption in transit, access controls, and regular security assessments of our infrastructure.

Our analytics infrastructure is self-hosted, meaning that analytics data (including session recordings) is stored on servers we control and is not shared with third-party analytics providers.

However, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security and are not responsible for unauthorized access to our servers or databases that is beyond our reasonable control.

xi. Children's Privacy

The Platform is not directed at and is not intended for use by individuals under the age of eighteen (18) or the applicable age of majority in their jurisdiction, whichever is higher. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us at the address provided in Section ii.

xii. Third-Party Links and Services

The Platform may contain links to third-party websites, services, or applications that are not operated or controlled by us. This Policy does not apply to third-party services. We are not responsible for the privacy practices of third-party services, and we encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform.

In particular, third-party developers who build applications using the SDK may collect, process, or store Biosensor Data or other personal information through their own applications. The Association does not control and is not responsible for the data practices of these third-party applications. You should review the privacy policies of any third-party applications before providing them with access to your data.

xiii. Blockchain Data and Immutability

The Protocol operates on a public blockchain. When you interact with the Protocol, certain data is recorded on-chain, including but not limited to your wallet address, transaction history, token balances, staking and lock activity, governance votes, and participation metrics.

You should be aware of the following:

  1. Public Accessibility. On-chain data is publicly accessible to anyone with access to the blockchain. This includes your wallet address and all associated transaction history.

  2. Immutability. Data recorded on the blockchain is permanent and cannot be modified or deleted by the Association or any other party. This means that the right to erasure under the FADP, GDPR, or similar laws cannot be exercised with respect to on-chain data.

  3. Pseudonymity, Not Anonymity. Wallet addresses are pseudonymous. While they do not directly reveal your identity, they may be linked to your identity through on-chain analysis, public disclosures, or third-party services. The Association does not attempt to link wallet addresses to real-world identities.

  4. No Association Control. The Association does not control the blockchain network and cannot restrict who accesses or analyzes on-chain data.

By interacting with the Protocol, you acknowledge and accept these inherent properties of blockchain technology.

xiv. SDK Privacy Architecture

The SDK is designed with privacy as an architectural property, not a feature that can be toggled. The following describes how the SDK handles data:

  1. Client-Side Processing. All physiological signal processing (including remote photoplethysmography and electroencephalography) occurs entirely on the user's device. Raw signals are never transmitted to the Association or any third party through the SDK.

  2. Non-Identifying Outputs. The SDK's processing pipeline produces derived metrics that do not identify individuals. The pipeline does not seek or capture user identity.

  3. No Server-Side Collection. The Association does not operate any servers that receive, store, or process Biosensor Data from the SDK.

This privacy architecture applies to the SDK as distributed by the Association. Developers who modify the SDK or integrate it into their own applications may alter these properties. The Association is not responsible for modifications made by third-party developers. Please refer to Section iii of our Terms of Use for developer obligations regarding Biosensor Data.

xv. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this Policy and, where required by applicable law, provide additional notice (such as posting a notice on the Platform or sending you an email).

We encourage you to review this Policy periodically. Your continued use of the Platform after any changes to this Policy constitutes your acceptance of the updated Policy.

xvi. Contact Us

If you have questions about this Policy, wish to exercise your data protection rights, or have a complaint about our data practices, please contact:

Crystal Sciences Association

Zug, Switzerland

Email: info@elata.bio

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, where applicable, your local data protection supervisory authority.

Swiss FDPIC: https://www.edoeb.admin.ch/



Elata is a digital marketplace for brain-compatible applications. Build, launch, and commercialize apps on Elata in minutes, not weeks.

Copyright © 2026 Elata Biosciences. All rights reserved.
