Privacy Policy
- Who we are and what we do
This Privacy Policy governs the processing of personal data by the Concordium group of entities, including without limitation Concordium Foundation, and Concordium AG, each having its registered office at Bahnhofstrasse 20, 6300 Zug, Switzerland, Concordium Research ApS Denmark, Concordium Software ApS Denmark and Concordium UK Ltd, together with any present or future affiliated entities participating in the development, operation, governance, or commercialisation of the Concordium protocol, ecosystem, websites, documentation portals, community platforms, token-related activities, and associated services, whether acting individually or collectively, each hereinafter referred to as “Concordium,” “we,” “us,” or “our,” and is intended to provide a comprehensive, transparent, and legally sufficient explanation of how personal data is collected, used, disclosed, transferred, and otherwise processed in accordance with Regulation (EU) 2016/679, the UK General Data Protection Regulation as incorporated into domestic law pursuant to the Data Protection Act 2018, the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinance, and any other applicable data protection or privacy legislation, all of which Concordium acknowledges as binding frameworks governing its activities (“Applicable Data Protection Laws”).
Concordium operates a multi-entity and multi-layered ecosystem in which different legal persons may act as controllers, joint controllers, or processors depending on the specific processing activity, and in this respect Concordium Foundation typically acts as the primary controller responsible for determining the purposes and means of processing personal data in connection with the operation of Concordium’s websites and ecosystem, while Concordium AG and other affiliated entities may act as processors or independent controllers depending on the nature of the service being provided, including where such entities process personal data on behalf of the Foundation or in connection with their own operational or governance responsibilities. Where Concordium determines the purposes and means of processing jointly with other Concordium or external entities, they shall be deemed joint controllers within the meaning of Article 26 GDPR and equivalent provisions under Applicable Data Protection Laws, subject to internal arrangements that allocate compliance responsibilities while preserving the right of data subjects to exercise their rights against any relevant entity. The essence of the arrangement can be made available upon request using the contact details provided below.
- Collected information
For the purposes of this Privacy Policy, “personal data” means any information relating to an identified or identifiable natural person, including any information that directly or indirectly identifies such person, whether alone or in combination with other information reasonably available, including pseudonymised data where re-identification remains reasonably possible, and such definition shall be interpreted consistently with applicable law across all jurisdictions in which Concordium operates.
Concordium collects and processes personal data in the context of its websites, including www.concordium.com and associated documentation platforms, as well as in connection with community participation, developer engagement, token issuance and private placement activities, partner onboarding, governance participation, and other interactions with Concordium’s ecosystem, and such data may be obtained directly from individuals, automatically through technical means, or indirectly from third-party platforms or partners where individuals interact with Concordium through external channels.
The categories of personal data processed by Concordium include, without limitation, technical and usage data such as IP addresses, device identifiers, browser and operating system information, timestamps, referral URLs, log files, and cookie-derived data; communication and account data such as names, email addresses, usernames, credentials, and correspondence; transactional and token-related data including identity information, jurisdictional data, compliance attestations, and transaction metadata associated with private placements or token activities; professional and business contact data relating to representatives of partners, validators, identity providers, or counterparties; and compliance and governance data processed to satisfy legal and regulatory obligations including anti-money laundering, sanctions, tax, and financial reporting requirements, in each case strictly limited to what is necessary and proportionate for the purposes for which it is processed. Where required for identity verification, fraud prevention, compliance or anti-money laundering purposes, Concordium or relevant ecosystem participants may also process biometric data or other special categories of personal data, including facial images or similar verification data used for the purposes of uniquely identifying an individual, subject to appropriate safeguards and lawful bases under Applicable Data Protection Laws.
- Purposes and lawful bases of processing
Concordium processes personal data only for specified, explicit, and legitimate purposes and relies on one or more lawful bases depending on the context of the processing and the relevant relationship with the individual concerned. These lawful bases may include: the performance of a contract or steps prior to entering into a contract where individuals engage with Concordium services, blockchain ecosystem functionalities, identity verification processes or request access to ecosystem features; compliance with legal obligations to which Concordium is subject, including financial, anti-money laundering, regulatory, and governance requirements; legitimate interests pursued by Concordium, including maintaining the security, integrity, and performance of its systems and services, improving user experience, preventing fraud or misuse, and enabling effective operation of a decentralised protocol environment, provided that such interests are not overridden by the rights and freedoms of data subjects; and consent where required under Applicable Data Protection Laws, including for non-essential cookies, marketing communications, or other processing activities requiring an explicit opt-in under applicable law, which consent shall be freely given, specific, informed, and revocable at any time without detriment.
Depending on the nature of the processing activity, Concordium may process certain information in pseudonymised form, including blockchain-related identifiers or encrypted account-linked information, while implementing technical and organisational measures designed to minimise the direct identification of individuals.
- Cookies and similar technologies
In operating its websites and digital interfaces, Concordium uses cookies and similar technologies, including strictly necessary cookies required for the operation and security of the website, functional cookies enabling enhanced features, analytics cookies used to understand and improve performance, and, where applicable, marketing or targeting cookies, and such technologies are deployed in compliance with applicable ePrivacy and data protection laws, including the requirement to obtain prior consent for non-essential cookies and to provide clear and granular controls enabling users to manage their preferences, and users may also manage cookies through browser settings, although disabling certain cookies may affect functionality. Consent to non-essential cookies can be managed through our cookie banner, available when you first access our website and at any time in the right bottom corner of our website.
- Recipients of your data
Personal data may be disclosed to third parties where necessary to fulfil the purposes described herein, including to hosting providers, infrastructure and cloud service providers, analytics and security vendors, communication platforms, professional advisers, compliance, and verification providers, and ecosystem participants such as identity providers or partners, in each case subject to appropriate contractual safeguards, confidentiality obligations, and technical and organisational measures designed to ensure a level of protection consistent with applicable law, and Concordium shall not sell personal data nor disclose it for unrelated purposes.
Personal data may also be disclosed where required by applicable law, regulation, court order or lawful request from competent authorities. Where applicable, certain disclosures may occur as part of legally mandated identity disclosure, compliance, anti-money laundering, fraud prevention, or law enforcement processes subject to applicable legal safeguards and jurisdictional requirements
- International data transfers
Given the global and decentralised nature of the Concordium ecosystem, personal data may be transferred to jurisdictions outside Switzerland, the European Economic Area, or the United Kingdom, including the United States, the United Arab Emirates, New Zealand and other jurisdictions. Where such transfers occur, Concordium ensures that appropriate safeguards are implemented, including reliance on adequacy decisions, Standard Contractual Clauses, the EU-US, UK-US, and Swiss-US Data Privacy Frameworks where applicable, and supplementary measures informed by transfer impact assessments addressing the legal and factual circumstances of the destination jurisdiction, including potential access by public authorities. Concordium does not rely on consent as a default transfer mechanism but instead structures transfers in a manner consistent with regulatory expectations following Schrems II.
- Data retention
Concordium retains personal data only for as long as necessary to fulfil the purposes for which it was collected, taking into account legal, regulatory, contractual, and operational requirements, including statutory retention periods that may extend up to ten years for certain financial or contractual records, after which data is securely deleted, anonymised, or restricted, and retention decisions are documented and aligned with internal data governance frameworks. Technical and organisational measures
Concordium implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of individuals. Such measures may include encryption, pseudonymisation, access controls, authentication mechanisms, system monitoring, logging, vulnerability management, incident response procedures, and vendor risk management. Where appropriate, Concordium may also implement privacy-enhancing technologies and data minimisation techniques, including cryptographic or zero-knowledge verification mechanisms
Concordium does not ordinarily make decisions based solely on automated processing that produce legal or similarly significant effects without meaningful human involvement, unless otherwise permitted or required under Applicable Data Protection Laws.
Concordium regularly reviews and updates its security and governance measures in line with applicable legal requirements, industry standards, technological developments, and the evolving risk profile associated with decentralised and distributed technology environments.
- Data subjects rights
Individuals whose personal data is processed by Concordium have rights under Applicable Data Protection Laws, including the right of access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent where applicable, as well as the right not to be subject to decisions based solely on automated processing where such decisions produce legal or similarly significant effects, and such rights may be exercised by contacting Concordium using the details provided below, subject to verification of identity and applicable legal limitations, and Concordium shall respond within the statutory timeframe and maintain records of all requests and responses to demonstrate compliance.
Where processing of personal data is necessary to access certain functionalities of the Concordium network or ecosystem, the exercise of certain rights, including erasure or objection, may result in the inability to continue providing those services, and Concordium shall communicate such consequences clearly to the data subject at the time of the request.
Due to the nature of distributed ledger and blockchain technologies, certain transaction-related records or cryptographically linked information may remain recorded on-chain in pseudonymised or encrypted form where modification or deletion is technically limited, although Concordium shall implement measures designed to minimise identifiability and support compliance with applicable data protection principles.
Concordium does not knowingly collect personal data from individuals below the age of eighteen and its services are not directed at children, and where such data is identified it shall be deleted without undue delay unless a lawful basis for retention exists.
- Contact and complaints
Concordium has appointed Aphaia B.V. as its Data Protection Officer responsible for overseeing compliance with data protection laws and this Privacy Policy, who may be contacted at [email protected] for all data protection-related inquiries, including the exercise of data subject rights and regulatory matters.
Individuals who have questions, concerns, or complaints regarding the handling of their personal data or who consider that their data protection rights may have been infringed may contact Concordium using the contact details provided in this Privacy Policy. Concordium encourages individuals to raise concerns directly in the first instance in order to facilitate a prompt review and resolution of the matter. Complaints may be submitted through the applicable privacy complaints form or by using the contact details set out in this Privacy Policy.
In order to assist with the handling of a complaint, Concordium may request information necessary to identify the individual concerned, understand the nature of the complaint and assess the relevant circumstances, including contact details, relevant dates, supporting documentation, and prior correspondence where applicable.
Concordium shall acknowledge receipt of a complaint within 30 days and shall take appropriate steps to investigate and respond without undue delay. Where possible, Concordium aims to provide a substantive response within three months, although certain matters may require additional time where the complaint is particularly complex, involves multiple jurisdictions or parties or requires further investigation. Where applicable, Concordium shall keep the individual informed regarding the status and expected timeframe of the review process. Complaints relating to personal data breaches, security incidents or matters requiring urgent attention may be prioritised accordingly.
Individuals also have the right to lodge a complaint with the competent supervisory authority, including the UK Information Commissioner’s Office (“ICO”) in the United Kingdom. Further information regarding complaints submitted to the ICO is available at https://ico.org.uk/make-a-complaint/ or by writing to the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or by calling 0303 123 1113. Individuals located in the EEA, Switzerland, or other jurisdictions may also lodge a complaint with the supervisory authority of their habitual residence, place of work or place of the alleged infringement, without prejudice to any other administrative or judicial remedy available under applicable law. You can find a list of EU supervisory authorities here. You can also find the relevant information to contact the ICO and the FDPIC.
This Privacy Policy may be updated from time to time to reflect changes in legal requirements, technological developments, or Concordium’s operational practices, and updated versions shall be published on Concordium’s websites with immediate effect, and continued use of the websites or services shall constitute acknowledgment of such updates to the extent permitted by law.