Contents

GDPR Compliance Statement

Our commitment to protecting personal data under the General Data Protection Regulation

Introduction

This GDPR Compliance Statement explains how DEOSX Foundation ("we," "us," or "our") complies with the European Union's General Data Protection Regulation (GDPR) when processing personal data of users in the European Economic Area (EEA), United Kingdom, and Switzerland. This statement should be read alongside our main Privacy Policy.

Data Controller Information

Data Controller: DEOSX Foundation
Registered Address: [To be completed with legal address]
Privacy Contact: privacy@deosx.com
Data Protection Officer: dpo@deosx.com
Company Registration: [To be completed]

Lawful Basis for Processing Personal Data

We process personal data only when we have a valid legal basis under Article 6 of the GDPR:

Legitimate Interest (Article 6(1)(f))

We rely on legitimate interest for:

  • Network optimization and performance monitoring to ensure service quality
  • Security monitoring and fraud prevention to protect our network and users
  • Technical support and troubleshooting to resolve user issues
  • Service improvement and development based on usage patterns
  • Business analytics for operational efficiency

Contract Performance (Article 6(1)(b))

We process data to fulfill our contractual obligations when:

  • Distributing token rewards and managing your participation in our network
  • Providing account management and authentication services
  • Delivering core network services and maintaining your access
  • Processing payments and managing your subscription

Consent (Article 6(1)(a))

We ask for your explicit consent for:

  • Marketing communications and promotional materials
  • Optional data sharing for research and development purposes
  • Beta testing programs and feature previews
  • Cookies that are not strictly necessary for service operation

Legal Obligation (Article 6(1)(c))

We process data to comply with legal requirements including:

  • Tax reporting and regulatory compliance
  • Anti-money laundering (AML) and know-your-customer (KYC) requirements
  • Responding to lawful government requests and court orders
  • Data breach notification requirements

Your Rights Under GDPR

As a data subject under GDPR, you have comprehensive rights regarding your personal data. You can exercise these rights free of charge, and we will respond within one month (extendable by two months for complex requests).

Right of Access (Article 15)

You have the right to know whether we process your personal data and to access that data. You can request:

  • Confirmation of whether we process your personal data
  • A copy of your personal data in our possession
  • Information about how we use your data and who we share it with
  • Details about data retention periods and your other rights

How to request: Email privacy@deosx.com with "Data Access Request" in the subject line, including verification of your identity.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data:

  • Update your profile information directly through your account settings
  • Contact our support team at support@deosx.com for technical assistance
  • Request updates to information we cannot technically modify

Note: Blockchain transaction data cannot be modified due to the immutable nature of distributed ledgers.

Right to Erasure ("Right to be Forgotten") (Article 17)

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and no other legal basis applies
  • You object to processing and no overriding legitimate grounds exist
  • The data has been unlawfully processed

Important limitations: We cannot delete data that is:

  • Recorded on immutable blockchain ledgers
  • Required for legal compliance or defending legal claims
  • Necessary for exercising freedom of expression
  • Required for public health or scientific research purposes

Right to Restrict Processing (Article 18)

You can request that we limit how we process your data in certain circumstances:

  • While we verify the accuracy of disputed data
  • When processing is unlawful but you prefer restriction over deletion
  • When we no longer need the data but you need it for legal claims
  • While we consider your objection to processing

Right to Data Portability (Article 20)

You can request your data in a machine-readable format to:

  • Transfer your data to another service provider
  • Use your data with other services
  • Keep a personal copy of your data

We provide data exports in standard formats (JSON, CSV) for data processed with your consent or under contract.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing:

  • Opt out of all marketing communications at any time
  • Object to profiling for marketing purposes
  • Request cessation of specific processing activities
  • Object to automated decision-making (subject to certain exceptions)

Rights Related to Automated Decision-Making (Article 22)

DEOSX uses automated systems for operational purposes including:

  • Network routing optimization through our NeoEngine technology
  • Reward calculation algorithms based on network contribution
  • Security threat detection and fraud prevention
  • Performance metrics and quality assessment

You have the right to request human review of automated decisions that significantly affect you, obtain an explanation of the decision, and express your point of view.

Categories of Personal Data We Process

Data Processing Overview

Data CategoryExamplesProcessing PurposeLegal BasisRetention Period
Account DataEmail address, username, password hash, preferencesService delivery and account managementContract performanceAccount lifetime + 30 days
Technical DataIP address, device specifications, performance metricsNetwork optimization and securityLegitimate interest30 days rolling
Blockchain DataWallet addresses, transaction history, token balancesToken operations and reward distributionContract performancePermanent (immutable)
Communication DataSupport tickets, feedback, correspondenceCustomer service and supportContract performance3 years after resolution
Usage AnalyticsFeature usage, session duration, error logsService improvement and developmentLegitimate interest12 months

Special Categories of Personal Data

DEOSX does not intentionally collect or process special categories of personal data (sensitive data) as defined in Article 9 of GDPR. This includes data revealing:

  • Racial or ethnic origin
  • Political opinions or affiliations
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data for identification
  • Health information
  • Data concerning sex life or sexual orientation

If you inadvertently provide such information, please contact us immediately so we can delete it from our systems where technically feasible.

International Data Transfers

Transfer Safeguards

DEOSX operates a global network, which may require transferring your personal data outside the EEA. We ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with third-party processors
  • Binding Corporate Rules: Internal privacy standards for data transfers within our organization
  • Technical Safeguards: Encryption and pseudonymization for data in transit and at rest

Countries We Transfer Data To

Personal data may be transferred to:

  • United States: Using Standard Contractual Clauses and additional safeguards
  • Singapore: Based on European Commission adequacy decision
  • Canada: Based on European Commission adequacy decision (commercial organizations)
  • Other jurisdictions: Only with appropriate safeguards in place

Data Protection by Design and Default

Technical Measures

  • Zero-Telemetry Architecture: We collect only essential data for service operation
  • End-to-End Encryption: All communications are encrypted in transit
  • Local Processing Preference: Data is processed locally when technically feasible
  • Access Controls: Role-based access ensures only authorized personnel can access personal data
  • Data Minimization: We process only the minimum data necessary for each purpose
  • Pseudonymization: Personal identifiers are replaced with pseudonyms where possible

Organizational Measures

  • Comprehensive privacy training for all staff members
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Regular security audits and penetration testing
  • Incident response procedures and breach notification protocols
  • Privacy-by-design principles in all product development
  • Regular review and updating of privacy practices

Data Breach Notification

Our Response Obligations

In the event of a personal data breach, we commit to:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Inform affected individuals without undue delay if there's a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial action taken
  • Implement immediate measures to address the breach and prevent recurrence
  • Cooperate fully with supervisory authority investigations

Information We Provide to Affected Individuals

Breach notifications to individuals will include:

  • Nature of the personal data breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for our Data Protection Officer
  • Recommendations for protective measures you can take

Children's Privacy

DEOSX services are not directed to or intended for use by children under 16 years of age. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected such data, we will:

  • Immediately cease all processing of the child's data
  • Delete the data from our systems where technically feasible
  • Notify the child's parent or legal guardian if contact information is available
  • Implement additional verification measures to prevent future occurrences
  • Review and strengthen our age verification processes

Supervisory Authority and Complaints

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements. You can contact:

Lead Supervisory Authority (Ireland)

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Phone: +353 57 868 4800
Email: info@dataprotection.ie
Website: www.dataprotection.ie

Your Local Supervisory Authority

You may also contact the supervisory authority in your country of residence or where the alleged infringement occurred. A complete list is available athttps://edpb.europa.eu/about-edpb/about-edpb/members_en

Exercising Your Rights

How to Contact Us

To exercise any of your GDPR rights or ask questions about data processing:

  • Data Protection Officer: dpo@deosx.com
  • Privacy Team: privacy@deosx.com
  • General Support: support@deosx.com

Response Timeframes

  • Standard Response: Within 30 days of receiving your request
  • Complex Requests: May be extended by an additional 60 days
  • Urgent Security Matters: Immediate response during business hours

Identity Verification

To protect your privacy, we may request additional information to verify your identity before processing requests that involve access to personal data.

Blockchain-Specific Considerations

Technical Limitations of Blockchain Technology

The decentralized nature of blockchain technology creates certain limitations for GDPR compliance:

  • Immutability: Once data is recorded on the blockchain, it cannot be modified or deleted
  • Decentralization: No single entity has complete control over all network data
  • Transparency: Transaction data is publicly visible on the blockchain
  • Pseudonymization: Wallet addresses provide some privacy but are not completely anonymous

Our Privacy-Preserving Approach

To address these challenges, we:

  • Minimize personal data recorded directly on the blockchain
  • Use pseudonymous wallet addresses instead of direct personal identifiers
  • Store sensitive personal data off-chain in systems where GDPR rights can be exercised
  • Implement data minimization principles in smart contract design
  • Provide clear information about blockchain limitations in our consent mechanisms
  • Use privacy-enhancing technologies where technically feasible

Exercising Rights with Blockchain Data

While we cannot modify blockchain data directly, we can:

  • Delete off-chain personal data linked to your blockchain addresses
  • Remove personal identifiers that connect you to blockchain addresses
  • Cease all off-chain processing of your data
  • Provide data exports that include both on-chain and off-chain information

Updates to This Statement

We may update this GDPR compliance statement to reflect:

  • Changes in our data processing activities or business operations
  • New legal requirements or regulatory guidance
  • Improvements to our privacy practices and technologies
  • Feedback from supervisory authorities or privacy experts
  • Changes to our services or product offerings

We will notify you of material changes through our usual communication channels and update the "Last Updated" date at the top of this document. For significant changes that affect your rights, we may seek your renewed consent where required by law.

Additional Resources

For more information about GDPR and your rights:

If you have any questions about this gdpr compliance statement, please contact us at legal@deosx.com

© 2025 DEOSX, Inc. All rights reserved.