Privacy Policy

GoldFinger Foundation (the “Foundation,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy (“Policy”) explains how we collect, use, store, share, and protect information when you access or use the GoldFinger platform (the “Platform”), including services related to Aurum Reserve Token (“$ART”) and GoldFinger Governance Token (“$GF”) (collectively, the “Tokens”).

By using the Platform, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Policy. This Policy is part of the GoldFinger Terms of Service; capitalized terms not defined herein have the meaning set forth in the Terms of Service.

1. Scope of This Policy

This Policy applies to all information we collect from or about you when:

1. You register to use the Platform (e.g., create a profile, connect a wallet);

2. You use Platform services (e.g., mint or redeem $ART, stake $ART/$GF, participate in governance);

3. You interact with our official channels (e.g., website, community forums, customer support);

4. You provide information to third-party service providers acting on our behalf (e.g., KYC/AML verification providers).

This Policy does not apply to information collected by third parties (e.g., exchanges hosting $ART/$GF trading, your crypto wallet provider) — we encourage you to review the privacy policies of these third parties.

2. Information We Collect

We collect two categories of information: Personal Information (information that identifies or can be linked to you) and Non-Personal Information (information that cannot be linked to you, such as aggregated data).

2.1 Personal Information

We collect Personal Information only when you provide it voluntarily or as required to use Platform services:

1. Identity Verification Information: To comply with KYC/AML requirements (e.g., for minting/redeeming $ART), we collect:

    1. Full name, date of birth, and nationality;

    2. Government-issued identification (e.g., passport, driver’s license, national ID card);

    3. Proof of address (e.g., utility bill, bank statement, rental agreement) dated within the last 3 months;

    4. Facial recognition data (if required by our KYC provider for identity verification).

2. Contact Information: Email address, phone number, and (if provided) postal address — used to send service updates, account notifications, or compliance-related communications.

3. Wallet and Transaction Information: Public crypto wallet addresses linked to your Platform activity (e.g., wallets used to mint $ART or stake $GF); transaction history (e.g., $ART minting/redeeming records, $GF staking rewards) — we do not collect private wallet keys.

4. Account and Usage Information: Username, password (hashed), and preferences (e.g., notification settings); records of your Platform usage (e.g., features accessed, governance votes cast).

2.2 Non-Personal Information

We automatically collect Non-Personal Information to improve the Platform and analyze usage trends:

1. Device and Technical Information: Device type (e.g., smartphone, laptop), operating system, browser type, IP address (anonymized where possible), and internet service provider;

2. Usage Data: Time and date of Platform access, pages viewed, and duration of use;

3. Aggregated Data: Combined information about multiple users (e.g., “50% of users mint $ART using stablecoins”) — this data cannot be linked to any individual.

3. How We Use Your Information

We use your information only for legitimate purposes consistent with this Policy and applicable data protection laws (e.g., GDPR, CCPA, PDPA):

3.1 To Provide and Maintain Platform Services

1. Verify your identity to enable access to restricted features (e.g., $ART minting/redeeming);

2. Process transactions (e.g., track $ART redemption requests, distribute $GF staking rewards);

3. Manage your account (e.g., update your preferences, resolve login issues).

4. Fulfill KYC/AML requirements and prevent money laundering, terrorist financing, or sanctions violations;

5. Respond to requests from regulatory authorities (e.g., financial watchdogs, courts) or comply with subpoenas, warrants, or laws;

6. Maintain records required by financial regulations (e.g., storing transaction history for 5 years post-transaction).

3.3 To Protect Security and Prevent Fraud

1. Monitor Platform activity for suspicious behavior (e.g., unusual login attempts, large $ART redemption requests);

2. Detect and prevent fraud, unauthorized access, or misuse of the Platform (e.g., blocking wallets linked to malicious activity);

3. Secure our systems (e.g., using IP address data to identify and block cyber threats).

3.4 To Improve the Platform and Develop New Features

1. Analyze usage data to identify user needs (e.g., optimizing the staking interface based on user behavior);

2. Test and launch new services (e.g., expanding cross-chain support for $ART);

3. Conduct internal research (e.g., evaluating the effectiveness of governance voting mechanisms).

3.5 To Communicate with You

1. Send service-related notifications (e.g., “Your $ART redemption request has been approved,” “$GF staking rewards are available”);

2. Share important updates (e.g., changes to the Platform, regulatory compliance requirements);

3. Respond to your inquiries (e.g., customer support tickets about $ART NAV calculations).

We will never use your Personal Information for marketing purposes without your explicit consent. If you opt in to marketing communications, you may unsubscribe at any time.

4. When We Share Your Information

We do not sell, rent, or trade your Personal Information to third parties for commercial purposes. We may share your information only in the following limited circumstances:

4.1 With Third-Party Service Providers

We engage trusted third parties to assist with Platform operations — these providers are contractually required to protect your information and use it only as directed by us:

1. KYC/AML Providers: (e.g., IdentityMind, Chainalysis) — to verify your identity and screen for compliance risks;

2. Custodians and Financial Partners: (e.g., licensed gold custodians, stablecoin issuers) — to process $ART minting/redeeming and manage underlying assets;

3. Technology Providers: (e.g., cloud hosting services, cybersecurity firms) — to host the Platform, secure our systems, and analyze usage data;

4. Payment Processors: (if applicable) — to process fees related to $ART redemption or $GF transactions.

5. With regulatory authorities, law enforcement, or courts — to comply with legal obligations, respond to investigations, or protect public safety;

6. With legal advisors — to obtain legal guidance or defend against claims.

4.3 In Connection with Business Transfers

If the Foundation undergoes a merger, acquisition, sale of assets, or dissolution, we may transfer your information to the successor entity — this transfer will be subject to a privacy policy consistent with this Policy.

We may share your information with third parties if you explicitly authorize us to do so (e.g., sharing your wallet address with an exchange to facilitate $ART trading).

5. Your Rights Regarding Your Information

Under applicable data protection laws, you have the following rights regarding your Personal Information. To exercise these rights, contact us using the information in Section 10:

5.1 Access and Correction

1. Request access to the Personal Information we hold about you (e.g., a copy of your KYC records);

2. Request correction of inaccurate or incomplete information (e.g., updating your contact details).

5.2 Deletion and Restriction

1. Request deletion of your Personal Information if it is no longer needed for the purposes for which it was collected (e.g., after your KYC retention period expires);

2. Request restriction of processing (e.g., pausing use of your data while we resolve a dispute about its accuracy).

5.3 Data Portability

1. Request a copy of your Personal Information in a structured, machine-readable format (e.g., a CSV file of your transaction history) — where technically feasible.

2. Withdraw consent for non-essential uses of your information (e.g., unsubscribing from marketing emails) — this will not affect the lawfulness of processing based on consent before withdrawal.

5.5 Objection to Processing

1. Object to processing of your Personal Information for legitimate interests (e.g., objecting to use of your usage data for Platform improvements) — we will cease processing unless we have compelling legitimate grounds.

We will respond to your request within 30 days (or within the timeframe required by applicable law). We may request additional information to verify your identity before fulfilling your request.

6. How We Protect Your Information

We implement technical, administrative, and physical safeguards to protect your information from unauthorized access, disclosure, alteration, or destruction:

6.1 Technical Security

1. Encryption: Personal Information (e.g., KYC data, wallet addresses) is encrypted in transit (using SSL/TLS) and at rest (using AES-256 encryption);

2. Access Controls: Only authorized personnel with a legitimate business need may access your Personal Information — access is granted on a “least privilege” basis;

3. Security Audits: We conduct regular third-party audits of our systems and smart contracts to identify and remediate vulnerabilities;

4. Incident Response: We maintain a cybersecurity incident response plan to address data breaches — if a breach occurs, we will notify you and regulatory authorities as required by law.

6.2 Administrative and Physical Security

1. Employee Training: All staff receive training on data protection laws and security best practices;

2. Confidentiality Agreements: Third-party service providers and employees sign agreements to protect your information;

3. Physical Security: Our servers and data centers are protected by access controls (e.g., biometric authentication, 24/7 monitoring).

No security system is completely infallible. You are responsible for protecting your wallet and account (e.g., not sharing private keys, using two-factor authentication for your email).

7. Data Retention

We retain your Personal Information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law:

1. KYC/AML Data: Retained for 5 years after your last Platform activity (consistent with financial regulatory requirements);

2. Transaction and Account Data: Retained for 3 years after your account is closed;

3. Usage and Non-Personal Data: Retained indefinitely in aggregated form (no longer linked to you).

When your information is no longer needed, we will delete it securely (e.g., permanent erasure) or anonymize it so it cannot be linked to you.

8. Cross-Border Data Transfers

The Foundation operates globally, and your information may be transferred to, stored in, or processed in countries other than your country of residence (e.g., if our cloud provider is based in the United States). We ensure cross-border transfers comply with applicable law:

1. For transfers to countries without “adequacy” status (e.g., under GDPR), we use standard contractual clauses (SCCs) approved by regulatory authorities;

2. We require third-party service providers to adhere to the same data protection standards regardless of their location.

9. Children’s Privacy

The Platform is not intended for use by individuals under the age of 13 (or the age of digital consent in your jurisdiction). We do not knowingly collect Personal Information from children. If we learn we have collected information from a child, we will delete it immediately. Parents or guardians who believe their child has provided information to us may contact us to request deletion.

10. Updates to This Policy

We may update this Policy from time to time to reflect changes in law, technology, or Platform services. When we update the Policy:

1. We will post the revised version on the Platform’s official website, with a new “Last Updated” date;

2. We will notify you of material changes (e.g., changes to how we share your information) via email or a prominent notice on the Platform;

3. The revised Policy will take effect 14 days after posting (unless a shorter timeframe is required by law).

Your continued use of the Platform after the effective date of the revised Policy constitutes acceptance of the changes. We encourage you to review this Policy periodically.

Last updated