The terms "Users", “User” or “You” refer to any natural or legal person who makes use of the Services as fans, stars, members of the community, advertisers or any other type of users of the Services.
Olyseum shall process User’s personal data in accordance with the Swiss Federal Act on Data Protection (“FADP”) and the General Data Protection Regulation of the European Union (“GDPR”).
If at any time, the User have questions or concerns about their privacy practices, they are invited to contact our Data Protection Officer (DPO) at firstname.lastname@example.org.
1. Controller identity and contact details
Place Longemalle 1,1204 Geneva, SWITZERLAND
Representative in the European Union:
Miguel Angel Lopez Fernandez
Data Protection Officer (DPO):
Avinguda Santa Coloma 7, AD500 Andorra la Vella, Andorra
Kindly note that an appointment is mandatory prior to any visit.
2. What personal data we process
Olyseum collects identity information about Users in a range of ways that depends on the registration method chosen by the User. Users registering through social login methods such as Facebook, Apple or Google will need to connect to Olyseum through those services and therefore their account email, name and picture may be imported into the Platform for the purposes of identification and authentication. Alternatively, Users registering with email, password, and nickname will be required to login to the Platform with that particular email and password for authentication, and will be allowed to provide a Reference Code (if available) to use in accordance with the terms and conditions of the Platform. The Platform uses email as the identifier of the User's account. Users can enter it through any access method with the same email, but not from one whose email differs from the one used to identify your account.
Personal data the User directly give us, which may include:
- Identity information, such as the profile picture, nickname, email and password of the User’s profile, the wallet address (public key) User has connected to their Platform account, the UserID of their Telegram account, or the email address they use to contact us or to receive our newsletters;
- Personal characteristics, such as the User's date of birth and gender (only if the User chooses to provide us with this optional information through their profile so that we can better communicate with them).
- Social circumstances, such as how familiar the User is with blockchain technology (again, only if the User chooses to provide this optional information through their profile to allow us to tailor our communication to the level of knowledge selected by them at any time), the code that a friendly user gave to the User at the time of their affiliation to mutually benefit
- Feedback and correspondence, such as the information the User provide when they report a problem with Service, receive customer support, tell us about the helpfulness of an article or submit us a request, or otherwise correspond with us;
- Transaction information, such as details about purchases you made through the Platform, OLYs and non-fungible tokens (NFT) involving a User, which include, among others, the option they vote, the NFT (type ERC-721) and the wallet addresses involved in the transaction;
- Usage information, such as information about how the User uses the Service and interact with us (including User’s activities in our metaverse); and
- Additional information the User provides to us to comply with anti-money laundering (AML) laws and know-your-customer (KYC) requirements (such as nationality and place of birth).
Information we generate in relation to our Platform, such as the number of OLY the User has in the account they logged into the Platform with.
Information we collect from others (third party sources) such as the identity information (user identifier in social network, name, e-mail and profile picture) we collect from the identity provider when the User registers or initiates a session in the Platform. We use following identity (or “sign in”) providers:
- Google Ireland Ltd, Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as “Google”).
- Apple Distribution International Ltd. Hollyhill Industrial Estate Hollyhill, Cork Republic of Ireland (hereinafter referred to as “Apple”), whose Data Protection Officer the User can contact at apple.com/legal/privacy/contact.
- Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereinafter referred to as “Facebook”), whose Data Protection Officer the User can contact at https://www.facebook.com/help/contact/540977946302970.
- Torus Labs Private Limited, 38 Lor Stangee, Singapore 425021, which provides us with the User’s Ethereum address and nickname of User’s wallet (the wallet public encryption key). The Platform will ask the User to sign in his Web3Auth wallet to complete its integration in the Platform.
- Our Payments Service Provider provides us with the last four digits of User’s credit card and a number that identifies the payment operation for future referral.
Information we collect automatically:
- Olyseum may also collect personal data from Users’ activities that are publicly visible and/or accessible on blockchains. This may include blockchain addresses and information regarding purchases, sales, or transfers of OLY Tokens or NFTs, which may then be associated with other data Users have provided us.
- We may also automatically collect Users’ IP address in order to charge value-added taxes and other duties during NFT payments.
- We may also use Google Analytics to help us offer the User an optimized user experience. You can find more information about Google Analytics’ use of User’s personal data here: https://www.google.com/analytics/terms/us.html.
Information we will never collect. We will never ask a User to share their private keys or wallet seed. Never trust anyone or any site that asks a User to enter their private keys or wallet seed.
3. How we use personal data and what is our legal bases
3.1 To sign in in the Platform
We collect the personal data that the User provides us through the registration form in order to create an account for the User with their email, password and nickname. Said email and password will allow the User to log in to the Platform and use our Services.
Alternatively, the Platform uses social logins from various identity providers, such as Facebook, Google and Apple in order to let the User to complete the registration and login without needing a separate email and password (see section “Information we collect from others” in chapter 2). It means the User can set up an account in Olyseum identifying themself with the email they already have registered in the identity provider. Then, there is no need to fill out forms or choose another new password.
We process personal data to create User’s account on the basis of the consent the User explicitly gives us by sending us the registration form, or gives the sign in provider to transfer us your login information. The User is not required to provide Olyseum with the personal data we request during the sign-in process, but if they choose not to do so, Olyseum will not be able to create their account into the Platform and provide them with the Services.
We process personal data to log the User in the Platform on the legal basis of the contract governed by the terms and conditions the User accepts during the registration process.
Users can always change the data they provide us during registrationby editing their profile on the Platform. Additionally, editing the profile allows the User to provide us with optional information, such as date of birth, gender, country, and how familiar they are with blockchain technology.
We will process this information, if provided, to improve the quality and intelligibility of our future communication with the User.
3.2 To connect the User's account with the User's wallet
Once the User registers, they can connect their account with their Brave or MetaMask wallet (or create a wallet on the Platform associated with their email).
We process the personal data that the User provides us when they decide to connect their User’s account with a wallet based on the consent that the User explicitly gives us upon successful completion of the connection process. The User is not required to provide Olyseum with the personal data that we request during the connection process, but if they choose not to do so, Olyseum will not be able to connect their wallet to the Platform and provide them with the related Services.
3.3 To provide our Services
We will use User’s personal information in the following ways:
- To enable them access and use the Services
- To provide and deliver products and services that User may request, including facilitating cryptocurrency transactions through User’s wallet.
- To process votes and codes in order to allow Users co-directing the scripts.
- To connect a wallet to a User’s account.
- To buy and mint NFTs with User’s credit card, OLYs or ETHs
- To provide User with the NFTs or OLYs they bought.
- To process and complete acquisitions and transactions, including those involving credit cards, ETHs or OLY tokens, and send them related information, including purchase confirmations.
- To send information, including confirmations, technical notices, updates, security alerts, and support and administrative messages.
- To collect face blendshape information and synchronize the collected information with User’s avatar (to create personalized users’ avatars).
- To let User invites friends or finds other Users
Our processing of the User’s personal information is necessary to perform the contract governing our provision of the Services or to take steps they request before signing up for the Service.
3.4 To comply with law
We use personal information as we believe necessary or appropriate to comply with applicable laws (including value-added taxes duties, anti-money-laundering laws and know-your-customer requirements), lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
The legal base of this processing is our legal obligation.
3.5 To communicate with our Users
We use personal information to send the User the invoice for NFTs they purchased and other transactional data, to provide the User with information about their login activity on the Platform and other functional purposes (for example, to complete a password change request), to provide the User with information about the current values of the aggregated vote of each of the options that will determine the evolution of an episode, and to communicate to the Users our promotions, contests or raffles, upcoming events, send them our newsletters and keep them informed about our stars, the episodes or the Services.
The legal base of this processing is our legitimate interest. We make sure we consider and balance any potential impacts on User (both positive and negative) with User’s rights before processing personal information for our legitimate interests. We do not use User’s personal information for activities where our interests are overridden by any adverse impact on the User (unless we have their consent or are otherwise required or permitted to by law).
The User may always oppose our legitimate interest by exercising their right as explained below, or by clicking on the link that will always be in the messages other than the merely technical or administrative ones that are necessary to maintain the relationship between the User and Olyseum.
3.6 To send our newsletters to non-registered data subjects
We process the User’s email address with their consent, expressed at the time they voluntarily subscribe to our newsletters, to provide them with information of interest, news and promotions related to the Platform and our Services.
User has the right to withdraw their consent at any time by contacting us at email@example.com or by clicking on the link provided at the bottom of each newsletter to that effect.
3.7 For customer support and bug removal
We use personal data to track and respond to data subject requests and inquiries, and to manage data subject claims or complaints, and the bug or vulnerability reports that could be submitted to us, as well as to include the submitter, where appropriate, in our bounty program.
We may also use data subject email address to provide general customer service.
We process User’s inquiries, complaints and bug reports with their consent, expressed at the time they voluntarily contact us, which they have the right to withdraw at any time in the manner indicated by our Service Desk or by contacting us at firstname.lastname@example.org. Additionally, where appropriate, we process their personal data to execute our bounty program agreement.
We keep the data necessary to manage possible data subject claims, or ours, based on our legitimate interest in defending ourselves to safeguard our rights.
3.8 To optimize Olyverse services and develop new ones
We may use personal information to operate, maintain and improve the Platform and our Services, always with the aim of optimizing user experience. To achieve this, among other data sources we use the information provided by “cookies” and other type of storage objects accepted by the data subject web browser as detailed in our cookies policy.
We process the data collected by these objects with the User’s prior consent, unless they are necessary for the proper functioning of the website. They have the right to withdraw this consent at any time in the manner indicated in our cookies policy.
Regarding the rest of the personal information we use to optimize our Platform, the legal basis for its processing is our legitimate interest after considering your rights and the balance of interests between them and us.
3.9 For fraud prevention and safety
We may use personal information to protect, investigate and deter against fraudulent, unauthorized or illegal activities, and the legal base of this processing is our legitimate interest.
3.10 For giving media coverage to events and awards ceremonies
If User participates in person or virtually in our events or we give them a prize, the independent press and our own professionals may record their image, and on previously agreed occasions, their voice, in the context of the (digital) event.
The legal basis for this processing is our legitimate interest in media coverage of events we organize or sponsor in order to use the recordings in our promotional materials, including our website and social media accounts.
Users are not required to appear on the recordings. If they wish, they have the right to oppose our legitimate interest and ask us to remove the material in which they are identified. In order to evaluate their opposition against our legitimate interest, and, if necessary, immediately remove the images that identify them, we will ask them to indicate where they have seen them.
3.11 To extract aggregate statistics in surveys
We use the data that data subject provides us when they agree to participate in a survey, for example, a satisfaction survey, for the purpose or purposes indicated in the survey itself.
The basis that legitimizes us to process this personal data is the participant’s consent to answer the survey.
3.12 To be able to use Google services
Additionally, as an obligation that Google LLC imposes on the entities that, like us, use the Google services, we inform the User that these services are operated by Google Inc., domiciled at 1600 Amphitheater Parkway, Mountain View, CA 94043, USA, and that Google Inc. is a beneficiary party of them.
We inform Users that we have activated the IP anonymization function to our website, in order to add additional safeguards in the standard contractual clauses that protect this international data transfer to the USA. With this, Google will shorten User’s IP address before transmitting it to the USA (identity obfuscation process). Only in exceptional cases is the full IP address sent to a Google server in the USA and abbreviated there. Google guarantees that the IP address transmitted by User’s browser to Google Analytics will not be processed together with any other data held by Google.
User can review the categories of personal data processed by these services at privacy.google.com/businesses/adsservices
3.13 To notify Users of security breaches
At Olyseum we assume security measures appropriate to the level of risk to protect personal information against loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal information; however, if we determine that personal data has been misappropriated (including by an employee or former employee of Olyseum), exposed by a security breach, or improperly acquired by a third party, exposing data subjects to high risk, we will inform those data subjects immediately about this security breach, misappropriation or acquisition, and about the measures we have taken and those that are recommended to the data subject so that the breach does not affect them.
The basis that legitimizes this treatment is the legal obligation set forth in article 24 of the FADP and 34 of the GDPR, and our legitimate interest in preventing this security breach from harming data subjects.
3.14 For new compatible purposes
Finally, we may use User’s personal information for reasons not described in this Policy, where we are permitted by law to do so and where the reason is compatible with the purpose for which we originally collected it. If we need to use their personal information for an unrelated purpose, we will notify them and explain the applicable legal basis for that use. If we need to use their personal information for an unrelated purpose, we will notify them and explain the applicable legal basis for that use.
4. With whom we share User’s personal data
Aside as described below, we do not share the personal information that a User provide us with third parties without their express consent. We disclose personal information to third parties under the following circumstances:
- We may share information with those who need it to do work for us (our service providers). These recipients may include third party companies and individuals to administer and provide the Service on our behalf (such as customer support, hosting, email delivery and database management services).
- We may share information with whoever we need to execute the terms and conditions of the Services we provide to the User at their request, as long as they do so on their behalf ( wallet providers and payment service providers, for example, as well as lawyers and auditors).
- We may share personal information to comply with legal, regulatory, protection, and safety purposes, as well as to respond to lawful requests of authorities, regulators, self-regulatory authorities or courts and legal processes.
- We may share information when Users request it, based on their consent, such as when they share their vote on social networks.
- We may share personal information when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- We may share information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any person.
- Finally, the Platform may publish the nickname and photo of its Users.
Please note that we do not disclose personal information with any online tailored advertisement providers.
5. Transfer of data abroad
Users are informed that in order to provide the Service personal data may have to be transferred outside of Switzerland, to member estates’ of the European Economic Area and countries that have been granted an adequacy decision according to the Federal Data Protection and Information Commissioner (FDPIC) and the European Commission. In the event that User’s personal information needs to be transferred to a country that does not benefit of such adequacy decision, Olyseum undertakes to base the transfer on a data transfer mechanism recognized by the FDPIC and the European Commission as providing adequate protection for the User’s personal information, or to inform them and obtain their prior written consent regarding such processing. User may contact us if they want further information on the specific mechanism used by us when transferring their personal information to such third-party countries.
6. Data conservation
Olyseum shall only store Users’ personal data for as long as Users use the Platform and as long as their personal data are necessary for Olyseum to comply with its contractual and legal obligations (in particular the tax regulations and the Swiss code of obligations).
In some circumstances we may anonymize Users personal information (so that it can no longer be associated with any data subject), in which case we may use this anonymized information indefinitely.
7. Rights and Requests of Users
Under the GDPR and the FADP, the User has the following rights regarding their personal information:
Right to opt-out: withdraw the consent for the processing activities that the User has previously consented, without this affecting the lawfulness of the processing performed by Olyseum before the withdrawal of the consent. In such circumstances, Users understand that Olyseum may not be able to provide the Service that depended on that consent.
- Right to access: Provide User with information about our processing of their personal data and give them access to their personal information
- Right to have their personal data corrected: Update or correct inaccuracies in User’s personal information.
- Right to restrict: Restrict the processing of User’s personal information.
- Right to object: Object to our processing of User’s personal data, in particular our reliance on our legitimate interests as the basis of our processing of their personal information.
- Right to have their data deleted: Delete User’s personal information.
- Right to data portability: Transfer a machine-readable copy of User’s personal information to the User or a third party of their choice.
- Right to file a complaint with a supervisory authority, in particular in the state of the User’s habitual residence or at the place of the alleged infringement, if they consider that our processing of their personal data breaches the applicable data protection laws.
User can submit all the above requests by email to email@example.com. We may request specific information from the User to help us confirm their identity and process their request. Applicable law may require or permit us to decline User’s request. If we decline their request, we will tell them why, subject to legal restrictions.
If the User would like to submit a complaint about our use of their personal information or response to their requests regarding their personal information, they may contact us at firstname.lastname@example.org or submit a complaint to the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Berne, phone +41 58 462 43 95, fax +41 58 465 99 96, www.edoeb.admin.ch/.
Please note that our Services are not directed to persons under the age of 18 (Minor). We do not knowingly collect personally identifiable information from any Minor. If you are a parent or guardian and you are aware that a Minor has provided us with personal data, please contact us. If we become aware that we have collected personal data from a Minor, we will take steps to remove that information from the Platform.
Finally, we inform the User that regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. For more information, please see our Cookies Policy. Specifically, for what regards the statistical cookies that we use in conjunction with the Google Analytics service, the User may exercise choices regarding the use of these cookies by going to https://tools.google.com/dlpage/gaoptout and downloading the Google Analytics Opt-out Browser Add-on.
8. Security measures
We are fully committed to protecting User’s privacy and personal data. We have prepared a record of all the personal data processing activities (ROPA) that we carry out, we have analysed the risk that each of these activities may pose to them, and we have implemented the appropriate legal, technical and organizational safeguards to avoid, as far as possible, the alteration of their personal data, its misuse, loss, theft, unauthorized access, or unauthorized processing. We keep our policies up to date to ensure that we provide them with all the information we have about the processing of their personal data, and to ensure that our staff receive the appropriate guidelines regarding how they should treat their personal data. We have signed data protection clauses and or data protection agreement with all our service providers, taking into account the need that each one has to process personal data.
We restrict access to personal data to those employees who really need to know it to carry out any of the processing activities referred to in this policy, and we have trained and made them aware of the importance of confidentiality and maintaining the integrity and availability of information, as well as on the disciplinary measures that any possible infraction in this matter would imply.
However, if we determine that User’s data has been misappropriated (including by an employee or former employee of Olyseum), exposed by a security breach, or improperly acquired by a third party, exposing them to high risk, we will notify them immediately about this security breach, misappropriation or acquisition, and about the measures we have taken and those that we recommend them take so that the breach does not affect them or affects the minimum.
Last update: 21 May 2023