Privacy Policy

Entered into force on February 21, 2026.

On-chain voting result: association.dao.eth/transaction-hash

1. General Provisions

1.1. Subject: This Privacy Policy (hereinafter the "Policy") regulates the procedures for collecting, using, storing, and protecting data related to the activities of New Epoch Association (hereinafter the "Association"), its website, and software.

1.2. Acceptance: Use of the website, software, and/or ownership of the Association’s Tokens constitutes unconditional acceptance of this Policy.

1.3. Recognition: The Association and Authorized Representatives acting within its protocol acknowledge the importance of protecting the privacy and confidentiality of users' personal data and commit to complying with applicable legal norms, including but not limited to: the European Union General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA/CPRA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Law (LGPD), China’s Personal Information Protection Law (PIPL), as well as other applicable international and national regulations.

1.4. Jurisdictions: This Policy applies to the processing of data relating to data subjects located in the jurisdictions where the Association operates.

1.5. Decentralization: The User acknowledges that the Association is a decentralized autonomous association.

1.6. Applicable Law: This Policy is governed by the substantive law of Switzerland. Lex Cryptographica (protocol code) is applied subsidiarily.

2. Responsible Entity

2.1. Appointment: In accordance with the Governance Resolution, the Association, represented by the Data Protection Authorized Representative (hereinafter "DPAR"), engages an external Data Processor, responsible for overseeing compliance with nDSG, GDPR, and this Policy.

2.2. Contact Information: Data Protection Authorized Representative (Data Protection Coordinator): privacy@newepoch.org

2.3. Information Provision: Upon receiving a lawful and justified request from governmental or regulatory authorities, the Association will forward such request to the designated Data Processor for processing according to applicable law.

3. Data Collection and Use

3.1. Data Collection: The Association collects only data necessary for the operation of the website, software, decentralized protocol, and ensuring transparency of their activities. Such data include:

3.1.1. Personal Data:

3.1.1.1. Identification data: During website registration, email address, login, and password (stored in encrypted or hashed form, making it unreadable) are requested.

3.1.1.2. Mailing data: When subscribing to newsletters, name and email address are requested.

3.1.1.3. Profile data: Depending on the website features used, such as membership-based access control systems, other necessary data may be requested to provide specific services.

3.1.2. Public Blockchain Data: Cryptographic addresses, records of transactions with Association Tokens (FT and GT), voting records, and other data voluntarily published by users on the blockchain.

3.1.3. Technical Data: Information generated when accessing the Association’s website and software, necessary solely for security and operability:

3.1.3.1. Website usage data: IP address, browser type, operating system, pages visited, time, and date of access. These data may become identifiable when combined with other information and thus be considered personal data. They are collected automatically through web analytics systems and similar technologies.

3.1.3.2. Device data: Information about the device used, including device type (desktop, mobile), model, and screen resolution. Exact location data are neither requested nor collected.

3.1.3.3. Content interaction data: Information on website usage, including content viewing and participation in interactive modules.

3.2. Data Use: Collected data are used exclusively for the purposes of:

3.2.1. Providing website access: Processing data to allow registration, account management, and content access (legal basis: contract performance).

3.2.2. Communication with users: Processing data to send newsletters, important updates, and respond to inquiries (legal basis: consent for newsletters, and legitimate interest for replies and service notifications).

3.2.3. Ensuring security: Processing data to prevent fraud, protect site integrity, and safeguard user data (legal basis: legitimate interest and legal obligation performance).

3.2.4. Service analysis and improvement: Processing data to analyze user interaction with the site, optimizing functionality and developing new features (legal basis: legitimate interest).

3.2.5. Ensuring operation: Processing data for proper functioning of smart contracts and protocol, verifying voting rights, processing on-chain transactions, and ensuring transparency of financial activities and governance of the Association (legal basis: contract performance).

3.2.6. Compliance with legal obligations: Processing data to fulfill legal obligations, such as lawful requests from governmental bodies (legal basis: legal obligation).

3.3. Processing of Non-Public Data: The Association does not collect data that directly identifies individuals except for login, name, email address, and public cryptographic addresses. Processing of any non-public data provided to Authorized Representatives under their Mandate is conducted in accordance with Swiss data protection principles.

3.4. KYC/KYB: The Association conducts necessary risk-oriented "Know Your Customer" (KYC) or "Know Your Business" (KYB) procedures, as set forth in the Mandate Agreement.

4. Use of Cookies

4.1. Cookies: Cookies are used to enhance user experience and collect analytics information. A cookie is a small text file saved on the user's device upon site visit. More details are provided in the Cookie Policy.

5. Data Sharing with Third Parties

5.1. Data Sharing: The Association does not sell, rent, or exchange users’ personal data. Data may be shared with third parties only in the following cases:

5.1.1. Service Providers: The Association may engage third-party providers for website operation, including hosting providers, content management systems, newsletter services, web analytics services, and membership platforms. These providers, acting as data processors, commit to confidentiality and use data solely to perform their functions per instructions. Data processing agreements are concluded to ensure compliance with applicable laws. The full list of key service providers is available upon justified request.

5.1.2. Internal Sharing within the Association: Some data may be accessible to other Association members, for example, via public profiles, comments, or voting systems. Such data sharing occurs based on explicit user consent.

5.1.3. Legal Requirements: In case of lawful requests from governmental authorities or courts, and to protect the rights and interests of the Association.

6. International Data Transfers

6.1. Data Transfers: As an international organization, the Association may transfer, store, and process personal data in jurisdictions outside the user’s country of residence.

6.2. Security Measures: The Association takes all necessary measures to ensure an adequate level of data protection in accordance with applicable laws. When required, the Association uses Standard Contractual Clauses approved by the European Commission and applies additional technical and organizational measures (e.g., zero-access encryption) to ensure an equivalent protection level to GDPR/nDSG, including risk assessment of data transfers to third countries.

7. Data Retention

7.1. Data Retention: Personal data are stored only as long as necessary to achieve the purposes for which they were collected. Criteria for determining retention periods include:

7.1.1. Duration of service use: Data necessary for content access and account management are retained for the entire period of use.

7.1.2. Legal obligations: Data may be retained longer if required for legal compliance.

7.1.3. Dispute resolution and rights protection: Data may be retained to resolve disputes or protect the Association’s lawful rights.

7.2. Data Deletion: Upon expiration of retention periods, personal data are deleted or anonymized. The Association commits to deleting account-related data in accordance with legal requirements.

7.3. Blockchain Data Storage: Blockchain data are stored in a decentralized public ledger and cannot be deleted due to technical impossibility.

8. Security Measures

8.1. Data Protection: The Association undertakes reasonable technological measures to protect personal data under its control from unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, data encryption (SSL/TLS) during transmission and storage, access control, two-factor authentication, regular audits, and backups. Privacy by Design principles are integrated into the Association’s system architecture.

8.2. Risk Assessment: Before transferring data to any new jurisdiction, the Association conducts a risk assessment and, if necessary, implements additional safeguards. These include, but are not limited to, data encryption in transit, anonymization or pseudonymization where possible, and data minimization to protect against unauthorized access.

8.3. Impact Assessment: For high-risk processing of personal and special category data (e.g., KYC/KYB), the Association initiates a Data Protection Impact Assessment (DPIA) as required by nDSG and GDPR to systematically analyze and mitigate risks to data subjects’ rights and freedoms.

8.4. Acknowledgment: The User acknowledges that due to the nature of the internet and blockchain, absolute security cannot be guaranteed by the Association.

9. Data Subject Rights

9.1. Rights of Data Subjects: In accordance with applicable law, data subjects have the right to:

9.1.1. Access: Request information about personal data processed by the Association.

9.1.2. Rectification: Request correction of inaccurate or incomplete data.

9.1.3. Erasure ("right to be forgotten"): Request deletion of data in certain cases.

9.1.4. Restriction: Request restriction of data processing.

9.1.5. Opt-out of sale or transfer: Request information on data categories collected and exercise the right to prohibit sale or transfer. The Association does not "sell" or "transfer" personal data. Nevertheless, users may exercise their rights by contacting the Association at the address provided in section 2.2.

9.1.6. Data Portability: Receive data in a structured, commonly used format.

9.1.7. Objection: Object to data processing.

9.1.8. Consent Withdrawal: Withdraw previously given consent to processing at any time.

9.1.9. Non-Discrimination: The Association does not discriminate against users exercising privacy rights.

9.2. Rights Implementation: To exercise these rights, users may contact the Association at the email address provided in section 2.2 of this Policy.

10. Dispute Resolution

10.1. Internal Arbitration: All internal disputes, disagreements, or claims arising between the user and the Association shall be resolved in accordance with the Association’s Conflict Resolution and Ethics Regulation.

10.2. External Arbitration: All external disputes, disagreements, or claims arising between an external counterparty and the Association shall be finally resolved by mandatory arbitration under the Arbitration Rules, incorporated by reference into this Policy and an integral part thereof.

11. Effective Date and Amendments

11.1. Effective Date: This Policy enters into force simultaneously with the date and time the Governance Resolution enters into force.

11.2. Amendments: Any changes to this Policy may only be made through Voting with Qualified Confirmation performed in accordance with provisions established in the Governance Resolution.

11.3. Notice: Continued use of the Association’s website, software, and Tokens after publication of amendments constitutes user acceptance of the updated Policy.