# Privacy Policy

### 1. Introduction

**Codepp Pte. Ltd.**, a company incorporated in the Republic of Singapore (the "**Company**," "we," "us," or "our"), operates the Vote.Token service (the "**Service**") and is the data controller responsible for processing your personal data.

This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you access or use the Service. This Policy is designed to comply with applicable data protection laws, including:

* Singapore **Personal Data Protection Act 2012** (PDPA);
* European Union **General Data Protection Regulation 2016/679** (GDPR) and the United Kingdom Data Protection Act 2018, where applicable to users accessing the Service from the EU or the UK.

"Nestree" refers to an affiliated group of entities that may support the development and promotion of the Service but is not the data controller of the Service.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

***

### 2. Scope of This Policy

This Policy governs all personal data collected through the Site, the Interface, and the Service. It does not cover information collected offline or through third-party websites, affiliates, or subsidiaries operated by other entities. Aggregated or anonymized data that cannot identify a user is not considered personal data.

***

### 3. Personal Data We Collect

We collect the following categories of personal data:

#### 3.1 Data You Provide

* **Account Information**: Email address, nickname, password (hashed), date of birth
* **Authentication Data**: Google OAuth tokens (if you log in via Google)
* **Contact and Support Information**: Any information you provide when contacting customer support

#### 3.2 Data Automatically Collected

* **Blockchain Data**: Public wallet addresses associated with your account, voting participation records recorded on the blockchain, Vote Ticket balances
* **Usage Data**: IP address, device type, browser type, operating system, referring URL, pages visited, time spent on pages, interaction data
* **Cookies and Similar Technologies**: Session cookies, analytics cookies (see Section 9)

#### 3.3 Data From Third Parties

* **Analytics Providers**: We use Google Analytics to collect aggregated usage statistics. Google Analytics may collect IP addresses and device identifiers. For more information, see Google's Privacy Policy.

***

### 4. Legal Basis for Processing (GDPR Users)

For users accessing the Service from the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases:

| Processing Purpose                                                     | Legal Basis                              |
| ---------------------------------------------------------------------- | ---------------------------------------- |
| Provide the Service (account creation, voting, Vote Ticket management) | Contract (Art. 6(1)(b) GDPR)             |
| Comply with legal obligations (KYC, AML, tax, regulatory requests)     | Legal obligation (Art. 6(1)(c) GDPR)     |
| Analyze usage and improve the Service                                  | Legitimate interests (Art. 6(1)(f) GDPR) |
| Send service announcements and important notices                       | Legitimate interests (Art. 6(1)(f) GDPR) |
| Send marketing communications (where applicable)                       | Consent (Art. 6(1)(a) GDPR)              |
| Protect the Service from fraud and abuse                               | Legitimate interests (Art. 6(1)(f) GDPR) |

***

### 5. Purposes of Use

We use your personal data for the following purposes:

* To provide, operate, and maintain the Service;
* To verify your identity and age (18+ requirement);
* To process your participation in voting and manage Vote Ticket balances;
* To communicate with you regarding your account and the Service;
* To send service announcements, updates, and (with your consent) marketing materials;
* To detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized access;
* To comply with applicable laws and respond to lawful requests from authorities;
* To analyze and improve the Service.

If you wish to opt out of marketing emails, please contact us at [**social@nestree.io**](mailto:social@nestree.io) or use the unsubscribe link in the emails.

***

### 6. Users Under the Age of 18

The Service is not intended for children under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from someone under 18, we will delete it promptly. If you believe that a child under 18 has provided personal data to us, please contact us at [**social@nestree.io**](mailto:social@nestree.io).

***

### 7. Retention of Personal Data

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by applicable law.

| Data Category                | Retention Period                                                                                                         |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Account Information          | Until account deletion, plus up to 90 days for backup purposes                                                           |
| Authentication Data          | Duration of active session, plus 30 days                                                                                 |
| Customer Support Records     | 3 years from last interaction                                                                                            |
| Transaction / Voting Records | Retained on the blockchain indefinitely (immutable); off-chain index may be retained for 7 years for regulatory purposes |
| Usage / Analytics Data       | 26 months (Google Analytics default)                                                                                     |
| Marketing Consent Records    | Until consent withdrawal, plus 3 years for evidentiary purposes                                                          |

**Blockchain Data**: Due to the nature of blockchain technology, transaction records and wallet addresses recorded on public blockchains cannot be deleted. You acknowledge that any data written to a blockchain is permanent and public.

***

### 8. Disclosure of Personal Data to Third Parties

We do not sell your personal data. We may share personal data with the following categories of recipients, only as necessary:

* **Service Providers**: Cloud hosting (infrastructure providers), analytics (Google Analytics), email delivery, customer support tools. These providers process data on our behalf under written agreements that require appropriate data protection.
* **Affiliates**: Nestree group entities, for operational support under appropriate confidentiality and data protection agreements.
* **Legal and Regulatory Authorities**: Where required by law, court order, or legitimate government request.
* **Business Transfers**: In connection with a merger, acquisition, reorganization, or sale of assets, provided that the successor entity is bound by this Policy or an equivalent policy.
* **With Your Consent**: In any other case, with your explicit prior consent.

***

### 9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service:

* **Strictly Necessary Cookies**: Required for authentication, session management, and security. Cannot be disabled.
* **Analytics Cookies**: Google Analytics, for aggregated usage statistics.
* **Preference Cookies**: Store your language and display preferences.

You can control cookies through your browser settings. Disabling strictly necessary cookies may impair the functionality of the Service.

***

### 10. International Data Transfers

The Service is operated from Singapore. Your personal data will be transferred to, stored in, and processed in Singapore, which may be outside your country of residence. When we transfer personal data from the EEA, UK, or Switzerland to Singapore or other jurisdictions, we rely on:

* The European Commission's adequacy decisions, where applicable;
* Standard Contractual Clauses (SCCs) approved by the European Commission;
* Other lawful transfer mechanisms.

You may request a copy of the applicable transfer safeguards by contacting us at [**social@nestree.io**](mailto:social@nestree.io).

***

### 11. Your Data Protection Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

* **Right of Access**: Request a copy of the personal data we hold about you.
* **Right to Rectification**: Request correction of inaccurate or incomplete personal data.
* **Right to Erasure ("Right to be Forgotten")**: Request deletion of your personal data, subject to legal retention requirements.
* **Right to Restriction of Processing**: Request that we limit how we process your personal data.
* **Right to Data Portability**: Receive your personal data in a structured, commonly used, machine-readable format.
* **Right to Object**: Object to processing based on legitimate interests or for direct marketing.
* **Right to Withdraw Consent**: Where processing is based on consent, withdraw it at any time (without affecting prior lawful processing).
* **Right to Lodge a Complaint**: File a complaint with your local data protection authority (e.g., the Personal Data Protection Commission of Singapore, or your EU data protection authority).

**Please note**: Due to the immutable nature of blockchain technology, we cannot delete data that has been recorded on a public blockchain. However, we can delete the association between your account and such blockchain data in our off-chain systems.

To exercise any of these rights, please contact [**social@nestree.io**](mailto:social@nestree.io) with the subject line corresponding to the right you wish to exercise (e.g., "Access Request," "Deletion Request"). We will respond within 30 days (or longer where permitted by law, in which case we will notify you).

***

### 12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, disclosure, alteration, and destruction, including encryption in transit (TLS), access controls, and regular security reviews. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

***

### 13. Data Protection Contact

For all privacy-related inquiries, requests to exercise your rights, or complaints, please contact:

* **Email**: <social@nestree.io>
* **Entity**: Codepp Pte. Ltd., Singapore

For EEA users, we have appointed an EU representative as required by Article 27 of the GDPR. Contact details are available upon request to <social@nestree.io>.

***

### 14. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Material changes will be notified through the Service or by email to the address associated with your account. Your continued use of the Service after changes become effective constitutes acceptance of the updated Policy.

***

### 15. Governing Law

This Privacy Policy is governed by the laws of the Republic of Singapore, without prejudice to mandatory data protection laws applicable to you based on your jurisdiction of residence.
