PRIVACY POLICY

OF THE

BREAD.GG PLATFORM

version of 1st February 2025

Introduction

This Privacy Policy describes how BREAD Platform INC, a company established under the laws of Panama with its registered office in  Panama City, address: Bloc Office Hub, Fifth Floor, Santa Maria Business District, Panama City, Panamá, 801 - Panama (“BREAD”, “we”, “our” or “us”) collects and uses your personal data and cookies in connection with your use of the Platform and the Service.

This Privacy Policy consists of two parts:

  • Privacy Notice – which describes how we collect and use your personal data;
  • Cookie Notice – which describes how cookies and similar technologies are used.

We provide the Platform and the Services subject to the Terms. Please read the Terms before accessing or using the Services or the Platform.

Definitions

All terms not defined in this Privacy Policy shall have the meaning as defined in the Terms or in the GDPR. The following terms used in this Privacy Policy shall have the meaning set forth below:

  • Applicable Data Protection Law – any applicable laws, statutes, regulations, orders, regulatory requirements, bylaws, and other similar legal instruments in force from time to time relating to data protection, data security, privacy and/or the collection, use, disclosure and/or processing of personal data, including but not limited to the GDPR.
  • controller, processor, processing and other terms relating to personal data not defined here have the meaning as defined in Article 4 of the GDPR.
  • EEA – European Economic Area.
  • GDPR – General Data Protection Regulation 2016/679 of 27 April 2016.
  • ICT Systems – the ICT Systems as defined in the Terms.
  • personal data – information about identified or identifiable natural person as defined in Article 4(1) of the GDPR.
  • BREAD.GGa BREAD.GG project;
  • Platform – the Platform as defined in the Terms
  • Privacy Policy – this Privacy Policy.
  • Restricted Countries – Restricted Countries as defined in the Terms.
  • Restricted Individuals – Restricted Individuals as defined in the Terms
  • Services – the Service as defined in the Terms.
  • Terms – Terms of Service of the BREAD.GG Platform available at www.bread.gg.
  • User (“you”, “your” etc.) – the User as defined in the Terms.
  • Web3 Services – the Services that involve crypto-assets as defined in the Terms.

Changes

The current version of the Privacy Policy has been adopted and is effective as of 6 November 2024.

We may change the Privacy Policy from time to time. For example, we may do this when it is necessary due to changes in the Terms, changes in legal requirements or changes in the way we use your personal information. We may also amend the Privacy Policy to make it clearer, more accessible and easier for you to understand.

You should check the Privacy Policy before using the Platform and/or the Services. If we change the Privacy Policy, we will give you access to previous versions of the Privacy Policy.

  1. PRIVACY NOTICE

  1. Controller and contact details

We, BREAD, are the controller of your personal data to the extent this Privacy Policy applies. You can contact us by email at: contact@bread.gg.

Please note that by using crypto assets in connection with the Platform or the Services, you will be interacting with blockchain network(s). We are responsible for processing your personal data in connection with the Service. However, as the blockchain technology operates on a decentralized network, we don’t have any control over such networks.

  1. Children

The Platform and Services are restricted to persons who are at least 18 years of age. We do not knowingly collect personal data from people who are less than 18 years of age in connection with the Platform or the Services. If you – the User – are below 18 years old, you may not use or interact with the Platform or the Services.

  1. Sources of personal data

We collect your personal data from the following sources:

  1. You

We collect your personal data from you in connection with your use of the Platform or the Services. For example, we collect data when you provide us with your e-mail address when you create your Account.

  1. Automatic data collection

We collect your personal data from your devices or software in connection with your use of the Platform or the Services. For example, we may collect information about your device, its operating system or other software, hardware details, web browser settings and so on.

  1. Third parties

We collect your personal data from third parties in connection with your use of the Platform or the Services. For example, when you interact with our profile on social media platforms such as Twitter (X). We also collect information from our service providers in connection with tools such as Google Analytics or Hotjar solutions. Please consult the Cookie Notice for more information.

  1. Blockchain networks

We collect personal and/or anonymous data from blockchain networks in connection with providing the Services where it involves Web3 Services. Such information may include personal and/or anonymous data (please consult Section 1.4.7 for more details).

  1. Categories of personal data

We use your personal data only when it is lawful under the applicable privacy law and only to the extent it is necessary to achieve our purposes (please consult Section 1.4). We collect and use the following types of your personal data in connection with your use of the Platform and the Services.

  1. Account data

The account data includes data collected and used in connection with your Account, as well as other basic data, including your contact details. For example, this includes:

  • Account information
  • Account history
  • Names and contact details
  • Public address of the Wallet

  1. Customer feedback data

The customer feedback data includes data collected and used in connection with your participation in our surveys or questionnaires or your other requests, questions, and queries. For example, this includes:

  • Feedback on our Services
  • Names and contact details

  1. Customer interaction data

The customer interaction includes data collected and used in connection with your interactions or visits with our profiles or accounts on social media platforms or online communicators. For example, this includes:

  • Contents of your message to us
  • Names and contact details
  • Social media platform user data (including your nickname or avatar)

Operators of such platforms or communicators are independent data controllers. Your use of such platforms is subject to the privacy policies and terms and conditions of their providers. We encourage you to consult such documents before using such services. We are not responsible for the privacy policies and practices of such third parties.

  1. Customer support data

The customer support data includes data collected and used in connection with customer support provided by us to you. For example, this includes:

  • Call recordings
  • Information relating to compliments or complaints
  • Names and contact details
  • Records of meetings and decisions
  • Services user information (including user journeys and cookie tracking)

  1. KYC data

 The KYC data includes your personal data processed by us in connection with the KYC verification and the results of subsequent processing of such data. For example, this may include information whether you have passed the KYC verification, your status as a person from a Restricted Country, information whether you are listed on one of the sanction lists, our decisions as regards you in the context of the KYC verification and so on. This also includes personal data obtained by our KYC service providers or by us from relevant publicly accessible sources, such as public registers, sanction lists or lists of persons entrusted with prominent public functions (so-called “politically exposed persons”). Depending on a particular processing operation we may also use the following categories of data:

  • general data – such as full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship,
  • ID document data – such as document type, issuing country, number, expiry date, security features;
  • contact data – such as e-mail address, address (e.g. street, city, country, postcode);
  • biometric data – such as data obtained by extracting your facial features from uploaded or recorded facial images on government-issued identity documents submitted by you;
  • facial image data – such as photos or videos of your face;
  • Web3 data - such as information on transactions made by you with your Wallet connected to the Platform.

  1. Payment data

The payment data includes data collected and used in connection with your transactions regarding the Website and/or the Services. For example, this includes:

  • Your Custodial Wallet balance
  • Amounts of Crypto-Assets exchanged using the Services
  • Due BREAD Fees
  • Amounts of Crypto-Assets used in connection with staking and providing liquidity
  • Amounts of Crypto-Assets deposited and withdrawn to and from Your Custodial Wallet.

  1. Technical data

The technical data includes data collected and used in connection with the ICT Systems to provide Services. Most of this information is anonymous data. However, in some cases it may be used to identify you, for example in combination with other data. In such cases we treat it as personal data. For example, this includes:

  • IP addresses
  • Location data
  • User hardware and software data
  • Platform user information (including user journeys and cookie tracking)

  1. Tracking data

The tracking data includes data collected and used in connection with use of cookies and similar technologies, such as pixels, beacons, tags, device IDs, Local Shared Objects or tracking pixels. Please consult the Cookie Notice to learn more about cookies and similar technologies. For example, this includes:

  • Browsing history
  • Cookie identifiers
  • Fingerprinting data (including unique device identifiers and mouse events)
  • IP addresses
  • Location data
  • User hardware and software data
  • Platform user information (including user journeys and cookie tracking)

  1. Web3 data

The Web3 data includes anonymous data and, in some cases, your personal data that we receive in connection with your use of the Web3 Services, as well as our activity and the activity of third parties connected with rendering the Web3 Services. This includes publicly accessible on-chain information (which can be personal data) and limited off-chain information of technical nature (anonymous data, as a rule). This also includes Wallet public address which is a personal data when the Wallet can be linked to you (the User). In general, if Web3 data allows for your identification we treat it as personal data in compliance with the Applicable Data Protection Law. For example, this includes:

  • Public address of User’s Wallet

  1. Purposes and legal grounds of processing

We collect and process your personal data in connection with your use of the Platform and the Services. As a rule, we collect your personal data directly from you and from your devices. We process your personal data to the extent necessary to provide the Services, ensure smooth operation of the Platform or for other legitimate purposes. You can find the description of such purposes and legal grounds for processing in greater detail below.

  1. Analytics

We use your personal data for analytical and statistical purposes. Where required by law, we will only conduct analytical activities with your consent. Where we use cookies for analytical purposes, Section 1.5.5 below applies. The legal ground for such processing is:

  • our legitimate interest (Art. 6(1)(f) of the GDPR), which consists of conducting analyses of your activity, as well as of your preferences to improve functionalities and services provided by us.

  1. Business operations

We use your personal data for the technical and administration purposes in connection with the maintenance and development of our business. For example, this includes internal assessments, audits, products and services development or improvement and so on. The legal ground for processing your personal data is:

  • our legitimate interest (Art. 6(1)(f) of the GDPR), which consists of maintaining and developing our business operations and improving our products and services.

  1. Compliance

We use your personal data to ensure compliance with the applicable law. For example, this includes processing of your personal data to comply with consumer protection law or the GDPR. The legal ground for processing is:

  • the necessity of processing for compliance with appropriate legal obligation under applicable law to which we are subject (Art. 6(1)(c) of the GDPR).

  1. Contract performance

We use your personal data to perform contracts we have executed with you. For example, this includes contract subject to the Terms under which we provide the Services. Please consult the Terms for more detailed description of the Services. The legal ground for such processing is:

  • the necessity of processing for either taking steps at your request prior to entering into a contract and/or performance of a contract with you (Art. 6(1)(b) of the GDPR).

  1. Cookies

We use your personal data in connection with the use of cookies or similar technologies for purposes described in the Section 1.5. For example, we may use cookies for analytical and statistical purposes (Section 1.5.1). Please consult the Cookie Notice to learn more about cookies and similar technologies. The legal grounds for processing your personal data are (depending on the type of cookies):

  • your consent (Art. 6(1)(a) of the GDPR); or
  • the necessity of processing for performance of a contract with you (Art. 6(1)(b) of the GDPR).

  1. KYC verification

We may use your personal data in connection with the KYC verification. The legal grounds for processing your personal data are, depending on a particular processing operation:

  • necessity of processing for compliance with appropriate legal obligation under applicable statutory anti-money laundering and counter financing terrorism law to which we are subject (Article 6(1)(c) GDPR) - as regards compliance with the AML/CFT duties set out in the applicable law;
  • necessity of processing for the performance of a task carried out in the public interest (Article 6(1)(e) GDPR) – as regards compliance with the AML/CFT standards not set out in the applicable law;
  • necessity of processing for performance of a contract with you (Article 6(1)(b) GDPR) – as regards the automated decision-making systems;
  • your explicit consent as regards processing special categories of personal data, such as biometric data (Article 6(1)(a) and Article (2)(a) GDPR) – where applicable
  • your explicit consent as regards processing special categories of personal data, such as biometric data (Article 6(1)(a) and Article (2)(a) GDPR) – in other cases.

  1. Legal rights

We may use your personal data, if necessary, to establish and assert claims or to defend against claims.  The legal ground for such processing is:

  • our legitimate interest (Art. 6(1)(f) of the GDPR), which consists of the protection of our legal rights.

  1. Marketing

We use your personal data for communication and marketing purposes. For example, this includes providing you with our notifications, email or other messages containing commercial information about our brand, products, or services. This also includes processing your personal data for the purpose of promoting our brand, including informing you about activities, events and news concerning us when you interact with our social media profiles. Where required by law, we will be conducting direct marketing activities only with your consent. The legal ground of the processing is:

  • our legitimate interest (Art. 6(1)(f) of the GDPR), which consists of improving our services, communication with the Users, promotion, and marketing.

  1. Security

We use your personal data to ensure the security of the Platform and our ICT Systems and to manage them. For example, we record some of your personal data in system logs (special computer programs used for storing a chronological record containing information about events and actions related to the ICT Systems used for rendering the Services by us). The legal ground of the processing is:

  • our legitimate interest (Art. 6(1)(f) of the GDPR), which consists of our need to ensure security and safety of our ICT Systems used in connection with the Platform and the Services.

  1. Data storage

We store your personal data only as long as necessary for the purposes we collected it. After the end of the period of data storage, we permanently delete or anonymize your personal data.

The duration of storage depends on the purpose of processing. For example, we store your personal data for the period when we provide you the Services in accordance with the agreement we have entered with you subject to the Terms. We store personal data processed based on legitimate interest(s), our or those of a third party, until you lodge an effective objection to such processing. Similarly, when we process your personal data based on your consent, we store it until you withdraw your consent.

The duration of storage or use of your data may be extended in certain situations. For example, we may store your personal data after you terminate the agreement with us when required by law. We may also continue to store and use the same dataset if we use it for a different purpose and on a different legal basis, if admissible by law. For example, if you terminate the agreement with us, we may continue to use personal data provided by you in connection with your use of the Services when necessary to establish and assert possible claims or to defend against claims (if we have a legitimate interest to do so).

Please note that due to the nature of the blockchain technology it may be technically impossible, depending on a blockchain protocol, to delete any information recorded on-chain in a public blockchain network. We don't have any control over such networks due to the fact that the blockchain technology operates on a decentralized network. Such immutability of records may occur due to the nature of the blockchain technology.

  1. Data recipients

As a rule, we do not share your personal data unless it is necessary. For example, we may share your personal data for example in connection with the provision of the Services under the Terms. We may disclose your personal data to the following categories of recipients:

  • external developers or software solution providers;
  • KYC and CDD solutions providers, such as Sum and Substance, a limited liability company, with a registered office in London, England;
  • anti-fraud solutions providers, such as agencies engaged in identity verification, compliance data recording, credit agencies, fraud prevention or financial crime prevention;
  • marketing and advertising services providers;
  • analytical tools providers;
  • data storage providers;
  • professional advisors, such as lawyers, accountants, and tax advisors.

Please note that due to the nature of the blockchain technology your use of the blockchain networks in connection with certain Services, depending on the blockchain protocol, may result in recording of some of your personal data on-chain in a public blockchain network. This means that your personal data could be identified directly, when combined with other data, or when anonymous data is de-anonymized. As a result, third parties that have access to such network may potentially access your personal data.

  1. Data transfers

The level of protection for the personal data outside the European Economic Area (EEA) differs from that provided by the EU law. For this reason, we transfer your personal data outside the EEA only when necessary and with an adequate level of protection.

We secure the adequate level of protection primarily by cooperating with processors of the personal data in countries for which there has been a relevant European Commission decision finding an adequate level of protection for the personal data. Alternatively, we may use the standard contractual clauses issued by the European Commission. If you want to learn more about these safeguards, obtain a copy of them or learn where they have been made available, contact us (please consult Section 1.1 above).

  1. Requirement to provide personal data

In some cases, provision of your personal data is mandatory by law or necessary to carry out your request or to perform a contract we have with you. If you don’t provide us with your personal data in such situations, we may not be able to carry out your request, perform a contract with you (or enter into it) or comply with the law. In some cases, this may mean that we will terminate the contract or stop our engagement with you. For example, if you do not provide your personal data necessary for the complaint procedure, we may not be able to handle your complaint.

In other cases, provision of your personal data is voluntary. If you don’t provide us with your personal data in such situations, we may not be able to carry out your request or achieve our goal. For example, if you do not share your contact details with us, we may not be able to contact you.

  1. Your rights

Under the Applicable Data Protection Law, you have rights including:

  • Your right of access - You have the right to ask us for copies of your personal data.
  • Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete data you think is incomplete.
  • Your right to erasure (right to be forgotten)- You have the right to ask us to erase your personal data in certain circumstances.
  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances.
  • Your right to data portability - You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances. This right applies where we use your data based on your consent or a contract and if the processing of your data is carried out by automated means.
  • Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances. You can do this at any time. If you raise an objection, we will stop using your personal data where the basis for processing is our legitimate interest. In exceptional circumstances, we may continue to use your data despite your objection. This exception does not apply when you object to the processing of data for direct marketing purposes, i.e., if you object to it, we will stop processing your personal data on this basis.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent. You can do this at any time. If you withdraw consent, we will stop using your personal data where the basis for processing is consent. Withdrawal of consent does not affect the lawfulness of processing your data based on consent before withdrawal.
  • Your right to lodge a complaint - You can lodge a complaint with the supervisory authority dealing with the protection of personal data. You can lodge such complaint with your local data protection authority.

Please note that due to the nature of the blockchain technology it may be technically impossible, depending on a blockchain protocol, to delete or correct any information recorded on-chain in a public blockchain network. As the blockchain technology operates on a decentralized network, we don’t have any control over such networks.

You don’t usually need to pay a fee to exercise your rights. If you make a request, we have one calendar month to respond to you. To make a data protection rights request, contact us using our contact details (Section 1.1.)

     

  1. Automated decision-making

We may use automated decision-making. This means that certain decisions about you which may produce legal effects concerning you or similarly significantly impact you (i.e. determine if you can use our Services) will be made solely by technological means without human involvement. Apart from such fully automated decisions, we may also use semi-automated decisions (i.e. made by us on the basis of results of an automated data collection and analysis).

  1. How automated decisions are made?

The KYC verification involves collecting your personal data from you and other sources (consult Section 1.3 of the Privacy Policy for more details on sources of your data). For example, we or our service providers may:

  • make automated checks of your personal data against the information in multiple databases, including sanction lists or lists of persons entrusted with prominent public functions (so-called “politically exposed persons”) to verify your presence in such databases and the authenticity of uploaded documents;
  • use geo-blocking to ensure that the Users from Restricted Countries cannot access the Platform and/or the Services;
  • use fraud detection and prevention systems, including systems detecting suspicious or malicious activity;
  • use so-called wallet screening to ensure that Crypto-Assets in the User’s Wallet do not originate and/or are not related to any Restricted Person or any other suspicious activity, such as money-laundering or other financial crime.

The results of such verification are then automatically checked against preset thresholds, conditions or other reasoning mechanisms implemented in our ICT Systems by us or our service providers acting on our behalf. If the results of such checks do not meet such thresholds or other requirements, your KYC verification result will be negative. For example, if you are listed on an international sanction list, you will not pass the KYC verification with positive result.

  1. What are the consequences of automated decisions?

The results of the KYC verification determine whether you can access and use Platform and/or Services.

If the results are positive, you will be able to access and use our Platform and/or Services.

If the results are negative, depending on a particular system employed by us you will be either:

  • automatically blocked from accessing and using our Platform and/or Services (for example, when we detect that you are trying to circumvent our requirements on Restricted Countries or Restricted Individuals);
  • flagged for manual review by us; depending on the result of the manual review, you may or may not be able to access and use our Platform and/or Services. Such manual review does not constitute an automated decision-making as the decision is made by a human.

  1. What are the grounds of processing?

Our use of automated individual decision-making is necessary for entering into, or performance of, a contract between you (the Customer) as we require our Customers to comply with our KYC Policy and other AML/CFT standards. This means that use of such automated decision-making tools is a contractual requirement under the Terms in order for you to access and use our Website and/or Services.

  1. Your rights

To exercise your right(s) contact us (please consult Section 1.1).

You have the following rights connected with automated decision-making:

  • right to contest the automated decision(s);
  • right to express your point of view in connection with such automated decision(s);
  • right to obtain human intervention as regards the automated decision-making process.

These rights are limited to decisions based solely on automated processing. This means you are not entitled to execute these rights in connection with semi-automated decision-making or where decisions are made solely by humans. You may use your other rights under the GDPR listed in Section 1.10 in such case.

  1. COOKIE NOTICE

  1. Introduction

This Cookie Policy describes how BREAD.GG (“BREAD”, “we”, “our” or “us”) stores or accesses information on your terminal device in connection with your use of the Platform or the Services.

  1. What are cookies?

Cookies are small text files installed on your device that collect information which, generally, facilitates use of the Platform and the Services. For example, cookies may remember your language preferences or other settings of your Internet browser. In most cases information used in connection with cookies is personal data. In such cases, the Privacy Notice applies to such personal data.

We mainly use our own cookies. We also use third-party cookies, i.e. cookies from a domain other than the domain of the visited website, primarily for analytical activities. We may also use other technologies similar to cookies, for example HTML5 local storage, Local Shared Objects. Where we refer to cookies in this Cookie Notice, we also mean such technologies.

  1. What cookies are used?

The cookies are used only when it is admissible by law. The following types of cookies are used in connection with your use of the Platform and the Services.

  1. Necessary cookies

The necessary cookies are a type of cookies that are required by the Platform and the Services to function properly. For example, these types of cookies are installed to recall your login sessions and privacy settings. They are set by us. They are mandatory because they are necessary for the provision of the Platform and the Services.

  1. Functional cookies (optional)

The functional cookies are a type of cookies that are used to improve the functionality of the Platform. For example, such cookies may be installed to remember your language preferences. They may be set by us or by third-party providers engaged by us. They are optional, so we use them only with your consent.

  1. Analytical cookies (optional)

The analytical cookies are a type of cookies that enable collecting information such as number of visits and traffic on the Platform for statistical purposes. For example, these types of cookies may be installed to analyse how you navigate the Platform to improve the performance of the Platform. They may be set by us or by third-party providers engaged by us. They are optional, so we use them only with your consent.

  1. Marketing cookies (optional)

Marketing cookies (optional) - marketing cookies are cookies that enable the collection of information about users of the Platform for advertising purposes. For example, such cookies may be installed by our partners in order to better tailor the advertisements displayed to you on other websites. These may be controlled by us or by our partners. Marketing cookies are optional, so they are only used with your consent.

  1. Description of the cookies

Each cookie has a specific provider responsible for the cookie (e.g. us or a third party), a specific purpose of use, and a maximum functioning period. If the provider of a cookies is a third party, such third party has access to such cookies. The duration of the operation of cookies depends on their type and purpose. In general, there are two types of cookies: session cookies and persistent cookies. Session cookies expire at the end of a given session. Persistent cookies are stored on the device for a longer period. They do not expire after the end of a given session. The maximum period after which our cookies expire is 12 months.

The following cookies are used in connection with your use of the Platform or the Services:

NECESSARY COOKIES

Cookie name

Purpose

Provider

Duration

csrf token

Security

Internal (BREAD)

Session

referral_code

Track and attribute referrals

Internal (BREAD)

Indefinite

session

Maintenance of authenticated session

Internal (BREAD)

Session

FUNCTIONAL COOKIES

Cookie name

Purpose

Provider

Duration

N/A

N/A

N/A

N/A

ANALYTICAL COOKIES

Cookie name

Purpose

Provider

Duration

Posthog

Analytics & user experience

Posthog.com

365 days

MARKETING COOKIES

Cookie name

Purpose

Provider

Duration

N/A

N/A

N/A

N/A

  1. Access of third parties to the cookies

We do not allow third parties to access cookies for which we are responsible unless it is necessary. For example, we may allow such access when it is necessary to perform third-party analytics services. In addition, some of our service providers’ solutions involve storing or accessing information on your end device, including the use of cookies.

  1. Your cookie choices

There are several ways in which you can manage cookies.

  1. Your consent

Optional cookies, for example advertising cookies, are used only with your consent. You can withdraw your consent at any time. You can do this through your cookie settings (Section 2.6.2) or through your browser settings (Section 2.6.3).

  1. Cookie settings

You can manage your cookie settings using our cookie management panel (click here). You can access the cookie management panel from the Platform. To do so, click the "Cookie Settings" link located in the footer at the bottom of the Platform. You can also access the cookie management panel by clicking the corresponding button on the cookie banner that appears at the bottom of the screen during your first visit to the Platform.

  1. Web browser

You can also manage cookies through your web browser. For example, you can delete all or some cookies from your device or block them. Please note that deleting or blocking cookies may cause the Platform or the Services to not function properly or to stop functioning altogether.

To manage cookies through your web browser, refer to the instructions provided by your browser provider. For example, some of such instructions for the relevant web browsers can be found on the websites of their operators: Microsoft (Internet Explorer, Edge), Google (Chrome), Apple (Safari), Mozilla (Firefox), Opera (Opera).

  1. Your rights related to personal data

You have rights related to your personal data as set forth in the Privacy Notice (Section 1.10).