GDPR Compliance | Unipoly Chain

Introduction & Scope

This GDPR Compliance Policy applies to all users of the Unipoly Chain ecosystem, including but not limited to: the Unipoly Chain blockchain platform, UniTribe social platform, UniTube video platform, Kuki Games, UniHunt location-based gaming, Creator Studio (UCE), Gabby Birds, Digital Banking services, OCAP (On-Chain Agreement Protocol), and the Unipoly Wallet.

Unipoly Chain ("we", "us", "our") acts as the Data Controller for personal data collected through our websites and services. This policy describes how we collect, process, store, and protect your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation).

Data Controller: Unipoly Chain Ltd., registered in Dubai, United Arab Emirates. Contact: privacy@unpchain.com

Legal Basis for Processing

We process personal data only when we have a valid legal basis under GDPR Article 6. The legal bases we rely on include:

Consent (Art. 6(1)(a)): Where you have given clear, informed consent for a specific purpose — e.g., marketing emails, cookie tracking, analytics.
Contract Performance (Art. 6(1)(b)): Where processing is necessary to provide services you have requested — e.g., wallet creation, account management, OCAP agreement execution.
Legal Obligation (Art. 6(1)(c)): Where we must process data to comply with applicable laws — e.g., anti-money-laundering (AML) and know-your-customer (KYC) requirements.
Legitimate Interest (Art. 6(1)(f)): Where we have a legitimate business reason that does not override your rights — e.g., fraud prevention, platform security, service improvement.

Data We Collect

We may collect and process the following categories of personal data:

Category	Data Types	Purpose
Identity Data	Name, username, email address	Account creation & authentication
Contact Data	Email, phone number (optional)	Communication & support
Technical Data	IP address, browser type, device info, OS	Security, analytics & optimization
Usage Data	Pages visited, features used, session duration	Service improvement
Transaction Data	Wallet addresses, transaction hashes	Blockchain service execution
KYC Data	Government ID, proof of address (banking only)	Regulatory compliance
Cookie Data	Preferences, session tokens, analytics cookies	Website functionality & analytics

Special Note on Blockchain Data: Wallet addresses and on-chain transactions are publicly visible on the blockchain by design. This data is immutable and cannot be deleted from the blockchain. We do not link wallet addresses to personal identity unless required for KYC/AML compliance.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. We are committed to fulfilling requests within 30 days:

Right of Access (Art. 15): Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling and direct marketing.
Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time for processing based on consent, without affecting prior processing legality.
Right to Lodge a Complaint: File a complaint with your local EU/EEA Data Protection Authority (DPA).

To exercise any of these rights, contact our Data Protection Officer at privacy@unpchain.com. Include your full name, account email, and the specific right you wish to exercise.

Cookies & Tracking

We use cookies and similar tracking technologies to operate our services, analyze traffic, and improve user experience. Cookies are categorized as follows:

Strictly Necessary Cookies: Essential for website functionality (e.g., session management, security tokens). These cannot be disabled.
Analytics Cookies: Help us understand how visitors interact with our website (e.g., page views, navigation patterns). Only activated with your consent.
Functional Cookies: Remember your preferences (e.g., language, theme settings). Activated with your consent.
Marketing Cookies: Used to deliver relevant advertisements. Only activated with your explicit consent.

You can manage your cookie preferences at any time through our cookie consent banner or by adjusting your browser settings. For more details, see our Privacy Policy.

Data Security Measures

We implement industry-standard technical and organizational measures to protect your personal data:

Encryption: All data in transit is encrypted using TLS 1.3. Sensitive data at rest is encrypted using AES-256.
Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access personal data.
Infrastructure: Hosted on enterprise-grade cloud infrastructure with SOC 2 compliance, regular security audits, and DDoS protection.
Monitoring: 24/7 security monitoring, intrusion detection systems, and automated threat response.
Incident Response: Documented data breach notification procedures in compliance with GDPR Article 33 (72-hour notification requirement).

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account Data: Retained for the duration of your account plus 12 months after deletion request, unless legal obligations require longer retention.
Transaction Records: Retained for 5 years in accordance with financial regulatory requirements and AML/CFT obligations.
Analytics Data: Anonymized after 26 months from collection.
KYC/AML Data: Retained for 5—7 years as required by applicable financial regulations.
Support Tickets: Retained for 24 months after resolution.
Cookie Data: Session cookies expire when you close your browser. Persistent cookies expire after a maximum of 12 months.

International Data Transfers

Unipoly Chain operates globally. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure adequate safeguards are in place:

Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with all non-EEA service providers.
Adequacy Decisions: Where applicable, we transfer data to countries with an EU adequacy decision.
Data Processing Agreements: All third-party processors are bound by GDPR-compliant processing agreements.

Third-Party Data Processors

We work with carefully selected third-party service providers who process personal data on our behalf. All processors are required to comply with GDPR and are bound by Data Processing Agreements (DPAs). Categories of processors include:

Cloud hosting providers — infrastructure and data storage.
Analytics services — anonymized usage analytics (only with your consent).
KYC/AML verification providers — identity verification for regulated services.
Email service providers — transactional and marketing emails (with consent).
Payment processors — fiat-to-crypto payment services.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

Children's Data Protection

Unipoly Chain services are not intended for individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from children.

If we discover that we have inadvertently collected data from a minor, we will promptly delete the data and terminate the associated account. If you believe a child has provided us with personal data, please contact us immediately at privacy@unpchain.com.

Blockchain-Specific GDPR Considerations

Due to the immutable nature of blockchain technology, certain data recorded on-chain cannot be modified or deleted. We address this through:

Minimization: We store the absolute minimum personal data on-chain. Sensitive personal data is stored off-chain in encrypted, deletable databases.
Pseudonymization: On-chain data uses wallet addresses (pseudonymous identifiers) rather than personal identity information.
Off-Chain Linking: Any link between wallet addresses and personal identity is stored off-chain and can be deleted upon request.
Smart Contract Design: OCAP smart contracts are designed to store agreement terms and evidence hashes on-chain, while personal data remains off-chain.

Right to Erasure & Blockchain: While on-chain data is immutable by design, we can delete all off-chain personal data and sever the link between your identity and your wallet address, effectively anonymizing your on-chain footprint.

Data Breach Notification

In the event of a personal data breach, we will:

Notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach (per GDPR Article 33).
Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (per GDPR Article 34).
Document the breach, its effects, and the remedial actions taken in our internal breach register.

Updates to This Policy

We may update this GDPR Compliance Policy from time to time to reflect changes in our data processing practices, legal requirements, or services offered. Any material changes will be communicated through:

A prominent notice on our website.
Email notification to registered users (for significant changes).
Updated revision date at the top of this page.

Continued use of our services after changes constitutes acceptance of the updated policy.

Contact & Data Protection Officer

For any GDPR-related inquiries, data subject access requests, or to exercise your rights, please contact us:

Data Protection Officer
Email: privacy@unpchain.com
Unipoly Chain Ltd., Dubai, United Arab Emirates

Visit unitribe.app for community support and inquiries.