GX Coin Protocol
Privacy Notice
How GX Coin Protocol Foundation handles the personal information you submit through pre-registration and contact forms on gxcoin.money.
Effective date: 23 April 2026. Last updated: 23 April 2026.
Summary at a glance
- Controller: GXC Protocol Foundation, a non-profit foundation registered in Zug, Switzerland.
- What: Name, email, country, and audience-specific fields (for business, non-profit, and government pre-registration), plus IP address and user agent for security.
- Basis: Your consent for marketing; our legitimate interest for institutional follow-up and fraud prevention.
- Retention: 12 to 36 months depending on audience, with automated deletion. Security logs kept 90 days.
- Rights: Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent at any time.
- Contact: [email protected].
1. Who we are (Controller identity)
The data controller for personal information collected through gxcoin.money is the GXC Protocol Foundation, a non-profit foundation established and registered in Zug, Switzerland. The Foundation is the single controller for all pre-registration and contact-form processing described in this notice. This is not a joint controllership arrangement.
For any question about how we handle your personal information, write to our privacy contact at [email protected]. Postal enquiries may be addressed to the Foundation at its registered office in Zug. The full postal address is provided on request.
GXC Protocol PTE LTD, a related operational entity incorporated in Singapore, does not receive any personal data submitted through pre-registration or the contact forms on this website. It is mentioned here for transparency and disambiguation only.
The Foundation has not appointed a statutory Data Protection Officer because its core activities do not require one under Article 37 GDPR. The privacy contact above is the single operational point of contact for all data-protection matters.
2. What personal data we collect
We collect only what is necessary for the specific interaction you initiate. The fields collected depend on the audience-specific form you submit.
| Audience | Fields collected |
|---|---|
| Individual | Name, email, country of residence. |
| Business | Name, email, country, organisation name, organisation type, industry, employee band, your role, use case. |
| Non-profit organisation | Name, email, country, organisation name, mission area, constituency served, your role, use case. |
| Government | Name, email, country, agency name, jurisdiction level, department, your role, procurement interest, inquiry summary. |
In addition, for every submission, we automatically record the following for security, fraud prevention, and attribution purposes:
- IP address, for rate limiting and abuse detection.
- User-agent string, for bot detection.
- Submission timestamp, for audit and retention calculations.
- UTM source / referrer, for marketing attribution. Recorded only where you have given cookie or analytics consent.
We do not collect special-category data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sexual orientation) through this website. Pre-registration does not require national identity documents, payment details, or government-issued numbers.
3. Why we collect it (Purposes)
Personal data submitted through this website is processed for three distinct purposes. Each has its own legal basis, described in section 4.
- Pre-registration storage. We record your interest so that we can contact you when the protocol activates in your jurisdiction. This is a pre-contractual engagement: you have asked to be considered for future participation, and we keep your record to honour that request.
- Activation update emails. With your consent, we send periodic emails about activation milestones, jurisdiction roll-out, and participant readiness. You may unsubscribe from every email, and your withdrawal takes effect immediately.
- Institutional follow-up. For business, non-profit, and government submissions, a member of our stewardship team may contact you within the consent window you declared, to discuss your use case or respond to a procurement interest you have indicated. This is not bulk marketing. You may object to this follow-up at any time.
4. Legal basis
We rely on the following legal bases under the EU General Data Protection Regulation (GDPR):
- Consent, Art. 6(1)(a) GDPR, for all marketing communications and activation update emails. Consent is opt-in, granular, and freely withdrawable.
- Legitimate interest, Art. 6(1)(f) GDPR, for institutional follow-up within the consent window you declared. Our legitimate interest is to respond to an active enquiry you have initiated. We have performed a balancing test; it is documented and available on request.
- Legitimate interest, Art. 6(1)(f) GDPR, for recording IP addresses and user-agent strings for security, fraud prevention, and abuse detection. Our interest is maintaining the integrity of the service and of our participant register.
Where processing relies on consent, you have an unconditional right to withdraw it at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR).
5. Who sees your data (Recipients)
Your personal data is accessible to authorised members of the stewardship team of GXC Protocol Foundation, and to a small set of named processors acting on our instructions under Article 28 GDPR.
- GXC Protocol Foundation (internal). Stewardship team members in Switzerland, on a need-to-know basis, bound by confidentiality.
- Hostinger International Ltd. (Germany). Primary database hosting. Your pre-registration record is stored on a PostgreSQL instance in a Hostinger data centre inside the European Union. Processor under Art. 28 GDPR.
- Google LLC (United States). Operational stakeholder access via Google Sheets. A mirrored view of pre-registration submissions is exported to a restricted-access Google Sheet so that operational team members can triage enquiries. Processor under Art. 28 GDPR. Google is certified under the EU-US Data Privacy Framework as of 10 July 2023.
- Resend, Inc. (United States, with EU region available). Transactional email delivery (double opt-in confirmations, activation update emails). Processor under Art. 28 GDPR. Transfers to Resend are governed by Standard Contractual Clauses (SCCs) under Commission Decision 2021/914, module 2 (controller to processor), pending verification of Resend's Data Privacy Framework certification status at the time of writing.
We do not sell personal data. We do not share it for cross-context behavioural advertising. We do not use your submission to build profiles for any third party.
In the rare event that a competent authority lawfully compels disclosure (for example, a court order), we will comply to the minimum extent required and, where permitted, notify the affected participant.
6. Cross-border transfers
Your personal data is primarily stored on infrastructure located inside the European Union (Hostinger, Germany). Two of our processors, Google and Resend, are established in the United States and may process personal data there. These constitute transfers of personal data outside the European Economic Area and outside Switzerland.
We rely on the following transfer mechanisms:
- Google LLC: EU-US Data Privacy Framework adequacy decision of 10 July 2023. Google LLC is an active certified participant. The Swiss-US Data Privacy Framework provides an equivalent basis for transfers from Switzerland.
- Resend, Inc.: Standard Contractual Clauses (Commission Decision 2021/914, module 2), with supplementary technical and organisational measures including encryption in transit, encryption at rest, and access minimisation. DPF certification, if and when completed, will supersede SCCs as the transfer mechanism and this notice will be updated.
A Transfer Impact Assessment has been conducted for both processors in line with the Court of Justice ruling in Schrems II (C-311/18) and the European Data Protection Board's Recommendations 01/2020 on supplementary measures. The assessment examines US surveillance law, the redress mechanisms created by Executive Order 14086, and the technical and contractual safeguards that apply.
You may request a copy of the Standard Contractual Clauses, the Transfer Impact Assessment summary, or the list of supplementary measures, by writing to [email protected].
7. How long we keep it (Retention)
We keep personal data only as long as necessary for the purpose it was collected. Retention periods differ by audience because the follow-up timeline differs.
| Audience or record type | Retention period |
|---|---|
| Individual | 12 months from confirmation, or 90 days after protocol activation in your jurisdiction, whichever is later. |
| Business | 24 months from confirmation. |
| Non-profit organisation | 24 months from confirmation. |
| Government | 24 months by default, extendable to 36 months only with explicit re-consent obtained at the 20-month mark. |
| IP address and user agent (security log) | 90 days. |
Retention is enforced by an automated background job. When the retention period ends, the record is hard-deleted from our PostgreSQL database, the corresponding row is removed from the operational Google Sheet, and the contact is purged from the Resend audience. Deletion is logged for accountability; the log records the deletion event but no longer contains the personal data itself.
You can shorten any of these periods by exercising your right to erasure (see section 8) at any time.
8. Your rights
Under the GDPR and Swiss data-protection law, you hold the following rights in respect of your personal data. We will respond to every reasonable request within the time limits prescribed by law.
- Right of access, Art. 15 GDPR. You may request confirmation of whether we hold personal data about you, a copy of the data, and information about how we process it.
- Right to rectification, Art. 16 GDPR. You may request correction of inaccurate data and completion of incomplete data.
- Right to erasure, Art. 17 GDPR. Also known as the right to be forgotten. When you request erasure we perform a fan-out deletion across PostgreSQL, the operational Google Sheet, and the Resend contact list, in a single coordinated operation.
- Right to restriction of processing, Art. 18 GDPR. You may ask us to pause processing while a dispute, correction, or objection is resolved.
- Right to data portability, Art. 20 GDPR. For data you have provided to us, you may request an export in a structured, commonly used, machine-readable format. We provide JSON exports.
- Right to object, Art. 21 GDPR. You may object to processing based on legitimate interest, including institutional follow-up. For direct marketing, your objection is absolute and takes effect immediately.
- Right to withdraw consent, Art. 7(3) GDPR. Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint with a supervisory authority. If you are resident in Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC). If you are resident in the European Economic Area or the United Kingdom, you may complain to your local Data Protection Authority, or to the lead authority under the one-stop-shop mechanism where applicable.
9. How to exercise your rights
Send an email to [email protected] from the address you used to pre-register, stating clearly which right you wish to exercise. A short sentence is enough; you do not need to cite articles or provide legal reasoning.
We respond within 30 days, in line with Art. 12(3) GDPR. Where a request is complex or where we have received a high volume of requests, we may extend this by a further two months and will inform you of the extension within the initial 30-day window.
We do not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may either charge a reasonable fee to cover our administrative costs or refuse to act on it, and we will always tell you which and explain why.
For identity verification, we normally rely on the email address on the account. In cases where the context requires stronger verification (for example, a disputed erasure request), we may ask for a minimum amount of additional confirmation.
10. Automated decision-making
Pre-registration does not involve automated decision-making or profiling within the meaning of Art. 22 GDPR. We do not rank, score, or filter submissions through any automated process that produces a legal or similarly significant effect. A human reviews every institutional enquiry.
The only automated processes applied to your submission are technical: duplicate detection against existing records, bot screening through Cloudflare Turnstile, and deliverability checks on the email address you provide. None of these produce decisions about you in the sense contemplated by Art. 22.
11. Children
The pre-registration service is not directed at persons under the age of 16. If you are under 16, please do not submit personal data through this website.
Every pre-registration form contains an age-affirmation checkbox. Submission is blocked unless you confirm you are at least 16 years old. If we become aware that we have inadvertently collected personal data from a person under 16, we will delete the record without delay.
The protocol itself, when activated, will be available to adult participants only, as defined by the activation rules in your jurisdiction. Those rules are separate from this website and are published with the relevant protocol specifications.
12. Security
We protect your personal data with a defence-in-depth combination of technical and organisational measures.
Technical measures.
- TLS encryption for all data in transit, enforced with HSTS.
- Encryption at rest for the PostgreSQL database.
- HMAC-signed confirmation tokens for double opt-in, with a single-use server-side burn on verification to prevent replay attacks.
- Per-IP and per-endpoint rate limiting to prevent enumeration and abuse of the submission endpoint.
- Cloudflare Turnstile for bot detection, selected because it does not track users across sites.
- Audit logging of administrative actions against the participant register.
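The double opt-in token measure listed above, sketched as an added example (not the Foundation's own code): an HMAC-SHA-256 signed token that is burned server-side on first successful verification, so a replayed link is rejected. The function names, the 24-hour lifetime, and the in-memory store standing in for a database table are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)   # assumption: per-deployment signing key
TOKEN_TTL = 24 * 3600                  # assumption: the notice states no lifetime
_pending = {}                          # nonce -> email; stand-in for a DB table

def _sign(payload: str) -> str:
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def issue_token(email: str, now=None) -> str:
    """Create a signed confirmation token and record it as pending."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # unguessable, contains no '.'
    _pending[nonce] = email
    payload = f"{nonce}.{now + TOKEN_TTL}"
    return f"{payload}.{_sign(payload)}"

def confirm(token: str, now=None):
    """Return the confirmed email, or None if forged, expired or reused."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expiry, sig = token.split(".")
        expires_at = int(expiry)
    except ValueError:
        return None                    # malformed token
    expected = _sign(f"{nonce}.{expiry}")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                    # signature mismatch: leave state untouched
    if now > expires_at:
        _pending.pop(nonce, None)      # expired: discard the pending record
        return None
    # Single-use burn: pop removes the record, so a replay finds nothing.
    # With a real database this must be one atomic delete-and-return.
    return _pending.pop(nonce, None)
```

The signature is checked before any state changes, so a forged or altered link cannot burn a legitimate pending confirmation.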
Organisational measures.
- Access to participant data is restricted to named stewardship team members on a need-to-know basis.
- Confidentiality obligations are included in every engagement with our processors.
- Incident response procedures are documented and rehearsed. Material incidents trigger notification consistent with Art. 33 and 34 GDPR.
No system is perfectly secure. If you become aware of a vulnerability in our handling of personal data, please report it confidentially to [email protected].
13. Changes to this notice
We may revise this notice to reflect changes in our processing activities, in the law, or in regulatory guidance. The effective date at the top records when the most recent version took effect.
For material changes, we will notify existing pre-registered participants by email at least 30 days before the new version takes effect. Minor clarifications, corrections of typographical errors, and updates to contact details may be made without prior notice.
Previous versions of this notice are retained and available on request. Write to [email protected] to obtain a copy of any prior version.