PRIVACY POLICY

Last Updated: 12 December 2025
Version: 1.4

1. GENERAL INFORMATION

1.1 Scope

This Privacy Policy explains how Tastenkunst GmbH ("we," "us," or "our") collects, uses, and protects personal data when you use:

The Eternl crypto wallet (Mobile App, Browser Extension, Web App).
The websites eternl.io, tastenkunst.com, and titanstaking.io.
Our Titan Staking pools.
Our social media profiles (X/Twitter, Telegram, Discord).
When you contact us via email or other channels for business or support inquiries.

1.2 Data Controller

The responsible party (Controller) for data processing under the General Data Protection Regulation (GDPR) is:

Tastenkunst GmbH
Hainstraße 11
04109 Leipzig
Germany
Email: info@tastenkunst.io

1.3 Core Privacy Principle (Self-Custody)

Eternl is a self-custody wallet.

We do not create user accounts.
We do not store your private keys or seed phrases.
We do not have access to your funds.

Most data generated by your use of the Software is stored locally on your device or on the respective blockchain network. We do not maintain a central database of user profiles.

2. DATA COLLECTION AND PROCESSING

2.1 Access to Terminal Equipment (TDDDG)

The Eternl Software stores data (e.g., encrypted private keys, settings, address books) locally in the storage of your end device (Local Storage, IndexedDB, Keychain). This storage is absolutely necessary for the provision of the telemedia service explicitly requested by you (the Wallet functionality).

Legal Basis: § 25 Para. 2 No. 2 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz). No consent (Cookie Banner) is required for this strictly necessary functional storage.

2.2 Infrastructure and Hosting

To provide our services, we use third-party infrastructure providers.

Hosting (Frontend/Backend): We use Salesforce (Heroku) and Dedicated Bare Metal Servers to host the Eternl frontend and backend services. Servers are located in Germany and the United States.
Content Delivery & Security (CDN): We use Cloudflare to optimize load times and protect our infrastructure against attacks (DDoS). Cloudflare acts as a reverse proxy; traffic passes through Cloudflare's network.

Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest). This processing is strictly necessary to maintain the availability, speed, and security of our services.

2.3 RPC Nodes and Wallet Interaction

To display your balance and broadcast transactions, the Software communicates with blockchain nodes.

Data Processed: Your IP address, metadata (User Agent, App Version), and public wallet address/transaction data.
Purpose: Reading blockchain state and executing commands.
Storage: We do not permanently store IP addresses linked to wallet addresses. Server logs used for technical debugging and security monitoring (e.g., DDoS prevention) are retained for a maximum of 14 days and then automatically deleted.

Legal Basis: Art. 6(1)(b) GDPR (Performance of Contract) and Art. 6(1)(f) GDPR (Legitimate Interest in network integrity).

2.4 Blockchain Data (Ledger Information)

Warning regarding Public Blockchains:
For most networks supported by the Software (e.g., Cardano), transactions you sign are broadcast to a public ledger.

Public Nature: Data written to these blockchains (wallet addresses, transaction amounts, metadata, NFTs) is public, immutable, and distributed globally.
No Deletion: Due to the nature of the blockchain, Tastenkunst cannot change or delete this data. The GDPR "Right to Erasure" does not apply to the immutable ledger as deletion is technically impossible (Art. 17(3)(b) GDPR).

Note regarding Privacy-Preserving Networks (e.g., Midnight):
If the Software supports privacy-focused partner chains (such as Midnight), different rules regarding visibility apply:

Selective Disclosure: Data on these networks may be encrypted by default. You retain control over who can view your transaction details via specific proofs or viewing keys.
Controller Access: Tastenkunst does not have access to your encrypted transaction data unless you explicitly choose to disclose it to us. However, the encrypted data remains immutably stored on the ledger.

2.5 Contact and Communication (Support & Business)

If you contact us via email, social platforms, or mail (whether for user support, business inquiries, job applications, or general contact):

Data: We process your contact details (e.g., email address, name), metadata of the communication, and the content of your message.
Purpose: To process your inquiry, provide support, or initiate/fulfill business relationships (B2B).
Retention: We retain this data until the request is resolved. However, commercial and business correspondence (e.g., emails regarding transactions, invoices, partnership agreements) is archived for 6 or 10 years in accordance with statutory retention periods (§ 257 HGB, § 147 AO).

Legal Basis:

User Support: Art. 6(1)(b) GDPR (Performance of Contract).
Business Inquiries: Art. 6(1)(b) GDPR (Pre-contractual measures) or Art. 6(1)(f) GDPR (Legitimate Interest in effective business communication).
Retention: Art. 6(1)(c) GDPR (Legal Obligation).

2.6 Push Notifications (planned for 2026)

If we introduce optional push notifications (e.g., transaction alerts), we will process a device token (e.g., an Apple Push Notification Service (APNs) token or Firebase Cloud Messaging (FCM) token) and the notification content needed to deliver the notification. The legal basis will generally be your consent (Art. 6(1)(a) GDPR) and, where applicable, § 25 TDDDG for storing/accessing information on your device. You can withdraw consent at any time in the app settings or in your device settings.

We will use push notification providers only as processors under Art. 28 GDPR and only to transmit the notification to your device.

2.7 Delegate Messaging (planned for 2026)

If we introduce an optional messaging system that allows DReps and stake pool operators (SPOs) to send messages to their delegates, we expect messages to be published on the Cardano blockchain as transaction metadata (i.e., public, immutable ledger data). In that case, Tastenkunst processes this data to display, filter, and search messages in the app and (where applicable) to route message-related requests through our backend.

Please note:

(a) Public and immutable: message content and associated addresses may be publicly visible on the blockchain and cannot be deleted from the ledger.
(b) Personal data: depending on context, public addresses and message content may still constitute personal data under GDPR (e.g., if linked to an identifiable person).
(c) Roles: The sender (DRep/SPO) is typically the controller for the decision to publish specific message content. Tastenkunst is a controller for the processing performed by the Software and our backend to retrieve, index, and present messages.

If we introduce additional off-chain features (e.g., message delivery preferences, opt-outs, or push alerts), we will update this Privacy Policy and, where required, request your consent.

3. THIRD-PARTY SERVICES AND INTEGRATIONS

3.1 On-Ramp/Off-Ramp Providers

Features linking to third parties (e.g., Transak, Guardarian, Mercuryo) involve a direct relationship between you and the provider. We do not receive sensitive financial data or KYC documents. We may view pseudonymized transaction summaries for commission purposes.

3.2 DEX Aggregators (MonsterSwap)

If you use the Swap feature, the app uses third-party DEX aggregators. Your device sends quote and transaction-build requests to our backend service, and our backend forwards requests to the integrated aggregator APIs. This means the aggregators generally see the IP address of our server (not your personal IP address).

Data Shared: Depending on the swap and the aggregator, we forward technical trade parameters (e.g., assets, amounts, slippage settings) and your public wallet address (required for transaction construction). The selected aggregator returns an unsigned transaction (or transaction data), which is relayed back to your device for your review and signature.

Roles: The third-party aggregators and underlying DEX protocols act as independent controllers for their own processing. Tastenkunst acts as a controller for the relay/selection processing performed by our backend (e.g., selecting the best quote and relaying the unsigned transaction).

3.3 Affiliate Links

Clicking affiliate links (e.g., Ledger, Trezor) redirects you to the vendor. We do not receive personal purchase details, only aggregated commission statistics.

3.4 Platform Providers and App Stores (Apple, Google, Microsoft, Browser Stores)

Where you obtain or use the Software via a platform provider (such as Apple App Store, Google Play, Microsoft Store, browser extension stores, or a mobile/desktop operating system), the platform provider may process certain information independently under its own privacy policy. Examples can include device identifiers, installation and update information, store diagnostics, and billing or subscription records for in-app purchases.

Tastenkunst does not control such processing by platform providers. Depending on the platform and your settings, Tastenkunst may receive limited information (for example, a purchase confirmation, refund status, or aggregated download metrics) to operate paid features and provide customer support.

You can consult the relevant platform provider’s privacy documentation and, where offered, adjust platform privacy/diagnostics settings; however, we cannot opt you out of processing that the platform provider performs as an independent controller.

4. TITAN STAKING

If you delegate to our TITAN stake pools, your stake address and delegation amount are publicly visible on the blockchain. We do not process this data off-chain to identify natural persons unless you voluntarily disclose your identity.

5. SOCIAL MEDIA PRESENCE

We maintain profiles on social media platforms such as X (Twitter), Discord, and Telegram to communicate with the community.

5.1 Independent Controllers

When you visit or interact with our social media profiles, the respective platform provider processes personal data under its own responsibility and according to its own privacy rules (independent controller). We have limited influence over the platform’s processing (e.g., tracking, analytics, or advertising).

5.2 Joint Controllership (only where applicable)

For certain platform features (for example, analytics/insights tools provided by the platform operator), the platform operator and we may be considered joint controllers within the meaning of Art. 26 GDPR for those specific processing operations. Where such joint controllership applies, the platform operator typically provides the primary information about data processing and offers the relevant rights mechanisms. In such cases, you may exercise your rights either with us or with the platform operator.

5.3 Data We Process

If you contact us via social media (e.g., direct message, mention), we process the content of your message and your publicly visible profile information to respond and for documentation purposes. The legal basis is Art. 6(1)(b) GDPR (pre-contractual/contractual communication) or Art. 6(1)(f) GDPR (legitimate interests in communication and support).

6. INTERNATIONAL TRANSFERS

Some of our providers (Heroku, Cloudflare) are US-based.

Data Privacy Framework: To the extent these providers are certified under the EU-US Data Privacy Framework (DPF), data transfers are based on the adequacy decision of the EU Commission.
Standard Contractual Clauses: Alternatively, we utilize Standard Contractual Clauses (SCCs) to ensure a level of data protection comparable to EU standards.

7. YOUR RIGHTS (GDPR & EU DATA ACT)

You have the following rights:

Access (Art. 15 GDPR): Request information about data we hold.
Correction (Art. 16 GDPR): Request correction of inaccurate data.
Deletion (Art. 17 GDPR): Request deletion (subject to blockchain immutability and statutory retention laws).
Data Portability (Art. 20 GDPR & EU Data Act): You have the right to receive data you provided to us. Under the EU Data Act, you also have the right to access and use data generated by your use of the product (Usage Data). As this data is stored locally on your device or publicly on the chain, you effectively possess this data at all times.
Objection (Art. 21 GDPR): You may object to processing based on "Legitimate Interest" (e.g., server logs).

To exercise these rights, please contact: info@tastenkunst.io

Right to Lodge a Complaint:
If you believe that our processing of your personal data violates data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence. The supervisory authority responsible for us is:
Sächsischer Datenschutzbeauftragter (Saxon Data Protection Commissioner), Dresden, Germany.

8. NOTICE TO US RESIDENTS (CCPA/CPRA)

Although we are a German company, for users in the United States, the following applies:
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We collect data solely for the functionality of the Software (Business Purpose). You have the right to request access to or deletion of your specific personal information, subject to the technical limitations of the blockchain.

9. DATA SECURITY

We implement technical and organizational measures (TOMs), including:

Local encryption of private keys.
TLS/SSL encryption for data in transit.
Strict minimization of data collection ("Privacy by Design").

10. CHANGES TO THIS POLICY

We may update this Privacy Policy to reflect changes in our processing, the Software, or legal requirements. The current version will always be available on our website and, where appropriate, in the Software.

If we make material changes (e.g., introducing new categories of processing such as push notifications or messaging features), we will provide an appropriate notice before the changes take effect and, where required by law, obtain your consent.