Privacy Policy

Data Protection & Privacy Notice for InfinityBlockchain LLC

Effective Date: April 2026

1. Data Controller

Company: InfinityBlockchain LLC

Type: Limited Liability Company, Wyoming, USA

Address: 30 N Gould St STE R, Sheridan, WY 82801, United States

Email: contact@infinityblockchain.io

Website: infinityblockchain.io

Data Protection Contact

For all data protection inquiries, requests, or complaints, contact our designated data protection point of contact at privacy@infinityblockchain.io.

EU/EEA Representative (Art. 27 GDPR)

As InfinityBlockchain LLC is established outside the European Union and processes data of individuals within the EU/EEA, the Company has designated the following representative pursuant to Art. 27 GDPR:

InfinityBlockchain EU Representative
Email: eu-representative@infinityblockchain.io

EU/EEA data subjects may contact the EU Representative for any matters relating to the processing of their personal data and the exercise of their rights under the GDPR.

2. Data We Collect

2.1 Account Data

  • Email address, username, password (bcrypt hash — never plain text)
  • Referral code, account verification status

2.2 Profile Data

  • First name, last name, phone number
  • Street address, city, postal code, country (ISO-2)

2.3 Business Data (B2B)

  • Customer type, company name, VAT ID, company registration number

2.4 Payout & Financial Data

  • Payout method, bank details (IBAN/BIC), crypto wallet address, network, currency
  • Wallet balance, commission history, order history

2.5 Security & Authentication Data

  • 2FA status, TOTP secret (encrypted), backup codes, last login, IP addresses

2.6 KYC Data

  • KYC verification status and submitted documents

2.7 Referral & Affiliate Data

  • Parent referrer ID, referral network depth (Standard: 1 level; Affiliate Pro: up to 3 levels)
  • Affiliate Pro membership status, team bonus earnings, Token Participation records

2.8 IB Token Data

  • MetaMask wallet address provided for IB Token delivery
  • Investor eligibility status (Accredited Investor / Reg S confirmation)
  • Country of residence as selected at token purchase
  • Token purchase records, transaction amounts, delivery confirmation
  • Investor checkbox confirmation timestamp and IP address
  • Token Purchase Agreement acceptance record

2.9 IB Metaverse Mall Data — General

  • Avatar name and gender selection
  • Avatar customization settings (clothing style, clothing colors) — registered users only
  • Mall session data: entry time, session duration, areas visited
  • Interaction data: clicks on ads, shop visits, services accessed
  • Rental records: space type, rental period, uploaded content URLs, target URLs
  • Analytics data: click-through rates and interaction counts per rented space
  • Guest visitor data: display name entered, session duration, IP address

2.10 IB Metaverse Mall Data — Chat & Communication

  • Public chat messages (visible to all Mall visitors)
  • Private direct messages (visible only to sender and recipient)
  • Group room messages (visible only to invited group members)
  • Group room creation and membership records
  • Message timestamps and sender identifiers

2.11 IB Metaverse Mall Data — Face Photo (Biometric Data)

Important: Face photos uploaded for avatar display constitute biometric data under GDPR Art. 9 and applicable data protection laws. Processing of this data requires and is based on your explicit separate consent.

  • Face photo uploaded by registered user for avatar display purposes
  • The photo is mapped onto the user’s avatar face and visible to other Mall visitors
  • Processing basis: Explicit consent (GDPR Art. 9(2)(a))
  • The face photo is used exclusively for avatar display within the IB Metaverse Mall
  • The face photo is not shared with third parties, not used for advertising, and not processed for any other purpose
  • The face photo can be deleted at any time from avatar settings in the user’s dashboard
  • Upon deletion request, the photo is removed from our systems within 30 days

2.12 Account Status Data

  • Inactivity warning status, deactivation timestamp, account roles

3. How We Use Your Data

  • Account Management — Create and manage accounts, authenticate identity, provide support.
  • Affiliate Program — Track referrals, calculate commissions and team bonuses, manage referral network, process payouts.
  • Payment Processing — Process payments via Stripe and CoinPayments, execute payouts.
  • IB Token Administration — Verify investor eligibility, process token purchases, deliver tokens to MetaMask wallets, maintain purchase records for regulatory compliance.
  • Metaverse Mall — Manage Mall access, avatar display and customization, rental space management, chat services, analytics reporting.
  • Biometric Data (Face Photo) — Exclusively for avatar face display within the IB Metaverse Mall, based on explicit user consent.
  • Tax & Compliance — VAT validation, KYC, AML obligations, securities law compliance, regulatory requests.
  • Security — Fraud detection, 2FA, account monitoring.
  • Communication — Transactional emails including account verification, password reset, payout notifications, inactivity warnings, and invoice delivery on request. Depending on your email provider, transactional emails may occasionally be delivered to your spam or junk folder. If you do not receive an expected email within a few minutes, please check your spam or junk folder before contacting support.

4. Legal Basis for Processing

  • Contract Performance (Art. 6(1)(b) GDPR) — Account management, orders, commissions, payouts, token delivery, Mall rental management.
  • Legitimate Interest (Art. 6(1)(f) GDPR) — Security, fraud prevention, essential cookies, Mall moderation.
  • Legal Obligation (Art. 6(1)(c) GDPR) — Tax records, AML, securities law compliance, regulatory requests.
  • Consent (Art. 6(1)(a) GDPR) — Non-essential cookies, optional processing. Withdrawable at any time.
  • Explicit Consent (Art. 9(2)(a) GDPR) — Face photo processing for avatar display (biometric data). Withdrawable at any time by deleting the photo from avatar settings.

5. Cookies & Tracking

We use cookies for platform operation, including authentication, session management, and language preference. No analytics or marketing cookies are currently used. See our Cookie Policy for full details.

6. Third-Party Services

  • Stripe: PCI DSS Level 1 card payment processing. Card numbers never touch our servers.
  • CoinPayments: USDC cryptocurrency payment processing.
  • Geoapify / Nominatim: Address validation during registration. No personal identifiers included.
  • VIES API: EU VAT ID validation for B2B customers.
  • SMTP Email Service: Transactional email delivery.
  • BNB Smart Chain: Public blockchain for IB Token delivery. Wallet addresses and transaction hashes are publicly visible on-chain.
  • WebRTC Infrastructure (Mall): Powers the upcoming voice chat feature within the Mall. No audio data is stored by the Company; voice communication is peer-to-peer.

7. Data Retention

  • Active accounts — Duration of account relationship.
  • Inactivity — Warning at 180 days. Deactivation at 210 days.
  • Financial records — 7 years (BSA/tax compliance).
  • IB Token records — 7 years (securities law compliance).
  • Server logs — 90 days.
  • KYC documents (ID, passport, driver’s license, selfie) — retained for 10 years after end of customer relationship or account deletion, as required by the U.S. Bank Secrecy Act (31 CFR 1010.430) and EU Anti-Money Laundering Directives (AMLD5/6). Upon account deletion, KYC files are immediately moved to a restricted, non-public archive, detached from your account identity, and automatically deleted after the retention period expires. Legal basis: GDPR Art. 6(1)(c) (legal obligation).
  • Mall rental records — 7 years (tax/financial compliance).
  • Chat messages — Public chat retained up to 90 days for moderation. Private messages retained for duration of user relationship, deleted upon account deletion.
  • Face photo (biometric data) — Retained until user deletes it from avatar settings. Deleted within 30 days of deletion request. Immediately removed upon withdrawal of consent.
  • Deleted accounts — Personal data removed/anonymized within 30 days except where retention required by law.

8. Your Rights

  • Right of Access (Art. 15 GDPR) — Request a copy of data we hold.
  • Right to Rectification (Art. 16 GDPR) — Request correction of inaccurate data.
  • Right to Erasure & Account Self-Deletion (Art. 17 GDPR) — You may delete your account at any time through the account settings in your dashboard. Account deletion permanently removes or anonymizes your personal data in our active systems. However, under Art. 17(3)(b) GDPR the right to erasure does not apply where processing is necessary to comply with a legal obligation. In particular, your KYC documents (ID, passport, selfie) will be retained for 10 years after account deletion as required by the U.S. Bank Secrecy Act (31 CFR 1010.430) and EU Anti-Money Laundering Directives (AMLD5/6); during this period the files are held in a restricted, non-public archive and automatically deleted once the retention period ends. Tax-relevant records (orders, invoices, commissions) are retained in anonymized form for up to 10 years. Blockchain-recorded data (IB Token transactions) cannot be deleted due to the immutable nature of distributed ledgers; however, all off-chain linkage to your identity will be anonymized.
  • Right to Restriction (Art. 18 GDPR) — Request restriction of processing.
  • Right to Data Portability (Art. 20 GDPR) — Request data in structured format.
  • Right to Object (Art. 21 GDPR) — Object to processing based on legitimate interests.
  • Right to Withdraw Consent — For non-essential cookies and face photo processing: withdraw at any time without affecting prior processing.
  • Automated Decision-Making (Art. 22 GDPR) — Our AML monitoring systems may flag transactions automatically. No solely automated decisions with legal effect are made without human review. You have the right to obtain human intervention, express your point of view, and contest any automated assessment.

How to Exercise Your Rights

You may submit a data subject request by contacting us through any of the following methods:

  • Email: Send your request to contact@infinityblockchain.io or privacy@infinityblockchain.io. Please include “Data Subject Request” in the subject line and specify which right(s) you wish to exercise.
  • Postal Mail: InfinityBlockchain LLC, 30 N Gould St STE R, Sheridan, WY 82801, United States.
  • Identity Verification: To protect your privacy, we may need to verify your identity before processing your request. We may ask you to provide information that matches details we hold on file for your account.
  • Response Timeline: We will acknowledge your request within 7 business days and provide a substantive response within 30 days (one calendar month under GDPR). If additional time is required due to complexity or volume, we will notify you of an extension of up to two additional months in accordance with Art. 12(3) GDPR.
  • No Fee: Exercising your rights is free of charge. However, we may charge a reasonable administrative fee for manifestly unfounded or excessive requests, or refuse to act on such requests, as permitted by Art. 12(5) GDPR.
  • Authorized Agents: You may designate an authorized agent to submit a request on your behalf, subject to proper verification of the agent’s authority.

Blockchain Note: The right to erasure may be limited for data on public blockchain networks (IB Token transactions). Blockchain data is inherently immutable. We take all technically feasible steps to anonymize off-chain data.

9. Data Security

  • Passwords stored as bcrypt hashes. Never plain text.
  • 2FA via TOTP available and strongly recommended.
  • TOTP secrets are encrypted at rest. All data is transmitted over HTTPS/TLS.
  • Role-based access control (RBAC). JWT tokens for session management.
  • Face photos stored with restricted access and not accessible to general staff.
  • Regular security assessments conducted.
  • Our information security practices are aligned with ISO 27001 standards, including risk assessment, access controls, incident response procedures, and continuous improvement of security measures.
  • A Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR has been conducted for the processing of biometric data (face photos) within the IB Metaverse Mall.

10. International Data Transfers

InfinityBlockchain LLC is US-based. EU/EEA user data is transferred to and processed in the United States. We rely on the following transfer mechanisms to ensure adequate protection of personal data:

  • EU-US Data Privacy Framework (DPF) — Where applicable, we rely on the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework as recognized adequacy mechanisms for transatlantic data transfers. We monitor the status of these frameworks and will implement supplementary measures if required by regulatory developments.
  • Standard Contractual Clauses (SCCs) — As adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, applied to transfers between the Company and its EU/EEA-based service providers. SCCs serve as our primary safeguard for international transfers where the DPF does not apply.
  • Contractual Necessity — Where transfers are necessary for the performance of a contract between you and InfinityBlockchain LLC (Art. 49(1)(b) GDPR), such as account creation, payment processing, and service delivery.
  • Explicit Consent — Where you have explicitly consented to the transfer (Art. 49(1)(a) GDPR), such as face photo processing for the Metaverse Mall.

Our third-party processors (Stripe, CoinPayments) maintain their own data protection frameworks and certifications, including PCI DSS compliance for payment data. We conduct transfer impact assessments where required and implement supplementary technical and organizational measures to protect your data during international transfers.

11. Children’s Privacy

The Platform and Metaverse Mall are not directed at individuals under 18. We do not knowingly collect data from minors. Accounts of minors will be terminated and data deleted promptly.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information:

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete — You may request deletion of your personal information, subject to certain legal exceptions (e.g., compliance with legal obligations, completing transactions).
  • Right to Correct — You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale/Sharing — We do not sell your personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising. If this practice changes, we will provide a “Do Not Sell or Share My Personal Information” link.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Submit a Request

California residents may submit verifiable consumer requests by emailing privacy@infinityblockchain.io with the subject line “CCPA Request.” We will verify your identity before processing and respond within 45 days. You may also designate an authorized agent to make requests on your behalf.

13. UK Data Protection (UK GDPR)

If you are located in the United Kingdom, your personal data is also protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your rights under UK law mirror those under EU GDPR (see Section 8), including:

  • Right of access, rectification, erasure, and data portability
  • Right to object to processing and right to restrict processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk

UK Representative

In accordance with Art. 27 UK GDPR, our designated UK representative can be contacted at: uk-representative@infinityblockchain.io

International Transfers (UK)

Transfers of personal data from the UK to the US are safeguarded by the UK International Data Transfer Agreement (UK IDTA) or the EU SCCs with the UK Addendum, as approved by the ICO.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Regulatory Notification — Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR and UK GDPR. For US residents, notification will be made without unreasonable delay in accordance with applicable state breach notification laws, including Cal. Civ. Code § 1798.82 (California), N.Y. Gen. Bus. Law § 899-aa (New York), and Wyo. Stat. § 40-12-502 (Wyoming).
  • User Notification — Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via email and/or platform notification, describing the nature of the breach, the data concerned, and recommended protective measures.
  • Documentation — All breaches are documented in an internal breach register, including facts, effects, and remedial actions taken, in accordance with Art. 33(5) GDPR.

Data Protection Contact for Breach Inquiries

If you believe your personal data may have been compromised, or if you wish to report a suspected data breach, please contact our Data Protection Officer at privacy@infinityblockchain.io. You may also contact us at contact@infinityblockchain.io or write to InfinityBlockchain LLC, 30 N Gould St STE R, Sheridan, WY 82801, United States.

15. Marketing Communications & CAN-SPAM

We comply with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.) and applicable international email marketing regulations:

  • All marketing emails include a clear and conspicuous unsubscribe mechanism. Opt-out requests are honored within 10 business days.
  • Marketing emails are clearly identified as advertisements and include the Company’s valid physical postal address.
  • We do not use deceptive subject lines or false header information.
  • EU/EEA & UK Users: Marketing communications are sent only with prior explicit consent (opt-in) in accordance with Art. 7 GDPR and the ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC).

Transactional emails (order confirmations, security alerts, account notifications) are not considered marketing and may be sent without separate consent as they are necessary for the performance of our contract with you.

16. Changes to This Policy

Updates will be posted with a revised effective date. Material changes will be communicated via email or platform notification. Continued use constitutes acceptance.

17. Contact & Complaints

Company: InfinityBlockchain LLC

Email: contact@infinityblockchain.io

Address: 30 N Gould St STE R, Sheridan, WY 82801, United States

EU/EEA Users: You may lodge a complaint with your local data protection authority.