Responsible for the editing and processing of this website
Subsquid Labs GmbH
c/o Wadsack Zug AG
Bahnhofstrasse 7
6300 Zug
Switzerland
Version 1.0
Last update: 19.06.2023
This Privacy Policy describes how Subsquid Labs GmbH (also “Subsquid”, “we”, “our” or “us”) collects, protects, and processes your personal data. This Privacy Policy is not necessarily a comprehensive description of our data processing. It is possible that other privacy policies, terms and conditions, forms or other notices may apply to specific circumstances. We use the word “data” here interchangeably with “personal data”.
If you provide information to us about any person other than yourself, you must ensure that the data is accurate and that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.
This Privacy Policy is aligned with the EU General Data Protection Regulation (“GDPR”), the Swiss Data Protection Act (“DPA”) and the revised Swiss Data Protection Act (“revDPA”). However, the application of these laws depends on each individual case.
The responsible person for processing your data under this Privacy Policy (“Controller”) is: Subsquid Labs GmbH, c/o Wadsack Zug AG, Bahnhofstrasse 7, 6300 Zug, Switzerland, unless we tell you otherwise in an individual case. You may contact us regarding data protection matters and to exercise your rights at: dataprotection@subsquid.io.
Our Data Protection Representative in the European Union (EU) according to art. 27 GDPR is: Oliver Fohrmann, Karl-Marx-Allee 63, 10234 Berlin, Germany.
The processing of personal data is limited to the data required for the functioning of our websites or apps and for providing content, products, and services. We process personal data based on agreed purposes or legal grounds. We only collect necessary personal data for implementing and processing our tasks and services, or if you provide the data voluntarily. The specific data we process about you depends on the reason and purpose of the processing.
We process personal data obtained from our clients, business partners, and individuals with whom we have a business relationship. We also collect personal data from users while operating our websites, apps and other applications.
The categories of data you provided us directly and the categories of data we receive about you from third parties include, but are not limited to:
Technical data: IP address; information about the operating system of your terminal device; cookies; name and URL of any visited page; amount of data transferred; date and time of access; websites that are accessed via our website; websites from which any access takes place; type of browser; name of your internet provider; logs etc.
Registration data: contact details when you subscribe to our newsletter etc.
User account data: username; real name; bio; (avatar) photo; contact details; blockchain address; wallet type; user-ID etc.
Communication data: data provided via contact form, email, telephone, chat, by letter or any other means of communication; data collected for identification purposes etc.
Master data / data for the performance of our contractual and other business relationships or for marketing and promotional purposes: name; address; email address; telephone number; gender; date of birth; nationality; data about related persons; websites; other contact details; role and function; payment information; customer history; photos and videos; copies of ID cards; details of your relationship with us; official documents; powers of attorney; signature authorizations; declarations of consent and opt-out information; blockchain address and transaction information etc.
Contract data: information about the conclusion of the contract; information about the contract itself; information about the performance and administration of the contracts; information about deficiencies, complaints and changes of a contract; customer satisfaction information that we may collect through surveys; financial data etc.
Behavioural and preference data: information about user behaviour on our websites and apps; information about user engagement with our products and services; information about your response to electronic communications; information about your location; information about your interaction with our social media profiles (Twitter, Telegram, Discord, LinkedIn, Medium, YouTube) etc.
Other data: data received in connection with administrative or court proceedings; information about compliance with legal requirements such as those relating to fraud prevention and the combating of money laundering and terrorist financing; information from banks, sales and other contractual partners of us about your use or provision of services; information from the media and the Internet about the use or provision of services by you; information from the media and the internet about you etc.
By using our blockchain-based services you acknowledge that your non-custodial/third-party wallet address and related transactions are stored on the blockchain and neither we, nor any third party, has any power to modify or delete such data published by its users to the blockchain. The details of your transactions are public information and stored on such blockchains in association with your non-custodial/third-party wallet address. Your username is publicly identified with your wallet address on our apps. If your account is ever deleted, then any transaction history on our apps will display “anonymous” instead of your username. You hereby release and indemnify us of any data privacy liability associated with data that you published to the blockchain by using our services.
The main use of the collected data is to conclude and process contracts with clients and business partners, especially related to the services and products offered on our websites and apps. We also process data to fulfil our legal obligations, both domestically and internationally.
In addition, in accordance with applicable law and where appropriate, we may process personal data, including that of third parties, for the following purposes, which are considered to be in our legitimate interest or in the legitimate interest of third parties:
- providing and developing our products, services and websites, apps and other platforms, on which we are active;
- ensuring our operation, including our IT, our websites, apps and other platforms;
- communication with you, in particular, when you contact us in order to respond to your queries or when you exercise your rights;
- advertisement and marketing, provided that you have not objected to the use of your data for this purpose (if you are part of our customer base and you receive our advertisement, you may object at any time and we will place you on a blacklist against further advertising mailings);
- relationship management (we may use a customer relationship management system (“CRM”) to store and process your data as described);
- market and opinion research, media surveillance; asserting legal claims and defense in legal disputes and official proceedings;
- prevention and investigation of criminal offences and other misconduct (e.g. conducting internal investigations, data analysis to combat fraud);
- as part of our risk management and corporate governance in order to protect us, including our IT infrastructure, from criminal or abusive activity.
Where we asked for your consent (e.g. for receiving newsletters), we process your data based on such consent. You may withdraw your consent at any time with effect for the future by providing us written notice (email sufficient). Withdrawal of your consent does not affect the lawfulness of the processing that we have carried out prior to your withdrawal, nor does it affect the processing of your data based on other processing grounds.
Where we did not ask for your consent, we process your data on other legal grounds, such as a contractual obligation, a legal obligation, a vital interest of the data subject or of another natural person, to perform a public task or a legitimate interest, which includes compliance with applicable law and the marketing of our products and services, the interest in better understanding our markets and in managing and further developing our company, including its operations, safely and efficiently.
Newsletter
If you subscribe to one of our newsletters offered, you may cancel the subscription at any time by using the option to unsubscribe contained in the newsletter.
In connection with our newsletter and based on your consent, we use the following marketing tool to collect your information when you sign up for our newsletter or other updates, and to ensure that you only receive newsletters and updates that meet your actual or perceived interests:
Mailchimp
Intuit Inc. (based in the USA) is our provider of “Mailchimp” and acts as our processor. Information on the data protection of Mailchimp can be found here https://www.intuit.com/privacy/statement/.
Cookies
We use cookies on our websites and apps that allow us to identify your browser or device and may allow certain third parties to do the same. Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our websites and/or install our apps.
Some cookies are necessary for the functioning of our websites and apps or for certain features. These cookies exist temporarily only (“session cookies”) and are deleted after you visit our website or use our apps. Other cookies are necessary to save user configurations and other information beyond a session (“permanent cookies”). Despite what was previously mentioned, you have the option to adjust your browser settings to reject cookies, save them only for a single session, or delete them before their usual expiration. By default, most browsers are set to accept cookies.
We use permanent cookies to store user preferences (e.g. automated login etc.) and to understand how you use our services and content. Some cookies are sent to you from us and others are sent to you by business partners with whom we work. If you choose to block cookies, you may not be able to use certain features (such as language settings etc.).
By using our websites and apps and agreeing to receive newsletters and other marketing emails, you consent to our use of such techniques. However, depending on the purpose of these cookies, we may ask for your explicit consent before doing so. You can access your current settings by clicking on the “Change Your Cookies”-button below and/or at our websites or apps and you can withdraw your consent under the same link at any time.
Change Cookie Settings
Tracking tools
We use tracking tools to ensure a tailored design and the continuous optimization of our websites, apps, services, and products. We also use the following tracking tools to statistically record the use of our website as well as the engagement with our products and evaluate it for the purpose of optimizing the content we show you:
Hotjar
Hotjar Ltd. (based in Malta) is our provider of “Hotjar” and acts as our processor. Hotjar uses cookies to track the behaviour of visitors to our website (duration, frequency of pages viewed, geographic origin of access, etc.) and provides us with heat maps, session recordings and survey feedback on the use of our website on this basis. All data collected for this purpose is anonymised and does not contain any personally identifiable information. Information on the data protection of Hotjar can be found here https://www.hotjar.com/legal/policies/privacy/.
Amplitude
Amplitude Inc. (based in the USA) is our provider of “Amplitude” and acts as our processor. Amplitude uses cookies to track the behaviour of visitors to our website and our apps (duration, frequency of pages viewed, geographic origin of access, etc.) as well as the engagement of the users with our products and compiles reports for us on this basis. All data collected for this purpose is anonymised and does not contain any personally identifiable information. Information on the data protection of Amplitude can be found here https://amplitude.com/privacy.
Google Analytics
Google Ireland (based in Ireland) is our provider of “Google Analytics” and acts as our processor. Google Ireland relies on Google LLC (based in the USA) as a processor for its services (both “Google”). Google uses cookies to track the behaviour of visitors to our website (duration, frequency of pages viewed, geographic origin of access, etc.) and compiles reports for us on the use of our website on this basis. We have configured the service so that the IP addresses of visitors are shortened by Google in Europe before being forwarded to the US and thus cannot be traced. We have turned off the "Data Forwarding" and "Signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google can draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and link this data to the Google accounts of these persons. If you consent to the use of Google Analytics, you explicitly agree to such processing, which also includes the transfer of personal data (in particular usage data for the website and app, device information and individual IDs) to the USA and other countries not offering adequate data protection from a Swiss/EU perspective. Information on the data protection of Google Analytics can be found here https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find further details on processing by Google here https://policies.google.com/privacy?hl=en.
Payment tools
We use online payment services to collect payments from our users for our services and products.
Stripe
Stripe Inc. (based in the USA) is our provider of “Stripe” and acts as our processor. Stripe provides a platform for online payments and financial services. Information on the data protection of Stripe can be found here https://stripe.com/en-ch/privacy.
Social plug-ins
Our websites and apps use social plug-ins to social media platforms and websites such as Twitter, Telegram, Discord, LinkedIn, GitHub, YouTube and Medium. This is visible to you (usually through the respective icons). When you visit our websites and apps, the social plug-ins are deactivated by default. If you click on the respective social plug-ins, you establish a direct connection to the server of the respective platform/website, that means, a transfer of data only takes place after your consent.
The operators of the respective social media platforms and websites may record that you are on our website and where on our website you are exactly and may use this information for their own purposes. This processing of your personal data lies within the responsibility of the respective operator and is carried out in accordance with their data protection regulations. We do not receive any information about you from the respective operator. For further information on the purpose and scope of data collection and processing by the social media platforms and websites, please review their privacy notices, where you will also receive further information about your rights and about setting options for protecting your privacy.
Social sign-in buttons
Our websites and apps offer an easy sign-in option via social sign-in buttons (GitHub and Google sign-in). These functions enable you to log in via your social network login. When you visit our apps, the social sign-in plugins are deactivated by default. If you want to use the social sign-in function, you have to click on the respective social sign-in button to establish a direct connection to the server of the respective social media platform, that means, a transfer of data only takes place after your consent.
The social media platform stores the data collected about you as usage profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its platform. This processing of your personal data lies within the responsibility of the respective operator and is carried out in accordance with their data protection regulations. We do not receive any information about you from the respective operator. For further information on the purpose and scope of data collection and processing by the social media platform, please review the privacy notices of these social media platforms, where you will also receive further information about your rights and about setting options for protecting your privacy.
Certain recipients may be located in Switzerland, but they may be located in any country in the world. In particular, you should expect your data to be transferred to other countries in Europe and the USA where our service providers (such as Intuit Inc., Hotjar Ltd., Amplitude Inc., Google Ireland) are located. Our servers are located in Germany (providers: Google Cloud EMEA Limited and Hetzner Online GmbH), which provides adequate protection under art. 16 para. 1 revDPA.
As we have explained in Section 8, we disclose data to other parties, not all of which are located in Switzerland. Your data may be processed in the European Economic Area (EEA) and in exceptional circumstances also in countries outside the EEA and around the world, which includes countries that do not provide the same level of data protection as Switzerland or the EEA and are not recognized as providing an adequate level of data protection. We only transfer data to these countries when it is necessary for the performance of a contract or for the exercise or defence of legal claims, or if such transfer is based on your explicit consent or subject to safeguards that assure the protection of your data, such as the European Commission approved standard contractual clauses.
We will only process and retain your data for as long as is necessary to fulfil our contractual obligations and to comply with legal requirements or for other purposes for which the data is being processed, i.e. for the duration of the entire business relationship (from its commencement, during its performance and until its termination) and beyond that period in accordance with legal retention and documentation obligations. Personal data may be retained for as long as claims may be asserted against us, or if we are otherwise legally obliged to do so, or if legitimate business interests require further retention (e.g. for evidence and documentation purposes). At the end of the applicable retention period, we will securely destroy your information in accordance with applicable laws and regulations. Generally, shorter retention periods of no more than twelve months apply to operational data (e.g. system logs).
We take appropriate organisational and technical security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. However, we and your personal data can still become victims of cyber-attacks, cybercrime, brute force, hacker attacks and further fraudulent and malicious activity including but not limited to viruses, forgeries, malfunctions and interruptions which is out of our control and responsibility. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
As part of our business relationship, it is necessary for you to provide us with any personal data required to establish and fulfil the contractual obligations. Generally, there is no legal obligation to provide us with this data. However, without such information, we may not be able to enter into or proceed with the contract, whether it is with you or the entity/person you represent. Additionally, certain information needs to be disclosed in order to enable data traffic on the website, such as an IP address.
You have various rights in relation to our processing of your personal data, depending on the applicable data protection law: right of access, right to rectification, right to erasure, right to restriction, right to data portability, right to withdraw consent, complaints and the right to object.
Please be aware that we reserve the right to enforce statutory restrictions as required, for example if we are obliged to retain or process certain data, have an overriding interest (insofar as we may invoke such interests) or need the data for asserting claims. If exercising certain rights would entail expenses for you, we will provide advance notification. We have already mentioned the option to withdraw consent in Section 6 above. It is important to note that exercising these rights could potentially conflict with your contractual obligations and result in consequences such as early contract termination or associated costs. If this situation arises, we will inform you beforehand, unless it has already been agreed upon in the contract.
If you would like to exercise the above-mentioned rights, please contact us at dataprotection@subsquid.io or the contact details provided under Section 2 unless otherwise specified or agreed. Please note that we need to identify you to prevent misuse, e.g. by means of a copy of your ID card or passport, unless identification is possible otherwise.
Furthermore, every data subject has the option to assert its rights in a court of law or file a complaint with the appropriate data protection authority. In Switzerland, the relevant data protection authority is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
Due to continuous development of our website/apps and the contents thereof, changes in law or regulatory requirements, we might need to change this Privacy Policy from time to time without prior notice. The current version of our Privacy Policy can be found on our website and shall apply.