Privacy Policy - Data Protection and User Rights

Comprehensive privacy policy detailing how CDAO Platform collects, uses, protects, and manages user personal data


Last Updated: January 1, 2024

This Privacy Policy describes how CDAO Platform ("we", "us", or "our") collects, uses, and protects your personal information when you use our investment platform services. We are committed to protecting your privacy and complying with applicable data protection laws.

Privacy Policy Summary

  • Data Minimization: We collect only information necessary for our services
  • Purpose Limitation: Data used only for disclosed purposes
  • Retention Limits: Data kept only as long as necessary
  • Security Measures: Industry-standard protection measures
  • User Rights: Full respect for your privacy rights

1. Information We Collect

1.1 Personal Information

Categories of Personal Data

Identity and Contact Information:
  • Full name, date of birth, and government-issued identification
  • Email address, telephone number, and mailing address
  • Profile photograph and other identifying information
  • Emergency contact information
Financial and Investment Information:
  • Bank account details and payment information
  • Cryptocurrency wallet addresses and transaction history
  • Investment history, portfolio data, and risk tolerance
  • Net worth, income, and accredited investor documentation
  • Tax identification numbers and tax-related documents
Professional Information:
  • Employment details, job title, and employer information
  • Professional certifications and licenses
  • Business relationships and affiliations
  • Investment experience and expertise

1.2 Technical Information

Automatically Collected Data

Device and Connection Information:
  • IP address, browser type and version, and device identifiers
  • Operating system, screen resolution, and device settings
  • Network connection type and internet service provider
  • Geolocation data (with your consent where required)
Usage and Analytics Data:
  • Pages visited, time spent on pages, and navigation patterns
  • Search queries, feature usage, and interaction data
  • Error logs, performance data, and technical diagnostics
  • Referral sources and marketing campaign interactions
Communication Records:
  • Customer support interactions and correspondence
  • Survey responses and feedback submissions
  • Event participation and webinar attendance
  • Social media interactions and public communications

2. How We Use Your Information

2.1 Primary Purposes

🎯 Service Provision

Investment Platform Services:
  • Processing investment applications and transactions
  • Verifying accredited investor status and KYC compliance
  • Managing investment portfolios and providing account access
  • Facilitating communications between investors and issuers
  • Providing investment reporting and tax documentation
Legal and Regulatory Compliance:
  • Meeting Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements
  • Complying with securities regulations and reporting obligations
  • Maintaining required records for regulatory examinations
  • Responding to legal requests and government inquiries
  • Conducting risk assessments and due diligence

2.2 Secondary Purposes

Platform Improvement

Service Enhancement:
  • Analyzing usage patterns to improve user experience
  • Developing new features and functionality
  • Personalizing content and investment recommendations
  • Conducting research and analytics for product development
  • Testing and optimizing platform performance
Communications and Marketing:
  • Sending service-related notifications and updates
  • Providing educational content and investment insights
  • Inviting participation in webinars and events
  • Delivering personalized marketing communications (with consent)
  • Conducting customer satisfaction surveys
Security and Fraud Prevention:
  • Monitoring for suspicious activity and potential fraud
  • Implementing security measures and access controls
  • Investigating and responding to security incidents
  • Maintaining audit trails and compliance records
  • Protecting against unauthorized access and data breaches

3. Legal Basis for Processing

3.1 GDPR Legal Bases (EU/UK Users)

Lawful Basis for Data Processing

Processing Purpose | Legal Basis | Description
KYC/AML Verification | Legal Obligation | Required by financial services regulations
Investment Processing | Contract Performance | Necessary to provide investment services
Security and Fraud Prevention | Legitimate Interest | Protecting users and platform security
Marketing Communications | Consent | With your explicit opt-in consent
Platform Analytics | Legitimate Interest | Improving user experience and services

3.2 US Legal Framework

US Privacy Laws

We comply with applicable US federal and state privacy laws:

  • California Consumer Privacy Act (CCPA): Rights for California residents
  • Virginia Consumer Data Protection Act (VCDPA): Rights for Virginia residents
  • Gramm-Leach-Bliley Act: Financial privacy protections
  • Electronic Communications Privacy Act: Communications privacy
  • Children's Online Privacy Protection Act (COPPA): Protection for minors

4. Information Sharing and Disclosure

4.1 Service Providers

🀝 Third-Party Service Providers

We share personal information with trusted service providers who assist in our operations:

Identity Verification and Compliance:
  • KYC verification services (Jumio, Onfido, or similar)
  • Background check providers
  • Accredited investor verification services
  • AML monitoring and screening services
Technology and Infrastructure:
  • Cloud hosting providers (AWS, Google Cloud, or similar)
  • Data analytics and monitoring services
  • Customer support platforms
  • Email and communication service providers
  • Security and fraud prevention services
Financial Services:
  • Payment processors and banking partners
  • Cryptocurrency exchange and wallet services
  • Tax reporting and compliance services
  • Audit and accounting firms

4.2 Legal and Regulatory Disclosures

Required Disclosures

We may disclose personal information when required by law:

  • Government Agencies: SEC, FINRA, IRS, and other regulatory bodies
  • Law Enforcement: Valid subpoenas, court orders, and legal processes
  • Legal Proceedings: Discovery requests and litigation support
  • Regulatory Examinations: Compliance examinations and investigations
  • National Security: Legitimate national security requests
  • Anti-Money Laundering: Suspicious Activity Reports (SARs) and similar

4.3 Business Transfers

🏒 Corporate Transactions

In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the new entity, subject to the same privacy protections outlined in this policy.

5. Data Security

5.1 Technical Safeguards

Security Measures

Data Encryption:
  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive communications
  • Encrypted database storage and backups
Access Controls:
  • Role-based access control (RBAC) systems
  • Multi-factor authentication for all employee access
  • Regular access reviews and privilege management
  • Principle of least privilege enforcement
Infrastructure Security:
  • SOC 2 Type II compliant cloud infrastructure
  • 24/7 security monitoring and incident response
  • Regular vulnerability assessments and penetration testing
  • Secure development lifecycle and code reviews

5.2 Organizational Safeguards

Human Security

Employee Practices:
  • Background checks for all employees with data access
  • Mandatory security awareness training and certification
  • Confidentiality agreements and privacy commitments
  • Regular training updates on privacy and security practices
Policies and Procedures:
  • Comprehensive data protection and privacy policies
  • Incident response and breach notification procedures
  • Data retention and disposal policies
  • Third-party risk management and due diligence

6. Data Retention

6.1 Retention Periods

How Long We Keep Your Data

Data Category | Retention Period | Legal Basis
KYC Documentation | 7 years from account closure | Regulatory requirement
Investment Records | 7 years from final transaction | Tax and regulatory compliance
Communication Records | 3 years from last interaction | Customer service quality
Usage Analytics | 2 years from collection | Platform improvement
Marketing Data | Until consent withdrawn + 6 months | Marketing effectiveness

6.2 Data Deletion

Secure Data Disposal

When data is no longer needed, we:

  • Use cryptographic erasure to render encrypted data unreadable
  • Perform multi-pass overwriting for data stored on physical media
  • Ensure all copies and backups are included in deletion processes
  • Obtain certificates of destruction for physical media disposal
  • Maintain audit logs of all data deletion activities
  • Notify third-party processors to delete data from their systems

7. Your Privacy Rights

7.1 Universal Rights

Rights Available to All Users

Regardless of your location, you have the right to:

  • Access: Request information about the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Communication Preferences: Opt-out of marketing communications at any time
  • Account Closure: Close your account and request data deletion (subject to legal requirements)
  • Support: Contact our privacy team with questions or concerns

7.2 Enhanced Rights (EU/UK/California)

🌟 Additional Privacy Rights

Users in EU/UK and California have additional rights:

GDPR Rights (EU/UK):
  • Right to Erasure: Request deletion of personal data in certain circumstances
  • Right to Restrict Processing: Request limitations on data processing
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Protection from solely automated decisions
CCPA Rights (California):
  • Right to Know: Detailed information about data collection and sharing
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt-out of the sale of personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate personal information

8. Children's Privacy

8.1 Age Requirements

Protection of Minors

Our services are not intended for children:

  • Users must be at least 18 years old to use our investment platform
  • We do not knowingly collect personal information from children under 13
  • If we discover we have collected information from a child, we will delete it immediately
  • Parents who believe their child has provided information should contact us immediately
  • Our investment services require legal capacity to enter into binding contracts

9. International Transfers

9.1 Cross-Border Data Transfers

🌍 Global Data Processing

Your personal information may be processed in countries other than your own:

Transfer Safeguards:
  • Adequacy Decisions: Transfers to countries deemed adequate by regulators
  • Standard Contractual Clauses: EU-approved transfer mechanisms
  • Binding Corporate Rules: Internal privacy standards for multinational companies
  • Certification Programs: Privacy Shield successors and similar frameworks
  • Explicit Consent: Your specific consent for certain transfers
Primary Processing Locations:
  • United States: Primary data processing and platform hosting
  • European Union: EU user data processing and support
  • Other Countries: Limited processing by specific service providers

10. Cookies and Tracking

10.1 Cookie Policy

Cookie Usage

We use cookies and similar technologies for various purposes:

Essential Cookies (Always Active):
  • Authentication and session management
  • Security and fraud prevention
  • Basic site functionality and navigation
  • Legal compliance and regulatory requirements
Optional Cookies (Require Consent):
  • Functional: Remember preferences and settings
  • Analytics: Understand site usage and performance
  • Marketing: Show relevant advertisements and measure effectiveness
  • Social Media: Enable social sharing and integration features
Cookie Management:
  • Use our cookie preference center to manage settings
  • Configure browser settings to block or delete cookies
  • Note that disabling essential cookies may affect site functionality

11. Privacy Policy Changes

11.1 Updates and Modifications

Policy Updates

How we handle changes to this privacy policy:

  • Notification: We will notify you of material changes via email or platform notice
  • Advance Notice: Significant changes will be announced at least 30 days in advance
  • Consent: Material changes may require your renewed consent
  • Version History: We maintain a history of policy versions
  • Effective Date: Changes become effective on the date specified in the updated policy

12. Contact Information

12.1 Privacy Contacts

Get in Touch

Contact us about privacy matters:

Primary Contacts:
[Country]
Response Times:
  • General Inquiries: 5 business days
  • Privacy Rights Requests: 30 days (45 days for complex requests)
  • Urgent Security Matters: 24-48 hours

12.2 Regulatory Authorities

Supervisory Authorities

You have the right to lodge complaints with relevant data protection authorities:

European Union:
  • Your local Data Protection Authority
  • European Data Protection Board (EDPB)
United Kingdom:
United States:
  • California: California Attorney General's Office
  • Federal: Federal Trade Commission (FTC)
  • Other States: Relevant state attorney general offices

Legal Document

This Privacy Policy constitutes a legally binding agreement between you and CDAO Platform. By using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with these terms, please do not use our services.
