GDPR-Compliant Privacy Policy
A GDPR (General Data Protection Regulation) compliant Privacy Policy needs to be detailed and transparent, and to give users real control over their personal data.
1. Information about the Data Controller
- Full name and contact details of MP (on behalf of Soromm.xyz) – this is the primary person/entity responsible for personal data.
- Registered address, phone number, and email contact for data protection inquiries: development@soromm.xyz.
- If applicable, contact details of your EU Representative (if Soromm.xyz is not established in the EU but processes data of EU citizens).
- If applicable, contact details of your Data Protection Officer (DPO) – mandatory if you process large-scale data, sensitive data, or are a public authority.
2. Types of Personal Data Collected
List specifically and in detail the types of personal data Soromm.xyz collects from users, including data collected automatically.
- Information provided by you or third-party authentication providers:
  - Through Google/Apple Login: When you choose to log in using your Google or Apple account, we receive certain information from these providers, such as your Name (if provided by Google/Apple and consented by you), Email address, and a unique identifier associated with your Google/Apple account. We do not receive your Google/Apple password.
  - Directly from you (if applicable): While our primary login is via Google/Apple, any other information you might voluntarily provide through forms (e.g., support inquiries, feedback).
- Account Information: Unique user ID linked to your Google/Apple login. (Note: We do not store traditional passwords if login is solely via Google/Apple).
- Interaction/Behavioral Data:
  - Browsing history on Soromm.xyz (pages viewed, time spent on pages, features accessed).
  - Interactions with specific features (dashboard metrics viewed, signals accessed, degen list interactions, profile settings changes).
  - Search history within the application.
  - Comments, feedback, support messages.
  - Through Firebase Analytics: Data on how you interact with our website and mobile application, including app opens, session duration, in-app purchases (if applicable), and usage patterns.
- Technical Data:
  - IP address (automatically collected when accessing the website/app).
  - Cookie IDs and other online identifiers.
  - Device information (type of device, operating system, browser type, screen resolution, unique device identifiers).
  - Server logs, error information, access times.
  - Through Firebase Crashlytics & Performance Monitoring: Crash reports, performance data (e.g., app startup time, network request latency), and related device information.
- Location Data: If collected (e.g., approximate location derived from IP address for analytics purposes; explicit consent required for precise location tracking, which we generally do not collect).
- Exchange/Wallet Connection Information (in the future): If connection is allowed, clearly state what type of data will be accessed (read-only balances, transaction history, etc.) and for what specific purposes. Note: This data can be highly sensitive and must be handled with the highest level of security.
3. Purpose of Processing and Legal Basis
For each type of data collected, you must clearly state the purpose of use and the valid legal basis under GDPR.
- To provide Soromm.xyz services:
  - Purpose: To enable users to access the dashboard, signals, degen, and manage their profile.
  - Legal Basis: Performance of a contract (Article 6(1)(b) GDPR) with the user.
- To improve and personalize user experience:
  - Purpose: Analyzing user behavior to optimize interface, features, and suggest relevant content.
  - Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) of Soromm.xyz in improving its services, or consent (Article 6(1)(a) GDPR) if personalization goes beyond the user's reasonable expectations.
- To send notifications and newsletters:
  - Purpose: Sending updates about the product, hot crypto market news, periodic newsletters.
  - Legal Basis: Consent (Article 6(1)(a) GDPR) of the user (requires clear opt-in/opt-out mechanisms).
- To ensure security and prevent fraud:
  - Purpose: Monitoring activity to detect and prevent unauthorized actions, protecting the system.
  - Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) of Soromm.xyz and users in maintaining security.
- To comply with legal obligations:
  - Purpose: Processing data as required by law (e.g., requests from government authorities).
  - Legal Basis: Legal obligation (Article 6(1)(c) GDPR).
4. Recipients of Personal Data
- Data Processors: Third-party service providers who process data on your behalf (e.g., cloud hosting providers, web analytics tools like Google Analytics/Firebase, email service providers, CRM).
  You must ensure that these processors also comply with GDPR and have Data Processing Agreements (DPAs) in place with them.
- Other Third Parties: Advertising partners (if applicable), social media platforms (if direct sharing features exist), government authorities (if there is a valid legal request).
- No Sale of Information: Clearly state that Soromm.xyz does not sell users' personal data.
5. International Data Transfers
- The country or region where the data is transferred.
  Note: As our team operates from Singapore, Hong Kong, and Vietnam, personal data may be processed and accessed from these locations. We ensure that appropriate safeguards are in place for any such transfers, including reliance on Standard Contractual Clauses (SCCs) or other approved mechanisms to protect your data in accordance with GDPR standards.
- The legal basis for such transfer (e.g., Adequacy Decision, Standard Contractual Clauses, Binding Corporate Rules, or explicit user consent).
6. Data Retention
- Account data: Stored until the user deletes their account.
  Deletion Policy: When you request deletion of your account, your data will be retained for a grace period of up to 30 days before permanent deletion. This period allows for data recovery in case of accidental deletion or to fulfill any outstanding legal obligations.
- Analytics data: Stored for up to 3 years for long-term trend analysis and service improvement.
- Transaction data (if applicable in the future): Stored as required by AML (Anti-Money Laundering) or tax regulations.
7. Data Subject Rights
This is a critically important section of GDPR. You must list and explain in detail the rights users have regarding their data, and how they can exercise these rights:
- Right to be Informed: The right to know how their data is being processed (via this policy).
- Right of Access: The right to request a copy of their personal data.
- Right to Rectification: The right to request correction of inaccurate data.
- Right to Erasure / "Right to be Forgotten": The right to request deletion of personal data in certain circumstances (e.g., data no longer necessary for original purpose, or consent is withdrawn).
- Right to Restriction of Processing: The right to request limitation on how you use their data.
- Right to Data Portability: The right to receive their data in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller.
- Right to Object: The right to object to the processing of data for specific reasons (e.g., direct marketing, processing based on legitimate interests).
- Rights in relation to automated decision making and profiling: The right not to be subject to a decision based solely on automated processing if that decision produces legal effects or similarly significant effects concerning them (e.g., automated denial of service).
You must provide a specific email address or contact form for users to submit requests to exercise these rights.
8. Right to Lodge a Complaint with a Supervisory Authority
Users have the right to lodge a complaint with a National Data Protection Supervisory Authority if they believe their rights have been violated. You should provide contact information for the relevant Supervisory Authority for your operations (e.g., the competent authority in your country or the data subject's country).
9. Cookies and Tracking Technologies
- Explanation of Cookies: What cookies are, types of cookies used (essential, functional, analytical, advertising cookies).
- Purpose of Use: State the purpose of each cookie type (e.g., maintaining login sessions, analyzing traffic, displaying personalized ads).
- Third Parties: List third parties that place cookies on your website/app (e.g., Google Analytics, Google Ads, Firebase Analytics, etc.).
- Consent Mechanism: Clearly state that you will use a GDPR-compliant Cookie Consent Banner/Pop-up that allows users to actively choose which types of cookies they wish to accept or reject before any non-essential cookies are placed.
- How to Manage: Instruct users on how to manage or withdraw their cookie consent through browser settings or in-app settings.
10. Security Measures
- Encryption of data in transit and at rest.
- Strict access controls.
- Use of firewalls and intrusion detection systems.
- Employee training on data security.
- Conducting Data Protection Impact Assessments (DPIAs) when necessary.
11. Changes to this Privacy Policy
- State Soromm.xyz's right to update or modify this policy.
- How users will be informed of significant changes (e.g., posting the new version on the website/app, notification via email).
12. Contact Us
Provide specific contact information for users to ask questions or exercise their rights regarding the privacy policy.
Important Advice:
- Data Accuracy (User-Provided Information): We rely on the accuracy of the information provided by our users. While we strive to maintain accurate records, we cannot independently verify the accuracy of all user-provided data. Users are responsible for ensuring the accuracy and completeness of the personal data they provide to Soromm.xyz.
- Consult a GDPR specialist lawyer: GDPR compliance is complex and requires a deep understanding of your data processing activities. A lawyer specializing in data protection or technology law will help you draft a comprehensive privacy policy that is legally sound, appropriate for Soromm.xyz's specific operations, and compliant with current legal regulations.
- Implement technical measures: The privacy policy is only one part. You need to ensure your technical processes and systems also comply with GDPR principles (e.g., privacy by design, privacy by default).
- Conduct Data Protection Impact Assessments (DPIAs): For high-risk data processing activities (e.g., processing sensitive data, using new technologies for behavioral tracking), you may need to conduct a DPIA.