
Privacy Policy

Effective Date: January 1, 2025

Last Updated: February 1, 2026

Version: 1.1 (Comprehensive)



About This Privacy Policy

Welcome to Fololo Iris. We take your privacy seriously.

This Privacy Policy explains how Fololo Iris Ltd ("we", "us", "our") collects, uses, and protects your personal data when you use our wallet control attestation service.

Who This Policy Applies To:

  • Cryptocurrency Exchanges (Our Customers): Companies that register for Fololo Iris accounts to verify wallet ownership
  • Wallet Owners (End Users): Individuals whose wallet ownership is verified through our platform
  • Auditors: Individuals authorized by exchanges to review verification evidence

What We Do: Fololo Iris is a wallet control attestation platform that helps cryptocurrency exchanges verify wallet ownership through cryptographic signature verification. We generate tamper-proof evidence of wallet control for compliance, audit, and risk management purposes.

Our Commitment: We comply with the EU General Data Protection Regulation (GDPR) and UK GDPR to protect your privacy rights. This policy is designed to be transparent, concise, and easy to understand.

Questions? Contact our Data Protection Officer at privacy@fololo.io


1. What Data We Collect

We collect only the data necessary to provide our wallet control attestation service. Here's what we collect, organized by category:

1.1 Exchange Account Information (For Our Customers)

When a cryptocurrency exchange registers for a Fololo Iris account, we collect:

| Data Element | Purpose | Legal Basis |
|---|---|---|
| Company Name | Identify your organization | Contract (service delivery) |
| Contact Email | Account communications, password resets | Contract |
| Subscription Tier | Billing and feature access | Contract |
| Billing Address (optional) | Invoicing (if applicable) | Contract |
| Account Status | Manage active/suspended/deleted accounts | Contract |

We Do NOT Collect:

  • ❌ Payment card details (we use third-party payment processors if applicable)
  • ❌ Social Security Numbers or Tax IDs
  • ❌ Personal financial information beyond subscription tier

1.2 User Credentials & Authentication

To secure your account and verify your identity, we collect:

| Data Element | Purpose | Legal Basis | Security Measures |
|---|---|---|---|
| Email Address | Account login, password resets | Contract | Redacted in logs (LogSanitizer) |
| Password | Authentication | Contract | BCrypt hashing (cost 12), never stored in plaintext |
| Multi-Factor Authentication (MFA) Codes | Enhanced security (optional) | Contract | TOTP secrets encrypted at rest |
| Login Timestamps | Security monitoring, abuse detection | Legitimate Interest | 90-day retention |
| IP Addresses | Fraud prevention, security alerts | Legitimate Interest | Pseudonymized in logs |

We Do NOT Collect:

  • ❌ Browser fingerprints beyond standard User-Agent
  • ❌ Precise geolocation (only country-level via IP address)
  • ❌ Social media profile data

1.3 API Keys & Integration Credentials

For API integrations with your systems, we collect:

| Data Element | Purpose | Legal Basis | Security Measures |
|---|---|---|---|
| API Keys | Authenticate API requests | Contract | BCrypt hashing (cost 12), prefixes only in UI |
| API Key Metadata | Usage tracking, rate limiting | Contract | Last used timestamp, request counts |
| Webhook URLs | Event notifications (optional) | Contract | HTTPS validation, HMAC signature verification |
| Webhook Secrets | Secure webhook delivery | Contract | Encrypted at rest, never logged |

We Do NOT Collect:

  • ❌ Your internal system credentials
  • ❌ Your customers' payment information
  • ❌ Your database access credentials

1.4 Wallet Verification Data

This is the core data we process to verify wallet ownership:

| Data Element | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Wallet Addresses (public keys) | Identify wallet being verified | Contract | 5 years minimum (successful verifications) |
| Blockchain Signatures | Cryptographic proof of ownership | Contract | 5 years minimum (successful verifications) |
| Challenge Nonces (replay cache) | Prevent replay attacks | Contract | 24 hours (Redis TTL) |
| Blockchain Network | Verify signature format (Ethereum, Polygon, BSC, Bitcoin) | Contract | 5 years minimum (successful verifications) |
| Verification Timestamp | Audit trail, evidence generation | Contract + Legal Obligation | 5 years minimum (successful verifications) |
| Verification Status | Track success/failure | Contract | 5 years minimum (successful verifications) |

Why Long Retention for Successful Verifications?

  • Legal Compliance: eIDAS Regulation (EU 910/2014) requires multi-year retention for electronic signature evidence (we retain at least 5 years)
  • Financial Audit: Anti-Money Laundering regulations require 5 years of customer due diligence records
  • Legal Defense: Verification evidence may be needed to defend against fraud claims or regulatory inquiries

Important Notes:

  • ✅ Wallet addresses are pseudonymous (public blockchain data, not directly identifying)
  • ✅ We do NOT collect private keys (never share your private keys with anyone)
  • ✅ We do NOT track your cryptocurrency transactions beyond the verification signature
  • ✅ Failed signature attempts are not stored as verification results; operational logs retain failure context for 180 days in production (90 days non-prod)

1.5 Evidence Documents (PDFs)

For compliance and audit purposes, we generate evidence PDFs containing:

| Data Element | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Verification Summary | Audit-ready proof of wallet control | Contract + Legal Obligation | 5 years minimum |
| Wallet Address | Identify wallet in evidence | Contract | 5 years minimum |
| Blockchain Signature | Cryptographic proof | Contract | 5 years minimum |
| Timestamp & Chain ID | Prevent evidence tampering | Legal Obligation | 5 years minimum |
| SHA-256 Hash | Integrity verification | Legal Obligation | 5 years minimum |

Storage:

  • Evidence PDFs are stored in Azure Blob Storage (EU West region) with AES-256 encryption at rest
  • Survives account deletion: Evidence PDFs retained for at least 5 years even if you delete your account (legal obligation)

1.6 Application Logs & Monitoring

To maintain service quality and security, we collect:

| Data Element | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| API Request Logs | Debugging, performance optimization | Legitimate Interest | 180 days (prod), 90 days (non-prod) |
| Error Logs | Bug fixing, service reliability | Legitimate Interest | 180 days (prod), 90 days (non-prod) |
| Performance Metrics | Capacity planning, optimization | Legitimate Interest | 180 days (prod), 90 days (non-prod) |
| Security Event Logs | Fraud detection, breach response | Legitimate Interest | 5 years minimum (compliance audit logs) |

Privacy Protections:

  • ✅ All logs sanitized via LogSanitizer (emails redacted, passwords never logged)
  • ✅ UUIDs only (no direct personal identifiers in operational logs)
  • ✅ Separate compliance audit logs (retained at least 5 years) vs. operational logs (180 days in production, 90 days in non-production)

We Use: Microsoft Azure Application Insights for monitoring (see Section 8: International Data Transfers)


1.7 Cookies & Tracking Technologies

Session Cookies (Essential): We use session cookies to keep you logged in and maintain your session state. These are strictly necessary for the service to function.

| Cookie Name | Purpose | Expiry | Legal Basis |
|---|---|---|---|
| .AspNetCore.Session | Session authentication | 24 hours (or logout) | Contract (essential service) |
| XSRF-TOKEN | Cross-Site Request Forgery protection | Session | Legitimate Interest (security) |

We Do NOT Use:

  • ❌ Advertising cookies
  • ❌ Social media tracking pixels
  • ❌ Third-party analytics cookies (Google Analytics, Facebook Pixel, etc.)
  • ❌ Cross-site tracking

Your Cookie Choices:

  • Essential cookies cannot be disabled (service won't work)
  • You can clear cookies in your browser settings (will log you out)

1.8 Data We Do NOT Collect

To be transparent, here's what we explicitly do NOT collect:

  • Private Keys or Seed Phrases (never share these with anyone!)
  • Cryptocurrency Transaction History (we don't track your trading activity)
  • Payment Card Details (handled by third-party processors)
  • Special Category Data (race, religion, health, biometric data, political opinions)
  • Precise Geolocation (only country-level IP geolocation for security)
  • Social Media Profiles (no social login, no tracking pixels)
  • Children's Data (service is B2B only, 18+ users)

2. How We Use Your Data

We use your data only for the purposes disclosed below. We will never sell your data to third parties.

2.1 Service Delivery (Contract Basis)

Purpose: Provide wallet control attestation services to cryptocurrency exchanges

Activities:

  • ✅ Process wallet ownership challenges (signature verification)
  • ✅ Generate evidence PDFs for audit compliance
  • ✅ Manage exchange accounts (registration, login, subscription)
  • ✅ Deliver API integrations (API keys, webhooks)
  • ✅ Send transactional emails (password resets, verification notifications)

Legal Basis: Contract (GDPR Article 6(1)(b)) - necessary to perform our service agreement with you


2.2 Security & Fraud Prevention (Legitimate Interest)

Purpose: Protect our platform and users from abuse, fraud, and security threats

Activities:

  • ✅ Monitor login attempts (detect brute force attacks)
  • ✅ Track API usage (rate limiting, abuse detection)
  • ✅ Log security events (unauthorized access attempts, suspicious activity)
  • ✅ IP-based geolocation (detect account takeover from unusual locations)
  • ✅ Session management (expire abandoned sessions, revoke compromised tokens)

Legal Basis: Legitimate Interest (GDPR Article 6(1)(f)) - we have a legitimate interest in protecting our service and users

Balancing Test:

  • Our Interest: Prevent fraud, protect user accounts, maintain service availability
  • Your Interest: Expect secure service, protection from unauthorized access
  • Impact on You: Minimal (security logging is standard practice, logs are pseudonymized)
  • Mitigation: Logs sanitized (no PII), retained for up to 180 days in production and 90 days in non-production environments (not indefinite)

Your Rights: You can object to this processing (see Section 4.5: Right to Object)


Purpose: Comply with legal requirements and respond to lawful requests

Activities:

  • ✅ Retain evidence PDFs for at least 5 years (eIDAS Regulation, financial audit laws)
  • ✅ Retain compliance audit logs for at least 5 years (GDPR accountability, SOC 2 compliance)
  • ✅ Respond to Data Subject Access Requests (GDPR Articles 15-22)
  • ✅ Notify authorities of data breaches (GDPR Article 33 - 72-hour deadline)
  • ✅ Cooperate with law enforcement (where legally required)

Legal Basis: Legal Obligation (GDPR Article 6(1)(c)) - processing necessary to comply with legal requirements

Applicable Laws:

  • GDPR: Accountability principle (Article 5(2)), data subject rights (Articles 15-22)
  • eIDAS Regulation (EU 910/2014): Electronic signature evidence retention (5 years minimum)
  • UK Companies Act 2006: Financial records retention (6 years)
  • Anti-Money Laundering Directive (AMLD5): Customer due diligence records (5 years)

2.4 Service Improvement (Legitimate Interest)

Purpose: Improve product features, performance, and user experience

Activities:

  • ✅ Analyze API usage patterns (optimize endpoint performance)
  • ✅ Monitor error rates (fix bugs, improve reliability)
  • ✅ Review feature adoption (prioritize development roadmap)
  • ✅ Capacity planning (scale infrastructure to meet demand)

Legal Basis: Legitimate Interest (GDPR Article 6(1)(f))

Balancing Test:

  • Our Interest: Build better products, reduce costs, improve user experience
  • Your Interest: Benefit from improved features and reliability
  • Impact on You: Minimal (aggregated/pseudonymized data only, no profiling)
  • Mitigation: No individual profiling, no automated decision-making, data minimization

Your Rights: You can object to this processing (see Section 4.5: Right to Object)


2.5 What We Do NOT Do With Your Data

To be clear, we never use your data for:

  • Selling Data to Third Parties (we never sell personal data)
  • Targeted Advertising (no ad targeting, no behavioral profiling)
  • Automated Decision-Making (no AI/ML profiling affecting your rights)
  • Cross-Selling (no marketing to wallet owners, B2B only)
  • Social Media Tracking (no Facebook Pixel, Google remarketing, etc.)
  • Cryptocurrency Trading (we don't trade or speculate with verification data)

3. Who We Share Data With

We share your data with the following categories of recipients:

3.1 Sub-Processors (Service Providers)

We use trusted third-party vendors to help deliver our service. All sub-processors are bound by Data Processing Agreements (DPAs) with EU Standard Contractual Clauses (SCCs) for international transfers.

Current Sub-Processors:

| Sub-Processor | Service | Country | Data Shared | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, monitoring, evidence PDF storage | USA (sub-processor), EU (data residency) | Pseudonymized logs, performance metrics, evidence PDFs | EU SCCs, EU data residency (EU West region), SOC 2 Type II |
| SendGrid (Twilio) | Email delivery | USA | Email addresses, transactional messages | EU SCCs, encryption in transit, 30-day retention |

Sub-Processor Changes:

  • We'll notify you 30 days before adding new sub-processors
  • You have the right to object to new sub-processors (see Section 4.5)
  • Current sub-processors are listed above; detailed assessments are available on request via privacy@fololo.io

Data Processing Agreements: All sub-processors sign DPAs that require:

  • ✅ Process data only on our instructions
  • ✅ Implement appropriate security measures (encryption, access controls)
  • ✅ Notify us of data breaches within 24 hours
  • ✅ Assist with data subject rights requests (access, erasure, etc.)
  • ✅ Delete data when service ends

3.2 Law Enforcement & Regulatory Authorities

We may disclose data to authorities where legally required:

When We Disclose:

  • Court Orders: Valid subpoenas, search warrants (we verify legal validity)
  • Regulatory Investigations: ICO (UK data protection authority), financial regulators
  • National Security: FISA warrants (USA), national security letters (we challenge where legally permitted)
  • Legal Defense: Establish, exercise, or defend legal claims

Legal Basis: Legal Obligation (GDPR Article 6(1)(c)) or Legal Claims (GDPR Article 17(3)(e))

Your Protections:

  • ✅ We verify legal validity before disclosing data
  • ✅ We challenge overly broad or legally unjustified requests
  • ✅ We notify you of disclosure (unless legally prohibited by gag order)
  • ✅ We limit disclosure to minimum necessary data

Transparency:

  • We will publish an annual transparency report on government requests (if legally permitted)

3.3 Auditors (Your Authorized Users)

If you (as an exchange) grant auditor access to specific verification records:

Data Shared with Auditors:

  • ✅ Verification evidence PDFs (wallet address, signature, timestamp)
  • ✅ Verification metadata (status, blockchain network, challenge ID)

Access Controls:

  • ✅ Time-limited auditor tokens (24-hour expiry)
  • ✅ Scoped access (auditors see only records you authorize)
  • ✅ Audit logs (we track all auditor access)

Legal Basis: Contract (you instruct us to grant auditor access)


3.4 Business Transfers (Mergers, Acquisitions)

If Fololo Iris is acquired or merges with another company:

Your Protections:

  • ✅ Acquiring company must honor this Privacy Policy (or obtain your consent for changes)
  • ✅ We'll notify you 30 days before ownership change
  • ✅ You can delete your account before transfer (see Section 5.2: Right to Erasure)

Legal Basis: Legitimate Interest (business continuity) + Legal Obligation (data protection by design)


3.5 Who We Do NOT Share Data With

We never share your data with:

  • Advertisers or Marketing Companies (no data sales)
  • Data Brokers (no selling of email lists, wallet addresses, etc.)
  • Social Media Platforms (no Facebook, Twitter, LinkedIn data sharing)
  • Cryptocurrency Exchanges (we don't share your verification data with other exchanges)
  • Insurance Companies or Credit Bureaus

4. Your Privacy Rights

Under GDPR and UK GDPR, you have the following rights:

4.1 Right to Be Informed (Transparency)

What It Means: You have the right to clear information about how we use your data.

How We Comply:

  • ✅ This Privacy Policy (plain language, comprehensive)
  • ✅ Data collection disclosures (at point of collection)
  • ✅ Privacy notices (during account registration, API key creation)

4.2 Right of Access (Article 15)

What It Means: You can request a copy of all personal data we hold about you.

What You'll Receive:

  • ✅ Copy of your data (JSON or CSV format)
  • ✅ Data categories (account info, verification records, logs)
  • ✅ Purposes of processing (contract, legitimate interest, etc.)
  • ✅ Recipients (sub-processors, auditors if applicable)
  • ✅ Retention periods (5 years minimum for evidence, 180 days prod / 90 days non-prod for operational logs, etc.)
  • ✅ Your rights (erasure, rectification, objection, etc.)

How to Request: See Section 5.1: How to Exercise Your Rights

Response Time: 30 days (free of charge for first request)


4.3 Right to Rectification (Article 16)

What It Means: You can correct inaccurate or incomplete personal data.

Examples:

  • ✅ Update company name (if changed)
  • ✅ Correct email address (if typo)
  • ✅ Update billing address

How to Request: See Section 5.1

Response Time: 30 days

Note: Verification records (wallet addresses, signatures) cannot be rectified (cryptographic integrity). If verification data is incorrect, you can:

  • Request deletion (Article 17)
  • Create new verification with correct data

4.4 Right to Erasure (Article 17) - "Right to Be Forgotten"

What It Means: You can request deletion of your personal data.

When Erasure Applies:

  • ✅ Data no longer necessary for original purpose
  • ✅ You withdraw consent (if processing was based on consent)
  • ✅ You object to processing (and we have no overriding legitimate grounds)
  • ✅ Data processed unlawfully

When We Can Refuse Erasure:

| Scenario | Legal Basis for Refusal | Example |
|---|---|---|
| Legal Obligation | Article 17(3)(b) | Evidence PDFs retained at least 5 years for eIDAS compliance |
| Legal Claims | Article 17(3)(e) | Verification data needed for fraud investigation or litigation |
| Archiving in Public Interest | Article 17(3)(d) | Compliance audit logs retained at least 5 years for GDPR accountability |

Account Deletion Process:

  1. Request Deletion: Email privacy@fololo.io or use Customer Portal
  2. 90-Day Grace Period: Account marked for deletion, but recoverable
  3. Recovery Option: Log in anytime during 90 days to cancel deletion
  4. Final Deletion: After 90 days, account anonymized (email → deleted-{uuid}@anonymized.local)

What Gets Deleted:

  • ✅ Account credentials (email, password, API keys)
  • ✅ Webhook configurations
  • ✅ Operational logs (after 180-day production retention / 90-day non-production retention)

What Gets Retained (Anonymized):

  • ⚠️ Evidence PDFs (5 years minimum, legal obligation)
  • ⚠️ Compliance audit logs (5 years minimum, pseudonymized: deleted-{uuid}@anonymized.local)
  • ⚠️ Financial records (6 years, UK Companies Act 2006)

How to Request: See Section 5.2: How to Exercise Your Right to Erasure


4.5 Right to Object (Article 21)

What It Means: You can object to processing based on legitimate interest.

What You Can Object To:

  • ✅ Security logging (fraud detection, abuse monitoring)
  • ✅ Service improvement analytics (feature adoption, performance optimization)
  • ✅ New sub-processor additions (30-day objection period)

What You Cannot Object To:

  • ❌ Processing necessary for contract performance (wallet control attestation, evidence generation)
  • ❌ Processing required by legal obligation (audit logs, evidence retention)

Effect of Objection:

  • ✅ We must stop processing unless we can demonstrate compelling legitimate grounds that override your rights
  • ✅ If objection sustained, we'll delete or anonymize data within 30 days

How to Request: See Section 5.1


4.6 Right to Restrict Processing (Article 18)

What It Means: You can request temporary suspension of processing while we investigate your request.

When Restriction Applies:

  • ✅ You contest data accuracy (we restrict while verifying accuracy)
  • ✅ Processing is unlawful, but you prefer restriction over deletion
  • ✅ We no longer need data, but you need it for legal claims
  • ✅ You objected to processing (we restrict while verifying our legitimate grounds)

Effect of Restriction:

  • ✅ Data stored but not processed (except with your consent or for legal claims)
  • ✅ Restriction flag added to your account (visible in Customer Portal)
  • ✅ We notify you before lifting restriction

How to Request: See Section 5.1


4.7 Right to Data Portability (Article 20)

What It Means: You can receive your data in a machine-readable format and transmit it to another service.

What You'll Receive:

  • ✅ JSON or CSV export of your data
  • ✅ All data provided by you (account info, API keys metadata)
  • ✅ All data generated by your use of service (verification records, logs)

Exclusions:

  • ❌ Data inferred by us (e.g., security risk scores) - not "provided by you"
  • ❌ Sub-processor data (e.g., SendGrid delivery logs) - held by third party

How to Request: See Section 5.1

Response Time: 30 days (free of charge)


4.8 Rights Related to Automated Decision-Making (Article 22)

What It Means: You have the right not to be subject to decisions based solely on automated processing that significantly affects you.

Fololo Iris Position:

  • We do NOT use automated decision-making that affects your rights
  • ✅ No AI/ML profiling for account suspensions, pricing, or access restrictions
  • ✅ All significant decisions (account approval, suspension) involve human review

5. How to Exercise Your Rights

5.1 General Data Subject Access Requests (DSAR)

To exercise any privacy right (access, rectification, objection, restriction, portability):

Email: privacy@fololo.io

Subject Line: "Data Subject Access Request - [Your Right]"

Example Subject Lines:

  • "Data Subject Access Request - Right of Access"
  • "Data Subject Access Request - Right to Rectification"
  • "Data Subject Access Request - Right to Object"

Required Information:

  1. Your Email Address (registered with Fololo Iris)
  2. Company Name (if applicable)
  3. Description of Request (what data you want, what right you're exercising)
  4. Proof of Identity (see Identity Verification below)

Identity Verification: To protect your data, we verify your identity using one of these methods:

| Method | Process | Verification Time |
|---|---|---|
| Email Verification | Click link in email sent to registered account email | Instant |
| Customer Portal Login | Log in to portal.fololo.io (proves account ownership) | Instant |
| Wallet Signature | Sign challenge message with wallet address (if applicable) | 1-2 business days |
| ID Document (fallback) | Upload photo ID + selfie (encrypted upload) | 3-5 business days |

Response Time:

  • Acknowledgment: Within 48 hours (we confirm receipt)
  • Fulfillment: Within 30 days (GDPR deadline)
  • Extension: Up to 60 additional days for complex requests (we'll notify you if extension needed)

Cost:

  • Free for first request per year
  • ⚠️ Reasonable fee for manifestly unfounded or excessive requests (we'll notify you before charging)

5.2 Right to Erasure (Account Deletion)

Customer Portal (Recommended):

  1. Log in to portal.fololo.io
  2. Navigate to: Settings → Account → Delete Account
  3. Read grace period warning (90-day recovery period)
  4. Confirm deletion

Email:

  • Send email to privacy@fololo.io with subject: "Account Deletion Request"
  • Include: Company name, registered email address
  • We'll confirm deletion initiation within 48 hours

What Happens Next:

  1. Day 0: Account status changed to "Deleted", login still works (recovery option)
  2. Day 30: Reminder email ("Account will be deleted in 60 days")
  3. Day 60: Reminder email ("Account will be deleted in 30 days")
  4. Day 80: Final warning email ("FINAL NOTICE: 10 days remaining")
  5. Day 90: Account anonymized (email → deleted-{uuid}@anonymized.local, API keys deleted, webhooks deleted)

Recovery:

  • Log in anytime during 90-day grace period
  • Click "Cancel Deletion" banner in Customer Portal
  • Account immediately restored to Active status

5.3 Complaints to Supervisory Authorities

If you're unhappy with our response to your privacy request, you have the right to lodge a complaint with a data protection authority:

United Kingdom (ICO):

European Union:

What to Include in Complaint:

  • Description of your privacy concern
  • How you contacted us (date, email, response received)
  • Why you're unsatisfied with our response
  • What outcome you're seeking

6. Data Security

We take data security seriously. Here's how we protect your data:

6.1 Technical Safeguards

Encryption:

  • In Transit: TLS 1.3 for all API calls, web traffic, database connections
  • At Rest: AES-256 encryption for databases, blob storage, backups
  • Field-Level Encryption: AES-256-GCM for sensitive PII (email, contact details)

Authentication:

  • Password Hashing: BCrypt (cost 12) - never stored in plaintext
  • API Key Hashing: BCrypt (cost 12) - only prefixes visible in UI
  • Multi-Factor Authentication (MFA): TOTP-based (Google Authenticator, Authy)
  • Session Management: 24-hour max session lifetime, automatic expiration

Access Controls:

  • Role-Based Access Control (RBAC): Principle of least privilege
  • Tenant Isolation: Row-level security (tenant A cannot access tenant B data)
  • Auditor Tokens: Time-limited (24-hour expiry), scoped access only

Infrastructure Security:

  • Azure Container Apps: Isolated compute environments, no shared tenancy
  • Network Security: Private endpoints, no public database access
  • DDoS Protection: Azure DDoS Protection Standard
  • Web Application Firewall (WAF): Azure Front Door (planned)

6.2 Organizational Safeguards

Security Policies:

  • Access Control Policy: Least privilege, MFA required for production access
  • Incident Response Plan: 24-hour breach detection, 72-hour ICO notification
  • Data Retention Policy: Automated deletion jobs, 90-day grace period
  • Sub-Processor Due Diligence: SOC 2, ISO 27001 certifications required

Employee Training:

  • Security Awareness: Annual training on GDPR, phishing, data protection
  • Background Checks: For employees with production data access (planned)
  • Confidentiality Agreements: All employees sign NDAs

Monitoring & Auditing:

  • Application Insights: Real-time monitoring, anomaly detection
  • Audit Logs: 5 years minimum retention, tamper-evident (append-only)
  • Security Alerts: Failed login spikes, API abuse, data export anomalies
  • Quarterly Reviews: DPO reviews access logs, sub-processor compliance

6.3 SOC 2 Type II Compliance (In Progress)

We are working toward SOC 2 Type II certification (target: Q3 2026).

SOC 2 Trust Service Criteria:

  • CC6.1 (Logical Access): MFA, RBAC, least privilege
  • CC7.2 (System Operations): Monitoring, logging, incident response
  • CC9.1 (Confidentiality): Encryption, data minimization, access controls

6.4 Data Breach Notification

If We Experience a Data Breach:

Within 24 Hours:

  • ✅ Contain breach (revoke compromised credentials, isolate affected systems)
  • ✅ Preserve evidence (forensic logs, attack vectors)

Within 72 Hours:

  • Notify ICO (GDPR Article 33 requirement)
  • Notify Affected Tenants (GDPR Article 34 requirement)

Email Notification Template (to affected tenants):

Subject: URGENT: Data Breach Notification

Dear [CompanyName],

We are writing to inform you of a data breach that may have affected your account.

**What Happened:**
[Brief description of breach: unauthorized access, hacking, insider threat, etc.]

**Data Affected:**
[Data categories: email addresses, verification records, API keys, etc.]

**What We're Doing:**
- Contained breach on [date]
- Notified ICO on [date]
- Implemented additional safeguards: [description]

**What You Should Do:**
- Reset your password immediately: https://portal.fololo.io/reset-password
- Review recent verification activity for suspicious activity
- Enable Multi-Factor Authentication (MFA) if not already enabled
- Rotate API keys: https://portal.fololo.io/api-keys

**Questions?**
Contact our Data Protection Officer: privacy@fololo.io

We sincerely apologize for this incident and are committed to protecting your data.

7. How Long We Keep Your Data

Retention Periods by Data Category:

| Data Category | Active Retention | Post-Deletion Grace | Final Deletion | Deletion Method |
|---|---|---|---|---|
| Account Information | Indefinite (while active) | 90 days | Anonymized (indefinite audit trail) | Anonymization |
| User Credentials | Indefinite (while active) | 90 days | Anonymized/Deleted | Anonymization (admins), Hard Delete (auditors) |
| API Keys | Indefinite (while active) | 90 days (revoked) | Hard Deleted | Hard Delete |
| Verification Records (Success) | 5 years minimum from verification | N/A (survives account deletion) | Manual purge after minimum retention | Anonymization |
| Verification Records (Failed) | Not stored as verification results (operational logs: 180 days prod / 90 days non-prod) | N/A | N/A | N/A |
| Evidence PDFs | 5 years minimum from generation | N/A (survives account deletion) | Manual purge after minimum retention | Anonymization |
| Session Tokens | 24 hours (JWT expiry) | 90 days (DB) | Hard Deleted | Hard Delete |
| Application Logs | 180 days (prod), 90 days (non-prod) | N/A | Auto-Deleted | Azure auto-delete |
| Audit Logs | 5 years minimum | N/A (survives account deletion) | Manual purge after minimum retention | Anonymization |
| Webhooks | Indefinite (while active) | 30 days (disabled), 90 days (tenant deleted) | Hard Deleted | Hard Delete |

Why Long Retention for Some Data?

| Data Category | Retention Period | Legal Justification |
|---|---|---|
| Evidence PDFs (5 years minimum) | eIDAS Regulation (EU 910/2014) | Electronic signature evidence must be retained for legal enforceability |
| Verification Records (5 years minimum) | AMLD5, UK Companies Act 2006 | Customer due diligence records, financial audit trail |
| Audit Logs (5 years minimum) | GDPR Article 5(2), SOC 2 Type II | Accountability principle, demonstrate GDPR compliance |

Detailed retention schedules: Available on request via privacy@fololo.io


8. International Data Transfers

We transfer personal data to the United States only for the services below. Most processing remains in the EU. All transfers are protected by EU Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIA).

8.1 SendGrid (Twilio) - Email Delivery

Country: United States

Data Transferred: Email addresses, transactional email content

Safeguards: EU SCCs 2021 (Module 2), encryption in transit (TLS 1.3), 30-day retention

Risk Level: LOW-MEDIUM (mitigated by data minimization and short retention)


8.2 Microsoft Azure - Application Insights

Country: EU (West Europe)

Data Transferred: Pseudonymized logs (UUIDs only), performance metrics

Safeguards: EU data residency (EU West region), Microsoft DPA, log sanitization; SCCs apply if support access is required

Risk Level: VERY LOW (no direct PII, EU storage, pseudonymization)


8.3 Transfer Impact Assessment (TIA) Summary

We have assessed the risks of transferring data to the USA, considering:

  • US Surveillance Laws: FISA 702, CLOUD Act, EO 12333
  • Supplementary Safeguards: Encryption, data minimization, contractual restrictions
  • Overall Risk: LOW-MEDIUM (acceptable with current safeguards)

Transfer impact assessment details: Available on request via privacy@fololo.io


8.4 EU/UK Representative

Do we have an EU representative?

  • Not currently required (Article 27(2)(a) exception applies)
  • Rationale: Low-volume processing, low risk, no special categories of data

Re-assessment Trigger:

  • If EU-based tenants exceed 500, we will appoint an EU representative

8.5 Your Rights for International Transfers

  • Copy of SCCs: Request a copy at privacy@fololo.io
  • Object to Transfers: You can object to new sub-processors (30-day notice period)
  • Complaint to ICO: If you believe transfers violate GDPR

9. Contact Us

9.1 Data Protection Officer (DPO)

Email: privacy@fololo.io

Response Time: Within 48 hours (business days)

Responsibilities:

  • Data Subject Access Requests (DSAR)
  • Privacy complaints and inquiries
  • Sub-processor management
  • Supervisory authority liaison

9.2 General Support

Customer Portal: https://portal.fololo.io

API Documentation: https://iris.fololo.io/docs/api-reference

Security Issues: security@fololo.io (vulnerability reports)


9.3 Company Information

Legal Entity: Fololo Iris Ltd

Registration: United Kingdom (Private Company)

Registered Office: Registered office details are available on request via privacy@fololo.io

ICO Registration Number: Registration in progress; identifier will be published once assigned


10. Changes to This Privacy Policy

How We Update This Policy:

  • Material Changes: We'll email you 30 days before changes take effect
  • Version History: Maintained at bottom of this document
  • Effective Date: Updated at top of document

Recent Changes:

  • Version 1.1 (February 1, 2026): URL updates, retention clarifications, and publication metadata refresh
  • Version 1.0 (December 26, 2024): Initial comprehensive privacy policy (replaces interim privacy notice)

Your Rights:

  • If you disagree with changes, you can delete your account (see Section 5.2)
  • Continued use of service after 30-day notice period = acceptance of changes

11. Special Notes

11.1 Children's Privacy

We do NOT knowingly collect data from children.

  • ✅ Service is B2B only (cryptocurrency exchanges, 18+ users)
  • ✅ Age restriction: Must be 18+ to create account
  • ✅ If we discover a child's data was collected, we'll delete it immediately

11.2 Do Not Track (DNT)

We do NOT track users across websites.

  • ✅ No third-party advertising cookies
  • ✅ No cross-site tracking
  • ✅ DNT signals respected (no tracking to disable)

11.3 California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know:

  • Categories of personal information collected (see Section 1)
  • Categories of sources (you, blockchain data, logs)
  • Business purposes (see Section 2)

Right to Delete:

Right to Opt-Out of Sale:

  • We do NOT sell personal information (no opt-out needed)

Non-Discrimination:

  • ✅ We will not discriminate against you for exercising CCPA rights

How to Exercise CCPA Rights:


Our service may contain links to third-party websites (e.g., blockchain explorers, sub-processor privacy policies).

We are NOT responsible for:

  • ❌ Third-party privacy practices
  • ❌ Third-party data collection
  • ❌ Third-party security measures

We recommend:

  • ✅ Review third-party privacy policies before providing data
  • ✅ Exercise caution when clicking external links

Document Version History

| Version | Date | Changes | Author |
|---|---|---|---|
| 1.1 | February 1, 2026 | URL updates, retention clarifications, and publication metadata refresh | Data Protection Officer |
| 1.0 | December 26, 2024 | Initial comprehensive privacy policy (replaces interim notice from Week 0) | Data Protection Officer |
| 0.1 (Interim) | December 25, 2024 | Interim privacy notice (Week 0 risk mitigation) | Data Protection Officer |

Accessibility

This privacy policy is available in:

Accessibility Features:

  • WCAG 2.1 AA compliant (published to docs site)
  • Screen reader compatible
  • Printable format
  • Clear headings and table of contents

Publication Record

Document Status: ✅ Published

Published URL: https://iris.fololo.io/docs/privacy-policy

Publication Date: February 11, 2026


END OF PRIVACY POLICY

Questions? Contact us at privacy@fololo.io - we're here to help.