Everdust OÜ (“the Company”)

Privacy Policy

Effective date: 17.04.2024

Introduction

This Privacy Policy sets out the conditions of how we collect, use, store, transfer, and protect Personal Data when you access the Website and enter into the Token Purchase Agreement to purchase the right to a certain number of DUST Tokens, subject to a relevant Sale Round and individually determined conditions (hereinafter referred to as the “Token Purchase Agreement”).

For the purposes of this Privacy Policy, “we”, “us”, and “our” refer to Everdust OÜ, company number 16927064, having its registered address at Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, as the Controller of your Personal Data, and "you", “User”, "your" refer to you as to a Data Subject.

You agree that by accessing the Website and entering into the Token Purchase Agreement that you have read, understood, and agreed to be bound by this Privacy Policy.

If you disagree with this Privacy Policy, you are expressly PROHIBITED from accessing the Website and entering into the Token Purchase Agreement.

The headings within this Privacy Policy facilitate comprehension of each section's content and do not alter its substantive meaning. Instances where terms like "including" or "such as" are provided do not limit an exhaustive listing of all possible inclusions.

1. Terminology

Consent. Any freely given, specific, informed and unambiguous expression of the Data Subject's will to process personal data concerning him or her.

Controller. The natural or legal person (and others) who determines the purposes and means of Processing. For the purposes of this Privacy Policy, we are the Controller.

Cookie Policy. The agreement between you and us that describes how we use and process Cookies, available at: Cookie Policy.

Data Protection Authority. The public organisation or governmental body that protects the Data Subjects from unlawful Processing.

Data Subject. The natural person whose Personal Data is processed.

Legal Grounds for Processing. The legally defined grounds for which the Processing of Personal Data is permitted.

Personal Data. Any information relating to an identified or identifiable natural person.

Personal Data Breach: A security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

Processing. Any action or set of actions with Personal Data.

Processor. The natural or legal person who processes personal data on behalf of the Controller.

Profiling. Any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

Third-Party. Any person, except the Data Subject, us, and the Data Protection Authority, to whom the Personal Data is transferred.

Website. The website that is owned by us and is located at https://dust.space/.

2. Data Subject’s Rights

Right to access Personal Data. You can receive information regarding specific Personal Data we have collected about you as follows:

• Purpose of Processing;
• Categories of Personal Data concerned;
• Recipients of categories of recipients to whom the Personal Data has been, or will be, disclosed;
• The envisaged period for which the Personal Data will be stored or the criteria used to determine that period;
• The existence of the right to rectification, erasure, or restriction of Processing Personal Data concerning you or to object to such Processing;
• The right to lodge a complaint with a supervisory authority;
• Where Personal Data is not collected from you, any available information as to the source;
• The existence of any automated decision-making, including profiling as well as the significance and envisaged consequences of such Processing for you;
• Where Personal Data is transferred outside of the EEA (which consists of EU member states and Iceland, Lichtenstein, and Norway), you have the right to be informed of the appropriate safeguards in place and to request a copy of them.

Right to rectification of Personal Data. You can correct your Personal Data if it has been changed or incorrectly collected.

Right to erase (delete) Personal Data. If permissible under applicable law, we will stop processing your Personal Data and delete applicable personal data from information systems. We will notify you of our actions in response to this request.

Right to restrict the Processing of your Personal Data. If permissible under applicable law, you can temporarily restrict the Processing of Personal Data.

Right to Personal Data portability. You may receive Personal Data in a human and machine-readable format for transmission to another Controller.

Right to object. You may object to Personal Data Processing if we:

• Process Personal Data for direct marketing purposes, including profiling related to direct marketing.
• Process Personal Data that we consider necessary for our or a Third Party’s legitimate interest.

Right to reject automated individual decision-making (profiling). You shall have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects.

Right to withdraw consent. You can withdraw your consent on Personal Data Processing if we use this ground for Processing.

Right to opt-out from Marketing/Send Out. You can withdraw your consent on Personal Data Processing for marketing and send-out purposes.

Right to ask a question and/or make a claim on data Processing. You can ask us any question regarding Personal Data Processing or privacy legislation.

3. Principles Of Data Processing

We process Personal Data according to the following principles:

Lawfulness, Fairness, and Transparency. Personal Data must be processed lawfully, fairly, and transparently.

Purpose Limitation. Personal Data must be collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.

Data Minimization. Personal Data must be adequate, relevant, and limited to the purposes for which it is processed.

Accuracy. Personal Data must be accurate and, where necessary, kept up to date.

Storage Limitation. Personal Data should be stored only for the duration necessary to fulfil the purposes for which it was collected.

Integrity and Confidentiality. Personal Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful Processing and accidental loss, destruction, or damage.

4. Data Subject’s Rights Enforcement

Data Subject Request Form. You can enforce his rights using the following web form.

Verification Methods. The specific verification methods we use include:

• Request for information;
• Email verification.

Failed Verification. If you fail verification or we have reasonable personality doubts, we shall provide a response stating that we have doubts, explaining why we have these doubts, and explaining why, in this case, we cannot respond.

Successful Verification. We respond to the request if you successfully pass the data verification.

Inquiry in general. We provide a response to the information requested by you, depending on the type of inquiry.

5. Personal Data

Website Visit. When you visit the Website, you give us the Personal Data under the following conditions:

• Personal Data. This includes the version of a web browser, IP address, time zone, cookie information, what pages you view, search terms, and how you interact with the Website.
• Purpose of collection. To load the Website accurately, perform analytics on the Website usage, and optimise our Website.
• Source of collection. Collected automatically when you access our Website.
• Legal ground. Legitimate interest.
• Terms. We retain this Personal Data throughout your engagement with the Website and for a period of one year following the cessation of your engagement unless extended retention is necessitated by our legal obligations.

Registration. When you register the account on the Website, you give the Personal Data under the following conditions:

• Personal Data. Email, password, residence country
• Purpose of collection. To optimise the Website and enter into the Token Purchase Agreement.
• Source of collection. Collected from you.
• Legal Ground. Consent.
• Terms. We retain this Personal Data for the duration of the your account activity and for five years thereafter unless extended retention is required to fulfil our legal obligations.

The Token Purchase Agreement. To enter into the Token Purchase Agreement, you give the Personal Data under the following conditions:

• Personal Data collected. digital wallet public key, selfie, official ID information and documents, address confirmation information and documents.
• Purpose of collection. To enter into the Token Purchase Agreement.
• Source of collection. Collected from you.
• Legal ground. Performance of the Contract.
• Terms. We retain this Personal Data for five years after the termination of the Token Purchase Agreement unless extended retention is mandated by our legal obligations.

Customer Support Information. When you contact our customer support, you give us the Personal Data under the following conditions:

• Personal Data collected. The specific data retained may vary on a case-by-case basis but may encompass details such as name, email address, account information, digital wallet public key, ID and payment information.
• Purpose of collection. To provide information about the Website and the Token Purchase Agreement.
• Source of collection. Collected from you.
• Legal ground. Consent.
• Terms. We retain this Personal Data for five years unless extended retention is required to fulfil our legal obligations.

Other Conditions. These are other conditions apply to your Personal Data:

• Data source. We process Personal Data received from you.
• Profiling. We don’t use Profiling on you.
• Selling Personal Data. We will not sell your Personal Data without your consent.
• Account. You can delete your account via the deactivation page. Deleting the account results in the removal of all Personal Data unless its retention is required for a longer duration in accordance with our legal obligations.
• Transmission in general. We can transmit your Personal Data to Third Parties before or while performing the Token Purchase Agreement and according to law, court, or governmental body decision.
• Transmission in specific situations. We have the right to transfer your Personal Data by default to countries recognised by the EU Commission as providing adequate protection, generally or partially, in specific industries.
• Cookies. We use cookies in accordance with the Cookie Policy.

6. How We Share Your Personal Data

Third-Party Service Providers. We share the Personal Data we collect from or about you with Third Parties as described below.

• Google. To determine how many people visit our Website, better understand the areas of most significant interest to our visitors, and improve the overall experience, we reserve the right to have relationships with web analytics companies that compile this information for us. We engage Google Inc. to provide analytics services. For further information, consult the privacy policy http://www.google.com/intl/en/privacy.html.
• Amazon. We engage Amazon Web Services Inc. to perform reliable computing services, in particular Amazon Web Services. Please review the respective privacy policy at https://aws.amazon.com/privacy/?nc1=h_ls.
• PandaDoc. We engage PandaDoc, Inc. to perform electronic signature services to enable you to sign the Token Purchase Agreement. For further information, consult the privacy policy https://www.pandadoc.com/privacy-notice/.
• SumSub. We engage Sum and Substance Ltd. to conduct eligibility verification before you enter into the Token Purchase Agreement. For further information, consult the privacy policy https://sumsub.com/privacy-notice-service/.
• Synaps. We may also engage Synaps SAS to conduct eligibility verification before you enter into the Token Purchase Agreement. For further information, consult the privacy policy https://synaps.io/privacy-policy.
• Chainalysis. We engage Chainalysis Inc. to monitor and verify payment transactions for operational safety and regulatory compliance. For further information, consult the privacy policy at https://www.chainalysis.com/privacy-policy/.

Sale, Assignment, or Change of Control. We may change our ownership or corporate organisation while operating the Website or performing the Token Purchase Agreement. We may transfer some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets, or any line of business, change in ownership control, or financing transaction. Under such circumstances, we will request the acquiring party to follow the practices described in this Privacy Policy for previously collected information. Nevertheless, we cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat information about you in the same way as described in this Privacy Policy.

Law Enforcement, Legal Process, and Emergency Situations. We may also use or disclose the information we collect from or about you if required to do so by law or on the good-faith belief that such action is necessary to (a) conform to applicable law or comply with legal process; (b) protect and defend our rights or property, the Website, or our Users; (c) respond to a Third Party that alleges that you have infringed their intellectual property rights; or (d) act to protect the personal safety of us, Users of the Website, or the public.

7. How We Protect Personal Data

We maintain administrative, technical, and physical safeguards and measures designed to protect the Personal Data we have about you against accidental, unlawful, or unauthorised destruction, loss, alteration, access, disclosure, or use. This includes, but is not limited to, encrypted storage, role-based access, and secure document transmission protocols.

We have put in place procedures to deal with any suspected Personal Data Breach and will notify you and the Data Protection Authority of a breach where we are legally required to do so.

8. Data Breach Notification

Notifying the Data Protection Authority. We shall notify the respective Data Protection Authority within 72 hours after we become aware of the Data Breach and report the following information:

• The nature of the Data Breach.
• The responsible person's name and contact details from which more information can be obtained.
• The possible consequences of the Data Breach.
• The measures taken or proposed by us to address the Data Breach.

Notifying You. If a Data Breach may lead to a violation of your rights and freedoms or has a high risk of this, we shall immediately inform you of the fact of the Data Breach and report the following information:

• The nature of the Data Breach in clear and straightforward language.
• The responsible person's name and contact details from which more information can be obtained.
• The possible consequences of breaching the security of Personal Data.
• The measures taken or proposed by us to address the Data Breach.
• Useful tips and know-how to help you reduce the risks of a Data Breach.

Exemptions. We do not have to send the notification to you if any of the following conditions are met:

• We have implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Data Breach, in particular, those that leave the Personal Data inaccessible to any person who is not authorised to access it, such as encryption;
• We have taken subsequent measures that ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise; or
• It would involve a disproportionate effort to communicate with every Data Subject concerned. In such a case, there shall instead be public communication or similar measures whereby the Data Subjects are informed in an equally effective manner.

If we apply one of the exemptions, we must document the circumstances, reason for not informing, and actions taken to meet one of the exemptions.

Additional information can be found in our Data Breach Policy

9. Miscellaneous

Effective Date. This version of the Privacy Policy is valid from the Effective Date.

Changes. We may make changes from time to time without your consent. The new version of this Privacy Policy will be valid from the time of the changes noted at the beginning of this Privacy Policy.

Governing Law and Dispute Resolution. This Privacy Policy is governed by and construed in accordance with the laws of Estonia. All disputes or claims about this Privacy Policy must be resolved within 30 business days by amicable negotiations. Should attempts at amicable negotiation fail to resolve a dispute, the competent courts of Estonia, in accordance with Estonian law, shall be entrusted with its resolution.

Language. This Privacy Policy is available in English. If there are any differences between the English and any other translated versions, the English version shall prevail.

10. Questions And Concerns

If you have any questions about privacy and our Privacy Policy, please contact us through our support at support@dust.space.

You can make inquiries or complaints to Third Parties via any available means of contact on their websites. The timing and procedure for responding depend on their internal policies.

You can ask the Data Protection Authority any question about your personal data or complain through the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en. The timing and procedure for responding depend on the internal policies of the Data Protection Authority.