DATA PROTECTION AND PRIVACY POLICY OF THE XAI FOUNDATION

 

Last updated : 12 April 2024

 

This Data Protection and Privacy Policy ("Privacy Policy") describes the policies we have implemented or will implement to collect, use, protect, and disclose any personal information or data we receive or collect when providing our services to you, including through the website (https://xai.games), the Gitbook (https://xai-foundation.gitbook.io), any subdomains of those websites, and our Services.

 

For the purposes of this Policy, "we", "us" or "our" means the Xai Foundation (the “Foundation”), a Cayman Islands foundation company, and our personnel, affiliates and related companies. "You” and “your” refers to you as the user of the Services. Capitalized terms have the meanings provided in the Definitions section of this Policy, elsewhere in this Policy, or in the Terms of Use. Please read the Terms of Use alongside this Privacy Policy.

 

Please read this Policy carefully. By using, accessing, connecting to, or downloading any of the Services, you agree and consent to the collection, use, protection, and disclosure of your information as described in this Policy. If you do not agree to this Policy, please do not use, access, connect to, or download any of the Services.

 1. INTRODUCTION

 

1.1 This Privacy Policy describes the Foundation’s collection and use of Personal Data; the circumstances under which the Foundation may share Personal Data; certain principles, rights, protections, and obligations with respect to Data Subjects; and the Foundation's safeguards to protect Personal Data.

 

1.2 This Privacy Policy takes into account the requirements of the Cayman Islands Data Protection Act 2021 ("DPA") and general Privacy Principles. In addition, individuals located in the European Union ("EU") and the United Kingdom ("UK") may also have rights under the EU General Data Protection Regulation 2016/679 and the UK General Data Protection Regulation (collectively the "GDPR"). Appendix 1 outlines the details of these additional rights.

 

2. DEFINITIONS

 

2.1Controller” means a natural or legal person, public authority, agency, or other body that, independently or jointly with others, determines the purpose and means of Processing Personal Data, as defined in Data Protection Laws. Controller shall refer to the Foundation, and with regard to certain Processes, the Foundation may act as joint Controller with a third-party.

 

2.2Data Protection Laws” refer to applicable privacy legislation, regulations, or codes issued by data protection regulators.

 

2.3Data Subject” means a natural person who can be identified, directly or indirectly, by reference to their Personal Data.

 

2.4 "Personal Data" as used in this Privacy Policy means information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable, and includes anything defined as personal information, personal data under the GDPR, personally identifiable information or similar terms under applicable law.

 

2.5Processing,” (or to “Process”) means obtaining, recording or holding Personal Data, or carrying out any operation or set of operations on Personal Data, including – organising, adapting or altering the personal data; retrieving, consulting or using the Personal Data; disclosing the Personal Data by transmission, dissemination or otherwise making it available; or aligning, combining, blocking, erasing or destroying the Personal Data.

 

2.6Processor” means a natural or legal person that Processes Personal Data on behalf of a Controller, including any third-party service providers, applications, or agencies, but, for the avoidance of doubt, does not include an employee of the Controller. A Processors’ activities are limited to the more “technical” aspects of a Process and do not include the exercise of professional judgment or significant decision-making in relation to Personal Data.

 

3. DATA PROTECTION PRINCIPLES

 

3.1 We are committed to processing data in accordance with its responsibilities under the Data Protection Laws, and in particular with the following principles:

 

(a) fair, lawful and transparent processing;

 

(b) collection for a specified, explicit and legitimate purposes and no further processing in a manner that is incompatible with the specified purposes;

 

(c) limitation to what is adequate, relevant and necessary in relation to the purposes for which the Personal Data are processed;

 

(d) keep Personal Data accurate and up to date;

 

(e) keep Personal Data only for as long as is necessary or legally required;

 

(f) process Personal Data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures;

 

(g) erocess Personal Data in accordance with the rights of the Data Subject; and

 

(h) ensure an adequate level of data protection when transferring Personal Data.

 

4. HOW WE COLLECT AND PROCESS PERSONAL DATA

 

4.1 We may collect and process Personal Data in a variety of ways when you access, use, connect to, or interact with the Services, including:

 

(a) When you voluntarily provide information to us on our website, or through our Services, or participate in any of our functions, events or activities online or in person;

 

(b) When you indirectly provide information to us while interacting with our Services, such as in online enquiries or

 

(c) When a third party service provider or data process collections Personal Information from you on our behalf, such as details of your sue of our website from cookie providers and marketing providers.

 

(d) When information is available from publicly available sources, such as information from social media accounts and providers, as may be relevant to your interactions with us.

 

5. PERSONAL DATA

 

5.1 The types of Personal Data we collect about you may include:

 

(a) your name;

 

(b) your contact details, including email address and name;

 

(c) your login-details with respect to any websites and applications;

 

(d) your social media handle;

 

(e) your Digital Wallet address, and public blockchain data;

 

(f) your credit card or payment details (through our third party payment processor);

 

(g) your preferences and/or opinions;

 

(h) information you provide to us through customer surveys;

 

(i) details of products and services we have provided to you and/or that you have enquired about, and our response to you, including any support requests and any bug reports;

 

(j) where you play games integrated with the Xai Network, your age and game progression data, such as your game saves and your achievements in the games;

 

(k) where you connect or use a digital wallet in conjunction with the Xai Network's products and services, the assets held in that wallet;

 

(l) your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour, your IP address, and demographic information;

 

(m) your connections with others whose personal information we may collect or hold;

 

(n) information about your access and use of our Services, including through the use of Internet cookies, your communications with our Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider;

 

(o) additional personal information that you provide to us, directly or indirectly, by submitting forms or through your use of our Services, associated applications, associated social media platforms and/or accounts from which you permit us to collect information;

 

(p) publicly available information from social media accounts, posts and profiles, where relevant to your interactions with us, or to our business or relationship with you;

 

(q) device information, such as mobile device type, mobile number, unauthorised third party applications (which allows us to identify whether our users are gaining an unfair advantage or cheating when using our games), and device specifications; and

 

(r) any other personal information requested by us and/or provided by you or a third party.

 

5.2 We may collect these types of personal information directly from you or from third parties. We may aggregate Personal Data for reporting, statistical and analysis purposes, and for business, product and service improvement purposes. This allows us to better inform ourselves and anticipate our users' preferences and requirements, and to monitor and improve the effectiveness of our business, products and services. We may also de-identify information for inclusion in such aggregated databases or reports.

 

6. COLLECTION AND USE OF PERSONAL DATA

 

6.1 We may collect, hold, use and disclose personal information for the following purposes:

 

(a) account creation and management;

 

(b) to enable you to access and use our Services, associated applications and associated social media platforms, and to personalise and customise your experiences using our Services;

 

(c) to enable you to perform transactions on the Services;

 

(d) where you are playing games connected to the Xai Network, to enable you to communicate with other Services users;

 

(e) to compare information for accuracy and verification purposes, including (where relevant to our Services) verifying your identity based on information you have provided to us;

 

(f) to contact and communicate with you about our Services;

 

(g) for analytics, market research and business development, including to operate and improve our Services, associated applications and associated social media platforms;

 

(h) to run promotions, competitions and/or offer additional benefits to you, and to measure the effectiveness of those activities;

 

(i) for advertising and marketing, including to send you promotional information about our products and services and information about third parties and their products and services related to the Xai network that we consider may be of interest to you;

 

(j) for internal record keeping, administrative purposes, invoicing and billing purposes;

 

(k) to carry out appropriate administration in relation to our investors and to communicate with regulators;

 

(l) to investigate, review, mitigate risks associated with, and inform you or appropriate authorities of, any data or other security breach involving your personal information;

 

(m) to comply with our legal obligations and resolve any disputes that we may have;

 

(n) to identify, prevent and respond to fraud and abuse, and otherwise protect our users, our property and our rights;

 

(o) if otherwise notified to you at the time of collection, or in accordance with any agreement you enter into with us.

 

7. LEGAL BASIS FOR PROCESSING PERSONAL DATA

 

7.1 We consider it necessary to collect and use your Personal Data for the purposes described, and we do so on the following legal bases:

 

(a) Consent: You as a Data Subject have agreed and consented to the Processing of your Personal Data for specified purposes.

 

(b) Contractual Necessity: Processing is necessary for the performance of a contract to which you as a Data Subject is party or for the Foundation or its service providers to responsibly enter into a contract.

 

(c) Compliance with Legal Obligations: Processing is necessary for compliance with a legal obligation to which the Foundation is subject.

 

(d) Vital Interests: Processing is necessary in order to protect the vital interests of you as a Data Subject or of another natural person.

 

(e) Public or Legitimate Interests: Processing is necessary for the performance of a task carried out in the public interest or is necessary for legitimate interests pursued by the Foundation or a third party, except where such interests are outweighed by your countervailing interests or fundamental rights and freedoms as a Data Subject and require protection of your Personal Data from Processing.

 

7.2 The Processing of Personal Data may be permissible under multiple of the above categories.

 

8. CHILDRENS’ PRIVACY AND DATA PROTECTION

 

8.1 Children under the age of eighteen (18) are not permitted to use the Services, and we do not seek or knowingly collect any Personal Data about children under eighteen (18) years of age. If we become aware that we have unknowingly collected information about any child under eighteen (18) years of age, we will make commercially reasonable efforts to delete such Personal Data and other information.

 

8.2 If you are the parent or guardian of a child under eighteen (18) years of age who has provided us with their Personal Data or other information, you may contact us to request that it be deleted.

 

9. YOUR RIGHTS AS A DATA SUBJECT

 

9.1 By notice in writing to the Controller, you may be entitled to receive, in an intelligible form, the Personal Data we hold about you; the legal basis for collecting that Personal Data; and any information available to us as to the source of that Personal Data, provided that the Personal Data can be disclosed without disclosing Personal Data of another Data Subject. We may require further information from you in order to be satisfied as to your identity, or in order to locate the information sought, and we are not obliged to provide you with Personal Data unless you satisfy our requirements. We will endeavour to respond to a request for Personal Data within 30 days.

 

9.2 By notice in writing to the Controller, you may be entitled to require us to cease processing, or not to begin processing, or to cease processing for a specified or purpose, or in a specified manner, your Personal Data. We shall comply with your request unless the Processing is necessary for the performance of a contract to which you are a party; the processing is necessary for compliance with any obligation to which you are subject; the processing is necessary in order to protect your vital interests; or the processing is necessary in such other circumstance as may be prescribed by regulations.

 

9.3 By notice in writing to the Controller, you may be entitled to correct any error or omission in your Personal Data in the possession of or under the control of the Foundation. As far as is practicable, we shall comply with your request, inform you of the correction and inform third parties to whom the data has been disclosed. We will make a reasonable effort to verify that your Personal Data Processed by or on behalf of the Foundation is accurate and complete. Personal Data is generally obtained directly from you as the Data Subject.

 

9.4 In the case of a known data breach involving any loss, misuse, or alteration of your Personal Data that is likely to result in a material risk to your rights and freedoms, and unless Data Protection Laws require otherwise, the Foundation will use reasonable endeavours to notify you and applicable supervisory or data protection authorities within five days barring exigent circumstances.

 

9.5 Further rights may apply to you under Data Protection Laws applicable in your jurisdiction.

10. DISCLOSURE OF PERSONAL INFORMATION TO THIRD PARTIES

 

10.1 The Foundation may transfer or provide access to your Personal Data, for legitimate purposes, to service providers across jurisdictions (including jurisdictions other than the jurisdictions applicable to you as a Data Subject) and entities in accordance with this Policy, data protection agreements, and intercompany agreements, all of which are intended to be aligned with Data Protection Laws applicable to you as a Data Subject. Without limitation, we may disclose personal information to:

 

(a) third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) IT service providers, data storage, web-hosting and server providers, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;

 

(b) third parties who integrate our Services into their own products and services, and who may in doing so use your personal information for their own purposes independently of Immutable in circumstances where we are not responsible for the independent use of your personal information by those third parties;

 

(c) our employees, contractors and/or related entities (this includes sharing personal information between companies within our group for use and disclosure as described in this Privacy Policy in relation to any Services they may provide to you);

 

(d) government agencies or identity verification service providers, who in turn may access third party databases, document issuers, official record holders, DVS and other sources in order to perform identity verification services;

 

(e) merchants and the recipients of digital assets to identify you as the sender of the assets and to a party who sends you digital assets in connection with a transfer to you of digital assets;

 

(f) our existing or potential agents or business partners;

 

(g) sponsors or promoters of any promotions or competition we run;

 

(h) anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;

 

(i) debt collection agencies, courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;

 

(j) courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;

 

(k) third parties that collect and process data to provide services to us, such as Google Analytics (see the "Cookies" section below for more information about Google's use of such data) or other relevant businesses; and

 

(l) any other third parties as required or permitted by law, such as where we receive a subpoena.

 

10.2 The Foundation does not allow Processors to Process your Personal Data for their own purposes and only permits them to Process your Personal Data for specified purposes and in accordance with the Foundation's instructions. However, the Foundation may share your Personal Data with third parties to Process on their own behalf. Such third parties would be considered joint Controllers of such Personal Data. Although joint Controllers have shared discretion over the purposes of Processing, all such Controllers should Process such shared Personal Data in accordance with Data Protection Laws applicable to you as a Data Subject. We shall provide you the names of the third parties Processing your Personal Data upon written request. We invite you to review the privacy policies of those third parties.

 

11. NOTE ON DATA TRANSFERS TO THE USA

 

11.1 Some of the third parties mentioned in this Privacy Policy are or may be based in the USA. There are or may be surveillance measures in place in the USA by US authorities, which allow the storage of all Personal Data of all persons whose data has been transferred to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criteria that would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes.

 

11.2 In the USA, Data Subjects may not have legal remedies that allow them to obtain access to the data concerning them and to obtain their correction or deletion. Similarly, there may be no effective judicial legal protection against general access rights of US authorities. Insofar as third-party recipients of Personal Data are based in the USA, the Foundation will use reasonable endeavours to ensure that your Personal Data is appropriately protected through contractual arrangements, but we make no guarantee.

 

12. SECURITY MEASURES TAKEN TO PROTECT PERSONAL DATA

 

12.1 The Foundation has implemented appropriate elements of privacy by design in conjunction with technical and physical safeguards to protect the security of Personal Data from unauthorized or unlawful Processing. The Foundation uses a number of systems and applications to protect Personal Data at all times.

 

12.2 In assessing the appropriate level of security as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, the Foundation assesses the risks presented by the Processing of Personal Data. Such risks may include, but are not limited to, any accidental, unlawful, or unauthorized destruction, loss, disclosure, alteration, or access to Personal Data Processed by or on behalf of the Foundation, or other factors that may impact Data Subject rights and freedoms. The Foundation shall make reasonable attempts to ensure that any risks presented by the Processing of Personal Data are sufficiently mitigated by technological and/or organizational controls, including limited access of Personal Data utilizing access controls and password protections.

 

13. THIRD PARTY WEBSITES AND SOCIAL MEDIA

 

13.1 Our websites may contain content and links to third-party websites and online platforms that are not owned, operated, or controlled by the Foundation, such as Twitter (X), Discord, or Medium, operated by third parties (collectively, “Social Media”). The Foundation is not responsible for the privacy practices of or the content displayed on such third-party websites and Social Media. If you follow links to sites not affiliated with or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee and are not responsible for the privacy or security of these sites, including the accuracy, completeness, or reliability of information found on these sites.

 

13.2 When engaging with the Foundation’s content on or through Social Media, on a third-party website, plug-in, or application, the Foundation may Process Personal Data associated with your account.

 

13.3 When you open a link to X or other Social Media used by the Foundation, a direct connection may be established between your browser and the server of the Social Media. This provides the Social Media with the information that you have visited our Website with your IP Address and accessed the link. If you access a link to a network while logged into your account on the network concerned, the content of our website may be linked to your profile on the network (i.e., the network may link your visit to our website directly to your user account). If you want to prevent this, you should log out before clicking on the relevant links. In any case, an association takes place when you log in to the relevant network after clicking on the link. If you click on one of these links, you thereby give your consent to the subsequent data Processing.

 

13.4 Certain transactions conducted via our Services will require you to connect a compatible third-party digital Wallet to the Services. By using such Wallet to conduct such transactions via the Services, you agree that your interactions with such third-party Wallets are governed by the privacy policy for the applicable Wallet, and you agree that you are using the Wallet in accordance with the terms and conditions of the applicable third-party provider of such Wallet. Wallets are not maintained or supported by, or associated or affiliated with, the Organization. We expressly disclaim any and all liability for actions arising from your use of third-party Wallets, including but without limitation, actions relating to the use and/or disclosure of personal information by such third-party Wallets.

 

14. WHEN VISITING OUR WEBSITES

 

14.1 When you visit our websites, our servers temporarily save each access in a log file. The following data may be collected without your intervention and stored by the Foundation until deletion, as is necessary in compliance with applicable laws: the IP address of the requesting computer; the name of your internet access provider (usually your internet access provider); the date and time of access; the name and URL of the retrieved file; the page and address of the website from which you were redirected to the website and, if applicable, the search term used; the country from which the website is accessed; the operating system of your computer and the browser you are using (provider, version and language); and the transmission protocol used.

 

14.2 The collection and processing of this data is carried out for the purpose of enabling the use of the website (connection establishment), to permanently guarantee system security and stability and to enable the optimization of our internet offer as well as for internal statistical purposes. Our legitimate interest in data processing lies in the purposes described above.

 

14.3 Only in the event of an attack on the network infrastructure or a suspicion of other unauthorized or abusive website use will the IP address be evaluated for the purpose of clarification and defence and, if necessary, used in the context of criminal proceedings to identify and take civil or criminal action against the users concerned. Our legitimate interest in data processing lies in the purposes described above.

 

15. COOKIES

 

15.1 When you browse, access and use our website, we may make use of the standard practice of placing tiny data files called cookies, flash cookies, pixel tags, or other tracking tools (herein, "Cookies") on your computer or other devices used to visit the website. Cookies are small bits of information that are automatically stored on the web browser of your device that can be retrieved by us. Further information can be found on https://allaboutcookies.org/.

 

15.2 The type of information we collect includes, but is not limited to, uniquely identifying visitor information and information related to your usage preferences. We use these technologies to help us recognise you as a user, collect information about your use of the website to better customise our services and content for you, and collect information about your computer or other access devices to ensure that your account security has not been compromised by detecting irregular or suspicious account activities. By using the Platform, you agree and understand that we may collect and/or transmit any data collected to our third party service providers, such as analytics providers, which may also make use of such technologies described above. If you block or delete cookies, we may not be able to provide you with all of the services on the website.

 

16. TRACKING TOOLS

 

16.1 We use various web analytics services to monitor activity on our websites, including but not limited to Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland or Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies. These generate information about your use of the website, such as:

 

(a) Navigation path that a visitor follows on the website;

 

(b) How long you spend on the website and subpages;

 

(c) The subpage from which you leave the website;

 

(d) The country, region or city from where you access the website;

 

(e) End device (type, version, color depth, resolution, width and height of the browser window);

 

(f) Returning or new visitor;

 

(g) Browser provider/version;

 

(h) The operating system used;

 

(i) The referrer URL (previously visited website);

 

(j) Host name of the accessing computer (IP address); or

 

(k) Time of the server request.

 

16.2 According to Google, this information is transmitted to servers in the U.S. and is stored there. However, according to Google, in the process, the IP Address is shortened by activating IP anonymization on the website before transmission within the EU. The anonymized IP Address transmitted by your browser as part of Google Analytics will not be merged with other Google data, according to Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the U.S. and shortened there. In these cases, we will use reasonable efforts to seek to ensure that Google implements a sufficient level of data protection by means of contractual representations and assurances, in particular by agreeing to the standard contractual clauses and additional measures in applicable jurisdictions.

 

16.3 This information may be used to evaluate the use of the website, to compile reports on website activities and to provide other services associated with website and internet use for the purposes of market research and demand-oriented design of the website. We may transfer this information to third parties where required to do so by law, or where such third parties process the information on our behalf. However, under no circumstances will an IP address be associated with other data relating to the user.

 

16.4 The legal basis for processing data for the above purposes is your consent, which you give us by accepting the Terms of Use of the website. You can revoke your consent at any time by contacting us.

 

17. REVIEW AND CHANGES TO THIS PRIVACY POLICY

 

17.1 The Foundation reviews this Policy at least annually and may update it, from time to time, to reflect changes in applicable Data Protection Laws and/or in the Foundation’s privacy or data-protection practices or security measures. If we make material changes to the Policy, we will update the “Last Revised” date at the top of this Policy, use reasonable efforts to notify you (such as by posting notice of such changes on the Services or by other means consistent with applicable law), and take additional steps as required by applicable law.

 

17.2 If you do not agree to any updates to this Policy, please do not access or continue to use the Services. The use of the Foundation’s website or our Services after any updates constitutes an acknowledgement of having read and understood the Policy.

 

18. IF YOU CONTACT US

 

18.1 You have the possibility to contact the Foundation, including via email and Social Media.

 

18.2 You are responsible for the messages and/or transmitted content that you send to the Foundation. The Foundation recommends that you do not send any confidential data. Personal Data is only collected if you provide it to the Foundation voluntarily. Therefore, you yourself are responsible for what data you transmit to the Foundation. In order to be able to answer your questions, the Foundation may ask you to provide additional information. The Foundation only collects Personal Data from you if this is necessary to answer your questions or to provide the services you have requested.

 

18.3 When processing your enquiries, the Foundation has a legitimate interest in data processing. You can object to this data processing at any time by contacting us.

 

19. CONTACT

 

19.1 Should you have any questions about our privacy or data-protection practices, your Personal Data, or this Policy, please contact us at [email protected]

 

19.2 If you have an unresolved privacy or data use concern that we have not satisfactorily addressed, please contact the data protection regulator in your jurisdiction.