
Colabonate Privacy Policy

Effective Date: October 16, 2025
Version: 1.0


This Privacy Policy describes how Colabonate, operating as a Decentralized Autonomous Organization (DAO) via the Colabonate Codex Governance System (Codex), handles your personal data. Our approach rests on the principles of Sovereign Identity (SI) and Minimal Data by Design; the goal is maximum transparency and user control within a decentralized environment.

1. Effective Date & Overview

Plain Definition: This policy enters into force on the date specified above and serves to protect the personal data of our users within the Colabonate ecosystem. Unlike centralized systems, data processing primarily occurs through cryptographic protocols and decentralized computing units.
Legal Basis: Art. 12, 13, 14, 25 GDPR (duty to inform and data protection by design); Swiss FADP.
Technical Implementation: Colabonate core entities are the Codex (DAO) as the governance structure and the Sovereign Identity Framework (SI) as the decentralized identity layer.

2. Scope

Plain Definition: This policy applies to all interactions, services, web interfaces, and decentralized modules (Canisters/Smart Contracts) within the Colabonate network.
Legal Basis: Art. 4 Para. 1 and 2 GDPR (all processing of personal data).
Technical Implementation: The policy specifically covers the Colabonate Wallet, the Codex-based Smart Contracts, the Audio/Video/Chat System, the Ticket System, and the Proximity Proof Mechanism.

3. Consent

Plain Definition: Use of the Colabonate platform and its modules implies acceptance of this policy. As no central registration is required, consent is given by cryptographically signing user actions.
Legal Basis: Art. 6 Para. 1 lit. a and Art. 7 GDPR (requirements for consent).
Technical Implementation: Consent to specific data processing operations is provided through digital signatures generated via the SI Identity Layer (Wallet). Executing a Proximity Proof serves as a contextual consent mechanism for verifying presence, not for central identification.

4. Collection of Data

Plain Definition: Colabonate adheres to the principle of minimal data collection. Personal data is only collected with the user's explicit, cryptographically signed consent, or where strictly necessary to perform core decentralized functions.
Legal Basis: Art. 5 Para. 1 lit. c GDPR (data minimisation).
Technical Implementation: We collect and process the following types of metadata: Identity Proofs (cryptographic hashes and public keys of the SI Framework); Proximity Proof Metadata (timestamp and geographical proximity, never exact coordinates); Communication Data (end-to-end encrypted Nostr events, without content storage); Wallet & Payment Metadata (hash references to Bitcoin Lightning Network transactions); Governance Data (pseudonymous DAO votes).

5. Use of Data

Plain Definition: Processed data is used exclusively for the functionality, security, and governance of the decentralized network.
Legal Basis: Art. 6 Para. 1 lit. b and f GDPR (contract performance and legitimate interest: network security and functionality).
Technical Implementation: Data is used for verification of SI identities (zero-knowledge hash matches); interaction within the Codex System (transparent logging of governance actions); processing of peer-to-peer payments (routing via LN without Colabonate storing sensitive payment information); ensuring communication integrity (authentication of Nostr events); and DAO governance audits (traceability of voting processes).

6. Cookies & Local Storage Policy

Plain Definition: This policy differentiates between 1) local, user-controlled storage for managing Sovereign Identity (SI) and 2) traditional cookies required for the functionality of centralized components (website, forum). We do not use third-party cookies for tracking purposes.
Legal Basis: Section 25 TDDDG (formerly TTDSG; consent requirement for cookies), Art. 6 Para. 1 lit. f GDPR (legitimate interest in functional cookies).
Technical Implementation: SI Context Cache: local storage for managing SI keys and context. Functional Cookies (centralized services): when commenting, you may opt in to saving your name, email, and website in cookies (validity: 1 year). On login, temporary cookies are set to store your login information (validity: 2 days; with "Remember Me": 2 weeks) and your screen options. A cookie identifying the article being edited (validity: 1 day, no personal data) is set when you edit an article.

7. Integration of External Technologies

Plain Definition: The Colabonate ecosystem integrates various decentralized networks for computation, communication, and transaction handling.
Legal Basis: Art. 28 GDPR (data processor), where the decentralized nature of these protocols redefines the role of the "processor".
Technical Implementation: Internet Computer (ICP): storage and computation of smart contracts (Canisters); user data is persisted here only in encrypted or hashed form. Nostr: event-based peer-to-peer communication; Colabonate stores no central communication logs, only the metadata needed for event routing. Bitcoin Lightning Network (LN): transaction data is pseudonymous and is not linked with Colabonate SI identity data, to maximize financial privacy.

8. Third-Party Disclosure & Data Sovereignty

Plain Definition: Colabonate fundamentally does not disclose personal data to third parties, as the architecture is designed for data sovereignty. The user is the primary sovereign of their data.
Legal Basis: Art. 20 GDPR (right to data portability), Art. 5 Para. 2 GDPR (accountability).
Technical Implementation: Disclosure is only possible if it is legally required (while adhering to all cryptographic guarantees), legitimized by DAO governance (transparent consensus process in the Codex), or explicitly signed by the user (via the SI Consent Layer, for interaction with external services).

9. International Data Transfers

Plain Definition: Due to the decentralized Canister and Nostr relay infrastructure, processing naturally occurs across global jurisdictions. Compliance with the GDPR and Swiss FADP is ensured through technical mechanisms, regardless of physical location.
Legal Basis: Art. 44 ff. GDPR (safeguards for third-country transfers).
Technical Implementation: Every persistent data record is stored only in hashed or encrypted form (see Section 7). The architecture replaces trusted third parties with verifiable cryptographic proofs, representing an internationally recognized standard of protection.

10. Data Storage & Retention

Plain Definition: We store data according to the "Minimal Data by Design" principle and retain decentralized cryptographic data (hashes, proofs) only as long as necessary for Codex governance consensus or service functionality. Different retention periods apply to hybrid services.
Legal Basis: Art. 5 Para. 1 lit. e GDPR (storage limitation), Art. 6 Para. 1 lit. f GDPR (legitimate interest in comment history).
Technical Implementation: Decentralized data (SI, Codex): we store practically exclusively encrypted hashes or zero-knowledge proofs. Automatic deletion/fragmentation occurs once a governance audit is complete or the verification hash is no longer needed. Hybrid data (comments, forum): if you leave a comment, the comment and its metadata are retained indefinitely, so that follow-up comments can be recognized and approved automatically. For registered forum users, personal profile data is stored until the user requests deletion.

11. User Rights

Plain Definition: Users have comprehensive rights under the GDPR (access, rectification, erasure, restriction, data portability) and the FADP. How these rights are exercised differs between the decentralized SI framework and the hybrid services.
Legal Basis: Art. 15-22 GDPR (rights of the data subject).
Technical Implementation: Decentralized services (SI/Codex): through the self-managed Identity Layer (wallet interface), the user has the technical tools to erase data (by destroying the associated keys, which renders the data encrypted under them unrecoverable) and to transfer data. Anonymous or pseudonymous use of the modules is possible without mandatory central account creation. Hybrid services (forum/comments): users with a central account, and commenters, can request an exported file of the personal data we hold about them (right of access) and the erasure of all stored personal data (right to erasure), unless Colabonate is obligated to retain this data for administrative, legal, or security purposes.

12. Automated Decisions & Profiling

Plain Definition: Colabonate does not conduct centralized user profiling. Decisions affecting the user experience (e.g., participation in governance) are based on the transparent, algorithmic rules of the Codex.
Legal Basis: Art. 22 GDPR (automated individual decision-making).
Technical Implementation: Reputation scores and governance weightings are calculated exclusively contextually and decentrally via DAO mechanisms (smart contracts). The algorithm is transparently documented in the Codex, ensuring that no black-box decisions are made.

13. Data Security

Plain Definition: Our security strategy is based on cryptographic integrity and decentralization to protect data from unauthorized access, loss, or destruction.
Legal Basis: Art. 32 GDPR (security of processing).
Technical Implementation: End-to-end encryption (E2EE) across all communication channels (Nostr, audio/video). Multi-layer hash verification by the Codex to secure the authenticity of processed data. Zero-knowledge proofs for identity confirmation, eliminating the need to disclose identity details. Audit trails can optionally be stored on ICP on-chain anchors to allow immutable verification.

14. Children’s Privacy

Plain Definition: Colabonate is exclusively for adults. Use of the platform by persons under 18 years of age is prohibited.
Legal Basis: Art. 8 Para. 1 GDPR (conditions applicable to a child's consent).
Technical Implementation: Wallet creation requires confirmation of legal age. If Colabonate becomes aware of use by minors, it reserves the right to suspend the corresponding pseudonymous SI hashes in accordance with Codex rules.

15. Policy Updates & Governance

Plain Definition: Changes to this Privacy Policy may only be made through a consensus process of the Colabonate DAO. Transparency and immutability of every revision are guaranteed.
Legal Basis: Art. 5 Para. 1 lit. a and Para. 2 GDPR (transparency and accountability).
Technical Implementation: Policy changes are submitted as a proposal in the Codex Governance System and approved by vote. Every approved version receives a version number and a cryptographic hash identifier (CID), which guarantees the immutability of that version and makes it verifiable via IPFS/ICP.

16. Contact & Governance Node

Plain Definition: Since no central "Controller" exists, inquiries are primarily addressed through digital and decentralized channels.
Legal Basis: Art. 37 ff. GDPR (Data Protection Officer, contact point).
Technical Implementation: Data processing inquiries can be submitted via the Colabonate Ticket System, which forwards them pseudonymously to the responsible Governance Nodes. Legal inquiries or formal notices should be addressed to the official address of the DAO Legal Node, as documented in the current legal notice of the Colabonate Codex.

17. Hybrid Services: Presentation Website, Newsletter & Forum

Plain Definition: This section describes data processing that occurs outside the decentralized SI/Codex architecture, on centrally operated components (e.g., the presentation website, the forum, or the newsletter tool). In these cases the Colabonate DAO, through its Legal Node, acts as the data controller in the traditional sense.
Legal Basis: Art. 6 Para. 1 lit. a, b, f GDPR.
Technical Implementation: Processing occurs in traditional server environments under separate security measures.

17.1 Comments

Plain Definition: When visitors leave comments on our site, we collect the data shown in the comments form, and also the visitor's IP address and browser user-agent string to help spam detection. We send a hash (a pseudonym) derived from your email address to the Gravatar service to check whether you have a profile there. After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (consent upon submission), Art. 6 Para. 1 lit. f GDPR (legitimate interest: spam protection and comment functionality).
Technical Implementation: Gravatar: transmission of a SHA-256 hash of your email address to Automattic Inc. Such a hash is a pseudonym rather than anonymisation: the address itself is not sent, but anyone holding a candidate address can recompute the hash and confirm a match. Spam detection: use of an automated spam detection service to check visitor comments.

17.2 Media

Plain Definition: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS). Visitors to the website can download and extract any location data from these images.
Legal Basis: Art. 5 Para. 1 lit. a GDPR (transparency obligation).
Technical Implementation: Centrally hosted media may contain location data if the user does not remove it before upload. Colabonate does not extract or process this metadata, but it remains embedded in the stored file; Colabonate assumes no responsibility for publicly accessible metadata in uploaded files.

17.3 Embedded Content

Plain Definition: Articles on this site may include embedded content (e.g., videos, images, articles) from other websites. Embedded content behaves in exactly the same way as if the visitor had visited the other website. These external websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction if you have an account and are logged in to that website.
Legal Basis: Art. 6 Para. 1 lit. a GDPR (your interaction with such content is considered consent), Art. 6 Para. 1 lit. f GDPR (legitimate interest: delivery of third-party content).
Technical Implementation: Colabonate has no control over the data processing practices of the external providers of embedded content. Please refer to the respective privacy policies of these providers (e.g., YouTube, Vimeo).

17.4 Forum Registration and Administrators

Plain Definition: For users who register on our website (if any), we store the personal information they provide in their user profile (username, email, password hash).
Legal Basis: Art. 6 Para. 1 lit. b GDPR (contract for forum use).
Technical Implementation: All registered users can see, edit, or delete their personal information at any time (except that they cannot change their username). Website administrators can also see and edit that information.

17.5 Password Reset

Plain Definition: If you request a password reset, your IP address will be included in the reset email.
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest: ensuring security and preventing misuse of password resets).
Technical Implementation: Including the requesting IP address in the email serves as a security audit trail: the account holder can see where the request originated and recognize a reset they did not initiate.

17.6 Data Transmission

Plain Definition: Visitor comments are checked through an automated spam detection service, which involves the transmission of comment content and metadata.
Legal Basis: Art. 28 GDPR (processor), Art. 6 Para. 1 lit. f GDPR (legitimate interest: network protection).
Technical Implementation: Comment data is transmitted to the relevant spam detection service.