Privacy Notice
- “World App Data” means all personal data collected and processed through your use of the World App, as defined further in Section 5 below, except any personal data related to your use of the Worldcoin protocol or the Worldcoin tokens (such as your wallet address and the transactional data, which we do not control).
- “Credential Verification Data” refers to the data processed when verifying a credential to add it to your self-custodial World ID. This means, e.g., reading the NFC chip of your passport to securely store your passport’s information on your device. This data is under your control and after verifying the validity of your credential, TFH stores an anonymized fragment of a hash value of a unique cryptographic signature of your credential (e.g. passport) to ensure that each credential can only be added to a World ID once.
- “Business data” means all personal data collected and processed through other means by our company when communicating or any other way working or interacting with us via email, video conferencing or our websites. For data processing in the context of the Orb App please refer to the Orb App Privacy Notice linked in the Orb App. For data processing in the context of dedicated data collection and testing please refer to the respective Collection and Testing Privacy Notice linked in your test app. For processing in the context of our website please refer to our Cookie Policy linked on our website.
- Our commitment to protecting your privacy and data
- Information we collect and why
- How we use the data we collect
- Where we process your data
- When we share your data
- How your data is recorded on public blockchain
- How we use cookies
- How long we keep your data
- How this Privacy Notice differs for children and teens
- The statutory rights you have
- How to contact us about this Privacy Notice
- Phone number. You may choose to enter your phone number to associate it with your account. With your permission, other users may be able to find your account through your phone number. We may require a phone number when you submit a data subject request. The legal basis for processing this data is performance of the Service under the User Terms.
- Username. You may link a username to your wallet address and change the username at any time.
- Date of Birth. You may disclose your date of birth to ensure compliance with age restriction requirements. We will never store your date of birth but only a checksum of that data and whether you are over 18 years of age or not.
- Feedback and correspondence from you. These include any emails, chat messages, or other communications that you send us via email or third-party social media websites. This may include processing email addresses or social media profile names if you seek to communicate with us through such means. We may use a third-party service provider to facilitate surveys about your use of our Services. The legal basis for processing this data is performance of the Service under the User Terms.
- Address book contacts. You may provide the App with access to your address book to enable the feature that makes it easy for you to find and interact with other users who may be in your address book. The legal basis for processing this data is the legitimate interest of the subject to be found within the App and the interest of the sharing user to find her contacts in the App.
- Location information. You may decide to enable a location-based service (such as a feature allowing you to find an Orb Operator near you). Only with your specific consent, we may then collect information about your location through GPS to enable the location based service to show you an Orb near you. You can change your permissions any time in your device's settings. If you are not based in South Korea we may also store your approximate location disassociated from your World App account. We use this data to improve our services particularly but not limited to the selection of Orb locations.
- P2P Marketplace. If you use the P2P Marketplace Services (where available) that allow you to purchase digital tokens from other users, then we may collect additional information such as your wallet address, your contact information (i.e. your phone number), and your account number associated with the transaction (such as your M-PESA number). We log the transaction data as part of providing the P2P Marketplace Services. We may also collect additional information to comply with applicable KYC requirements.
- Device metadata. If you are using the App we are collecting metadata from your device to ensure that the App is functioning properly and that you are not infringing our Terms and Conditions. This includes collecting device identifiers and IP addresses.
- Device World ID data. We also process your device metadata to calculate a unique device fingerprint. The hash of this fingerprint serves as the signal that proves the uniqueness for you with a device World ID.
- First and last name. We may process your first and last name to pursue the legitimate interest of maintaining and administering a business relationship with you.
- Email address. You may also provide your email to subscribe to our mailing list to stay up-to-date with the Worldcoin project. We may require your email when you submit a data subject request. We may process your email address to pursue the legitimate interest of maintaining and administering a business relationship with you.
- Phone number. We may process your phone number to pursue the legitimate interest of maintaining and administering a business relationship with you.
- Enterprise Data. If you have a business relationship with us (such as if you are an Orb Operator or a supplier), then we may require information such as names, mailing address, email, phone number, wallet address, and other documentation (such as your government ID) as part of furthering that business relationship and to satisfy our know-your-customers obligations. We may use third-party services, such as Onfido, to help us collect and review the information and documentation above to satisfy the know-your-customers obligations.
- Application data. If you want to work for us you have to send us your application that includes your cover letter and CV as well as the personal information you wish to disclose.
- Blockchain Data. We may analyze public blockchain data to ensure parties utilizing our Services are not engaged in illegal or prohibited activity under the User Terms, and to analyze transaction trends for research and development purposes.
- Identity Verification Services. We may obtain information from third-party services using your data to verify your identity if required by law (such as applicable know-your-customer requirements). To clarify, we do not use your biometric data when we verify your identity as required by law.
- Talent databases. We may collect data from various sources to make job offers to talented individuals.
- Online Identifiers: Geo-location and tracking details (see above), computer or mobile phone operating system, web browser name and version, and IP addresses. In very limited cases these data are also fed into our fraud and illicit financial flow detection. They also serve to provide a stable and fraud-free experience of our software.
- Usage Data: Authentication data, security questions, and other data collected via cookies and similar technologies.
- Cookies: small data files stored on your hard drive or in-device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. For the legal basis for processing this data, please refer to our Cookie Policy, where we explain the different kinds of cookies we are using.
- Transaction data
- Click-stream data
- Performance metrics
- Fraud indicators (although personal data is used for this purpose, too)
- To provide and maintain our products and services under the User Terms. These services include:
- The App where users can manage their World ID and digital tokens as well as learn about cryptocurrency in general and the Worldcoin project in particular;
- The Operator App where Orb Operators can manage and oversee their Orbs under management and their statistics;
- The P2P Marketplace where we connect users with agents (does not apply to users who are established or resident in Germany or have their habitual residence or registered office in Germany);
- To improve and develop our products and services, including to debug and repair errors in our Services.
- To conduct data science research.
- To analyze your use of our Services to provide better support.
- To enable you to publish information on a blockchain to prove your uniqueness.
- To use your wallet address to send you digital tokens we support.
- To comply with applicable law such as anti-money-laundering law and sanctions. This entails:
- Using your IP address to block individuals whose country does not allow them to access the Services;
- To answer data subject requests under the applicable data protection laws like requests for access or deletion;
- Monitor potentially illicit financial flows e.g. from blacklisted wallets; and
- To comply with applicable law such as regulations against illegal content.
- To handle your customer service requests, complaints and inquiries.
- To resolve disputes, troubleshooting issues, and enforcing our agreements with you, including this Privacy Notice and the User Terms.
- To contact you regarding updates to the Services.
- We check the validity of your credential (in the case of passports this works through your country's root certificate).
- We authenticate you as the rightful holder of the credential (for passports this works locally on your device through a photo of your face (selfie) that is never stored).
- We encrypt, sign and store your credential’s data in a secure environment on your device.
- We never have access to the personal information contained on your credential.
- You can then later selectively share this information with relying parties through the protections of the World ID protocol (e.g. you can prove that you are at least 18 years old without revealing your exact age or who you are).
- For passports, TFH only maintains an anonymized shard of a hash value of a unique cryptographic signature of your passport to ensure that each passport can only be verified once.
- While we do what we can to ensure that our subcontractors are contractually obligated to adequately protect your data, these subcontractors may not be subject to the data privacy law of your country. If the subcontractors were to illegally process your data without authorization, then it may be difficult to assert your privacy rights against that subcontractor. We mitigate this risk as we close strict data processing agreements with our subcontractors that oblige them to protect the data at a GDPR level and fulfill subjects’ requests.
- It’s possible that the data privacy law in your country is inconsistent with the data privacy laws in the U.S. or in the E.U. We always try to adhere to the highest standard of data protection we are subject to.
- It may be possible that your data will be subject to governmental access by officials and authorities. In those cases we have committed ourselves to challenge any invalid, overbroad, or unlawful governmental request for access in court. We further use advanced encryption to hinder unauthorized access.
- Share it in a reasonably secure way;
- Take steps to ensure that it is handled in a manner that is consistent with our commitment to your privacy; and
- Prohibit other companies from using it for their own purposes.
- With Worldcoin Foundation: we may act as Worldcoin Foundation processors for collecting personal data on behalf of Worldcoin (please check Worldcoin’s privacy notice for further information).
- Within our organization: We only disclose data to our team members who require access in order to perform their tasks and duties. We only disclose as much data as is needed to perform specific tasks and duties and have a system of strict access control.
- With vendors and service providers outside of our organization: We only disclose data to service providers whose services we rely on in order to process the data and provide our Services to you. We only disclose data with identity verification vendors if required by Law (i.e., know-your-customer requirements).
- The categories of such service providers are:
- Cloud service providers (all data types)
- SaaS providers; we use SaaS products in the following categories:
- Database and infrastructure management
- Data security
- Recruiting
- Communication
- Surveys
- KYC/KYB i.e. checking official documents
- Data subject request management
- Technical support
- User support
- External experts
- Specialist software developers
- Legal specialists
- Tax advisors
- Banks
- Labeling service providers (only under special safeguards)
- Background check services for applicants and Orb Operators
- With law enforcement, officials, or other third parties: We may disclose your data in order to comply with applicable laws and respond to mandatory legal demands. We will carefully consider each request to determine whether the request complies with the law and, where appropriate, we may challenge invalid, overbroad, or unlawful requests. We may share personal data with police and other government authorities where we reasonably believe it to be necessary to comply with law, regulation or other legal process or obligation.
- We may share your personal information if we believe that your actions are inconsistent with our User Terms, if we believe that you have violated the law, or if we believe it is necessary to protect our rights, property, and safety, our users, the public, or others.
- We may share your personal information with our lawyers and other professional advisors where necessary to obtain advice or otherwise protect and manage our business interests.
- We may share your personal information in connection with, or during negotiations concerning, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
- Data, including your personal information, may be shared between and among our current and future parents, affiliates, and subsidiaries and other companies under common control and ownership.
- We may share your personal information with your consent or at your direction.
- You have the right to obtain from us at any time upon request information about the personal data we process concerning you. You have the right to receive from us the personal data concerning you.
- You have the right to demand that we immediately correct the personal data concerning you if it is incorrect.
- You have the right to demand that we delete the personal data concerning you. These prerequisites provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, provided the requirements for deletion under the applicable laws are given (e.g. several jurisdictions’ laws oblige us to retain transaction information for a certain time period).
- You have the right to freely withdraw your consent to any data processing based on consent or to object to the data processing if it is not based on consent.
- You have the right to obtain from us at any time upon request information about the personal data we process concerning you within the scope of Art. 15 GDPR.
- You have the right to demand that we immediately correct the personal data concerning you if it is incorrect.
- You have the right, under the conditions described in Art. 17 GDPR, to demand that we delete the personal data concerning you. These prerequisites provide in particular for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the Member State to which we are subject.
- You have the right to demand that we restrict processing in accordance with Art. 18 GDPR.
- You have the right to receive from us the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 GDPR.
- You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Article 6 (1) sentence 1 lit. f GDPR, in accordance with Article 21 GDPR.
- You have the right to contact the competent supervisory authority in the event of complaints about the data processing carried out by the controller. The responsible supervisory authority is: the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutz).
- If the processing of personal data is based on your consent, you are entitled under Art. 7 GDPR to revoke your consent to the use of your personal data at any time with effect for the future, whereby the revocation is just as easy to declare as the consent itself. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
- When transferring data to a country that does not have an adequacy decision, we utilize the EU Standard Contractual Clauses. We are currently only transferring personal data to the USA.
- If the processing of personal data is based on your consent, you are entitled under Art. 7 GDPR to revoke your consent to the use of your personal data at any time with effect for the future, whereby the revocation is just as easy to declare as the consent itself. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. Please also note that processing that is not based on consent is not affected by withdrawing the consent.
Name of Recipient | Purposes of use by recipient | Items of personal information provided to the recipient | Periods of retention by the recipient |
Tools for Humanity GmbH | The purposes described in this notice in section 6 above. | The items described in this notice in section 5 above | The storage periods defined in this notice in section 11 above. |
ADDENDUM G - BRAZIL
G.1 Applicable legislation, Controller and Operator
If you reside in Brazil, if your personal data was collected in Brazil, or if you use our Services in Brazil, the applicable legislation is the Law No. 13,709/2018 (General Data Protection Law, or “LGPD”).
G.2 Right to object
You have the right to object to the use of your personal data for purposes that do not depend on consent if the purpose is inconsistent with the LGPD. If your objection is upheld, we will no longer use your personal information to develop and improve the features and experiences of our Services.
Note that if you do not provide or do not allow the collection or processing of certain personal data, it may affect the quality of your experience, we may not be able to fulfill the objectives of our Services, or we may not be able to provide certain Services to you.
In some cases, your data is anonymized, meaning it no longer identifies you. You cannot object to the use of anonymized data because it does not allow for your identification, as provided for in the LGPD. We use this anonymized data to improve our products and services.
G.3 The statutory rights under LGPD
According to the LGPD, you have the right to confirm the existence of processing, access, rectification, or request the portability of data processed. Moreover, you can request information of public and private entities with which we jointly use your personal data. You can also request information regarding the possibility of not giving consent and the negative consequences, and request the deletion of data processed with consent. You can choose the deletion of your information in the World App in the Settings menu.
Under certain circumstances, you have the right to object to or restrict how we process your personal data, or to withdraw your consent, which we rely on to process the information you provide.
You can exercise your rights under the LGPD by submitting a request to our DPO using the contact details in section H.4 below or through our online request portal. If you feel that your rights have not been adequately addressed, you can file a complaint with the Autoridade Nacional de Proteção de Dados Pessoais (ANPD) by completing the form available at this link: https://www.gov.br/anpd/pt-br/canais_atendimento/cidadao-titular-de-dados.
G.4 International Transfer of Your Personal Data
If the LGPD applies to you, and we have collected your personal data, we may also transfer it outside of the country. However, we will always ensure that your personal data is only transferred to foreign countries or international organizations that provide a level of protection adequate to that provided for in the LGPD, as recognized in adequacy decisions issued by the ANPD. In the absence of an adequacy decision, we will continue to follow a standard of protection that is at least equivalent to that provided for in the LGPD using Standard Contractual Clauses established in the ANPD's regulations or when we obtain your specific and highlighted consent for the international transfer.
Why we Process the Data | What Personal Data is Processed | Legal Ground for the Processing | Retention Period |
To create your account in World App | Wallet address, metadata, username | Performance of contract | Duration of the use of the services or until you request the deletion of the data. |
To ensure you are of eligible age | Date of birth | Legal obligation | Your exact date of birth is never stored. We only store whether you are 18. We store this information for the duration of the use of the services or until you request the deletion of the data. |
To optionally allow your contacts to easily communicate and transact with you | Phone number | Consent | Duration of the use of the services or until you request the deletion of the data. |
To enable you to easily communicate and transact with your contacts | Address book contacts | Consent | Duration of the use of the services or until you request the deletion of the data. |
To optionally show you Orbs near you | Location information | Consent | Up to 24 months. |
To prevent fraud in the context of account prevention | Metadata, IP address, Device ID | Legitimate interest, namely the interest to prevent certain types of fraud (LIST OF TYPES) | Up to 24 months. |
To ensure the service is permitted in your country | IP address, location information | Legal obligation | Up to 24 months. |
To display your self-custodial wallet and provide an interface for wallet transactions | Wallet address, transaction data | Performance of contract | No personal data is stored in this context. |
To display your self-custodial World ID and provide an interface for verifications | World ID information | Performance of contract | No personal data is stored in this context. |
To display your self-custodial Credentials and provide an interface for sharing the Credentials | Credential information, credential validity information | Performance of contract | No personal data is stored in this context. |
To analyze and improve our services and to conduct data science research | Usage data and metadata, public transaction data | Consent | Up to 24 months. |
To comply with applicable laws such as anti-money laundering law, and sanctions | Transaction data, wallet address | Legal obligation | Duration of the use of the services. |
To comply with applicable laws such as content regulations | Miniapp Content | Legal obligation | Duration of the use of the services. |
To enable communication and marketing | Email address, push notifications | Legitimate interest | Up to 24 months. |
 | Correspondence from you | Legitimate interest | Up to 24 months. |
 | Feedback from you | Legitimate interest | Up to 24 months. |
To handle your customer service requests, complaints and inquiries. | Communication information and email or social media profile name if you seek to communicate with us through such means | Performance of contract | |
To make sure the app is running smoothly for you | Metadata | Performance of contract | Up to 24 months. |
To verify your device | Device World ID data (device fingerprint) | Performance of contract | Duration of the use of the services. |
To resolve disputes, troubleshooting issues, and enforcing our agreements with you, including this Privacy Notice and the User Terms. | | | Duration of the use of the services. |
Why we Process the Data | What Personal Data is Processed | Legal Ground for the Processing | Retention Period |
Communication | Phone number, email address, Name | Legitimate interests, i.e. the interest to communicate with business partners. | Duration of the business relationship or until you request the deletion of the data. |
Maintaining and administering a business relationship | Phone number, email address, Name, enterprise data | Legitimate interests, i.e. the interest in maintaining and administering a business relationship with business partners. | Duration of the business relationship or until you request the deletion of the data. |
Fulfill KYC obligations | Passport data, Enterprise data | Legal obligation | Duration of the business relationship and up to 3 years after termination. |
To process your application | Application data | Consent and steps at the request of the data subject prior to entering into a contract. | Up to 3 months by default or longer if you agree to be part of a talent pool. |