OneFamily.uno

Privacy Policy

Last updated: 24 May 2026

1. Privacy at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can personally identify you.

Data Collection on this Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the imprint of this website.

How do we collect your data?

Your data is collected in part by you providing it to us. This may include data that you enter into a contact form, for example. Other data is collected by our IT systems, automatically or with your consent, when you visit the website.

2. Hosting

This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Server location: Germany (EU).

The hosting provider collects the following data in log files:
- IP address
- Date and time of request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred
- Website from which the request originates
- Browser and browser version
- Operating system and its interface

3. General Information and Mandatory Disclosures

Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy.

Name and Address of the Controller

OneFamily.uno
Sole proprietorship
Florin Tudose
Am Hochgericht 1
96050 Bamberg
Germany
VAT ID: DE298621889
E-Mail:

Data Protection Officer

Florin Tudose
E-Mail:

4. Data Collection on this Website

Contact Form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Retention period: Until your inquiry is fully processed, then 30 days
Recipients: Web3Forms (GDPR-compliant form processing service)

Newsletter

If you would like to subscribe to the newsletter offered on the website, we require your email address as well as information that allows us to verify that you are the owner of the specified email address and agree to receive the newsletter.

Legal basis: Art. 6(1)(a) GDPR (consent)
Revocation: Possible at any time via unsubscribe link in the newsletter
Processing: Newsletter data is stored on a GDPR-compliant server

hCaptcha

We use hCaptcha (provider: Intuition Machines, Inc., USA) to protect against spam and abuse. When using hCaptcha, data is transmitted to servers in the USA.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Privacy Policy: https://www.hcaptcha.com/privacy

Waitlist Management (Brevo)

When you sign up for our waitlist, we use Brevo (provider: Sendinblue GmbH, Germany) to store and manage your contact information. Brevo is a GDPR-compliant email marketing platform with servers located in the EU.

Data collected: Email address (required), name, phone number, city, and your selected interests/roles
Legal basis: Art. 6(1)(a) GDPR (consent - provided when submitting the waitlist form)
Retention period: Until you unsubscribe from the waitlist or request deletion
Data location: EU servers (GDPR-compliant)
Privacy Policy: https://www.brevo.com/legal/privacypolicy/

5. Analytics Tools and Advertising

GoatCounter Analytics

This website uses GoatCounter, a privacy-friendly web analytics service. GoatCounter uses no cookies and does not collect personal data.

The following anonymous data is collected:
- Pages visited (URL)
- HTTP referrer (origin of visit)
- Browser and operating system (without version)
- Device type (desktop/mobile)
- Country (based on IP, but IP is not stored)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Special feature: Since GoatCounter does not use cookies and does not collect personal data, no consent is required
Privacy Policy: https://www.goatcounter.com/help/privacy

6. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR): Right to information about your stored data
  • Rectification (Art. 16 GDPR): Right to correction of incorrect data
  • Erasure (Art. 17 GDPR): Right to deletion of your data
  • Restriction (Art. 18 GDPR): Right to restriction of processing
  • Data Portability (Art. 20 GDPR): Right to data portability
  • Objection (Art. 21 GDPR): Right to object to processing
  • Complaint (Art. 77 GDPR): Right to lodge a complaint with a supervisory authority

To exercise your rights, please contact:

Competent Supervisory Authority

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Email:
Website: www.lda.bayern.de

7. Cookies

This website uses only technically necessary cookies that are required for the operation of the website. These are set without your consent as they are essential for the functionality of the website.

No tracking or marketing cookies are used.

8. SSL/TLS Encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar.

9. Poster Module — Third-Party Platform Integrations

The OneFamily.uno Poster module (poster.onefamily.uno) lets members publish their own content to third-party social media and email platforms. This section applies only if you choose to connect at least one of these platforms — it does not apply to members who use the core OneFamily.uno features only.

Lawful basis

We process data shared through the Poster module on the basis of your explicit consent (Art. 6(1)(a) GDPR), given each time you authorize a new platform via OAuth or by pasting a personal API key. You can withdraw this consent at any time by disconnecting the platform inside the Poster app.

Categories of data

When you connect a third-party platform, we store the following on our servers in Germany:

  • An OAuth access token (and refresh token where applicable), encrypted at rest, used only to publish content you author
  • The third-party platform's user ID, so we can route published content to the correct account
  • A list of the pages, organisations, lists, or groups you choose as publishing targets
  • The content you author (text, media, scheduled time) until it has been delivered to the platform

Third-party recipients

Once you choose to publish via a platform, the post content you author is transmitted to that platform's servers. Each platform is an independent controller for the data it processes after delivery.

  • Meta (Facebook, Instagram): post content + access token. United States. Transfer covered by the EU-US Data Privacy Framework.
  • LinkedIn: post content + access token. United States. Transfer covered by the EU-US Data Privacy Framework.
  • Mailchimp (Intuit): campaign content + access token. United States. Transfer covered by the EU-US Data Privacy Framework.
  • Meetup: event content + access token. United States. Transfer covered by Standard Contractual Clauses in Meetup's Data Processing Addendum.
  • Brevo (Sendinblue): campaign content + API key. France, EU. No international transfer.

International transfers

Where data is transferred outside the EU/EEA (Meta, LinkedIn, Mailchimp, Meetup), we rely either on the EU-US Data Privacy Framework or on Standard Contractual Clauses. You can request a copy of these safeguards by contacting us.

Retention

OAuth tokens and API keys are deleted immediately when you disconnect a platform or delete your OneFamily.uno account. Post and campaign history is retained for 12 months from the date of publication, then automatically purged by a weekly job. Operational logs that may contain pseudonymous references to platform connections (which user connected which platform and when) are retained for security and debugging purposes; these logs never contain access tokens or post content and rotate on a regular schedule.

How to revoke

You can disconnect any platform at any time from the Poster app's Connections screen. We will revoke the token at the platform side immediately and delete our local copy. You can also revoke access directly from the platform (e.g. in your Facebook Business Settings) — we detect this on the next API call and mark the connection as inactive.

10. Blockchain Storage and Encryption Keys

OneFamily.uno is building toward a blockchain-anchored economy (Polygon PoS) so that ORE token balances and reciprocity records can be independently verified. This section explains what we will write to chain, the immutability that comes with it, and how your encryption keys protect you. Today no data is on chain — smart contracts have not been deployed yet — but the disclosure below applies the moment they go live.

Today: nothing is on chain

As of this version of the privacy policy, no part of your data is written to any public blockchain. Everything described below is forward-looking and will apply once the smart contracts (OREToken, OREActivityTracker, OREMinting, OREVault) are deployed on Polygon PoS.

What will be written to chain once contracts are live

Only the minimum required for verifiable economic accounting:

  • ORE token balances — your aggregate received / usable / invested amounts, indexed by a hashed user identifier (not your email, name, or any other personal identifier)
  • Activity references — hashes of unlock activities (deeds, payments, invitations, welcome bonus) so they can be independently audited
  • Daily minting + age-backlog distributions — aggregated, pseudonymous

Blockchain entries are immutable

A core property of public blockchains is that entries cannot be deleted or altered after the fact. This means that even after you delete your OneFamily.uno account, the pseudonymous hashes and ORE balances written for you remain on chain. They are not personally identifiable on their own — without our database mapping, they are just numbers next to a hash.

Encryption and your keys

If a future feature ever encrypts personal content before writing it on chain, the encryption uses a key held by you (the user) — not by us. Deleting your copy of the key renders the corresponding on-chain entry cryptographically unreadable, even though the encrypted bytes themselves remain on the ledger. This is consistent with the GDPR concept of "crypto-shredding" recognised by EU data protection authorities.

Your right to download your keys before deletion

When you initiate account deletion, you are offered a download containing all your personal data plus your encryption public key and any blockchain identifiers we use for you. We strongly recommend you download this archive before confirming deletion — without it, you cannot later prove ownership of an on-chain entry. The download is also available at any time from your in-app Security settings.