Privacy Policy

This Privacy Policy describes how CommunityPool(“CommunityPool,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects personal information when you access or use the CommunityPool website, dashboard, smart-contract interface, APIs, and related services (collectively, the “Service”).

This Policy is incorporated into and forms part of our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

The Service is non-custodial: we do not hold your private keys or your funds. We do, however, collect personal information required to provide the Service, verify your identity, comply with law, and protect against fraud and abuse.

We collect the following categories of information.

(a) Information you provide directly

• Account information — email address, username, and any profile fields you choose to add (display name, address, phone number). The Service is passwordless: we authenticate you with email one-time codes or Google sign-in. We do not collect or store passwords.
• Identity-verification (KYC) information — full legal name, date of birth, residential address, phone number, and images of a government-issued identification document. KYC information may include sensitive personal information as defined under applicable privacy law.
• Wallet information — public wallet addresses you connect to or designate within the Service. We do not collect or store private keys or seed phrases.
• Pool-related information — pool addresses, pool configuration parameters, co-Owner addresses, and metadata you attach to a Pool.
• Communications — messages, support requests, feedback, and any other content you submit to us.

(b) Information collected automatically

• Device and connection information — IP address, browser type and version, operating system, device identifiers, referring URL, language preference, and approximate location derived from IP.
• Usage information — pages and features accessed, time stamps, session duration, error logs, and interaction events.
• Cookies and similar technologies — see Section 6.

(c) Information from third parties

• Identity-verification providers — verification results, risk scores, and metadata returned by our identity-verification provider when you complete KYC.
• Payment processor — for paid subscriptions, we receive billing status, last four digits of card, expiration date, and similar information from our payment processor. We do not receive or store full payment-card numbers.
• Public blockchain data — balances, transactions, and contract interactions associated with addresses you connect to or that we display in your portfolio.
• Fraud and compliance providers — sanctions screening, wallet-risk scoring, and similar signals from third-party providers.

We use the information described above to:

• Provide, maintain, and improve the Service, including authenticating sessions, presenting your portfolio, and recording your Pool activity;
• Verify your identity and meet our regulatory and contractual obligations, including KYC, sanctions screening, and recordkeeping;
• Process subscription payments and manage your account on the applicable tier;
• Detect, investigate, and prevent fraud, security incidents, prohibited activity, and violations of our Terms;
• Communicate with you about the Service, including service announcements, security notices, support responses, and — where you have consented or where permitted — marketing messages;
• Generate aggregated or de-identified analytics that do not identify you;
• Comply with applicable law, lawful requests from regulators or law-enforcement agencies, court orders, and our legal rights and obligations.

For users in the European Economic Area, the United Kingdom, or other jurisdictions with similar law, the legal bases on which we rely include performance of a contract (providing the Service), compliance with a legal obligation (KYC, sanctions, tax), legitimate interests (security, fraud prevention, product improvement), and consent (marketing, certain cookies). You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell your personal information. We share personal information only as described below.

• Service providers and processors. Hosting, database, authentication, identity verification, payments, customer support, email delivery, analytics, and security vendors that process personal information on our behalf under contract, including but not limited to our identity-verification provider, our payment processor, Supabase (authentication and database), our hosting provider, and our product-analytics provider.
• Legal and compliance.Regulators, courts, law-enforcement agencies, and other governmental authorities when required by law, in response to a lawful request, or to protect our or others’ rights, property, or safety.
• Corporate transactions. A successor entity in the event of a merger, acquisition, financing, reorganization, sale of assets, or insolvency. We will require any such successor to honor the commitments in this Policy.
• With your direction. When you direct us to share information — for example, by inviting a co-Owner to a Pool or publishing a portfolio link.
• Aggregated or de-identified information. Information that does not reasonably identify you, used for research, analytics, marketing, or product development.

We do not share personal information with third parties for their own marketing purposes without your consent.

When you deploy a Pool, fund a Pool, or sign any other transaction through the Service, the resulting transaction is broadcast to a public blockchain. The wallet address you used, the contract address, the asset and amount, the time of the transaction, and the link between funder and recipient are recorded permanently and publicly. Anyone with internet access and a block explorer can view this information.

Linking a wallet address to your account, your name, or other identifying information you provide to us increases the likelihood that on-chain activity associated with that address can be attributed to you by third parties — including chain analytics firms, regulators, and the public. You should consider this before connecting an address that you wish to keep private.

We and our service providers use cookies, local storage, and similar technologies to operate the Service, remember your preferences, maintain your session, prevent fraud, and measure performance. Some of these technologies are strictly necessary and cannot be disabled without breaking the Service. Others are optional and you may control them through your browser settings or any cookie-preferences interface we provide.

We do not currently respond to browser “Do Not Track” signals because there is no industry consensus on how to interpret them. Where required by law, we will honor recognized opt-out preference signals such as Global Privacy Control.

We retain personal information for as long as we need it to provide the Service, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements. Specifically:

• Account information is retained while your account is active and for a reasonable period after closure to allow for reactivation, dispute resolution, and audit;
• KYC information is retained for the period required by applicable anti-money-laundering and recordkeeping laws, typically at least five (5) years from the closure of your account or the date of the relevant transaction;
• Transaction and activity records are retained for accounting, tax, and audit purposes for the period required by law;
• Logs and security data are retained for the period necessary to investigate and respond to incidents.

On-chain data is permanent and outside our control; closing your account does not erase any data already recorded on a public blockchain.

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, access controls, authentication requirements, hardware-backed credential storage where available, monitoring, and vendor diligence.

No system is perfectly secure. You are responsible for keeping your account credentials, recovery factors, Wallet seed phrases, and devices secure, and for notifying us promptly at privacy@communitypool.app of any suspected unauthorized access.

We are based in the United States and may process personal information in the United States and in any country where our service providers operate. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in jurisdictions whose data-protection laws may differ from those of your country.

Where required by law, we use appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses or equivalent mechanisms.

Depending on where you live, you may have rights with respect to your personal information. Subject to verification of your identity and to limits set by law, these may include the right to:

• Access the personal information we hold about you and obtain a copy in a portable format;
• Correct inaccurate or incomplete information;
• Delete personal information, subject to our retention obligations and other legal exceptions;
• Restrict or object to certain processing, including processing based on legitimate interests;
• Withdraw consent where processing is based on consent;
• Opt out of the “sale” or “sharing” of personal information, and limit the use of sensitive personal information, where those concepts apply;
• Lodge a complaint with a supervisory authority in your jurisdiction;
• Be free from discrimination for exercising these rights.

To exercise any of these rights, contact us at privacy@communitypool.app. We may need to verify your identity before responding. You may also use an authorized agent to submit a request on your behalf, subject to applicable law. We will respond within the time required by law.

California residents: the categories of personal information described in Section 2 correspond to the CCPA categories of identifiers, customer records, characteristics of protected classifications, commercial information, internet or network activity, geolocation data, professional information (in limited cases), and inferences. We disclose personal information for the business purposes described in Sections 3 and 4. We do not sell personal information and do not knowingly share personal information for cross-context behavioral advertising.

The Service is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If you believe a minor has provided us with personal information, contact us at privacy@communitypool.app and we will take appropriate steps to delete it.

The Service integrates with and links to third-party services, including self-custodied wallets (such as MetaMask, Coinbase Wallet, and Binance Wallet), public blockchains, price oracles (including Chainlink), block explorers, KYC providers, and payment processors. We are not responsible for the privacy practices of those services. Their handling of your information is governed by their own privacy policies, and you should review them.

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will provide reasonable advance notice (for example, by email or through an in-app notice). Your continued use of the Service after the changes take effect constitutes acceptance of the revised Policy.

For privacy questions, requests, or complaints, contact us at:

Email: privacy@communitypool.app
Mail: CommunityPool, [Company mailing address]

If you are located in the European Economic Area or the United Kingdom and we are unable to resolve your concern, you may lodge a complaint with your local supervisory authority.