Privacy Policy

Effective Date: June 15, 2025

Last Updated: June 15, 2025


1. Introduction

This Privacy Policy ("Policy") outlines how Bastion Genossenschaft ("Bastion," "we", "us", or "our") collects, uses, processes, stores, and protects your personal data. It applies to all personal data collected through our business operations, services, website, and third-party providers.

Bastion is committed to safeguarding your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation ("GDPR") (EU 2016/679), the Liechtenstein Data Protection Act (2019), and other relevant regulations. This Policy provides transparency about our data practices and your rights regarding your personal data.

If you have any questions about this Policy, please contact us using the details in Section 3.

2. About Bastion

2.1. Who We Are

Bastion Genossenschaft is a cooperative registered in Liechtenstein on 31 August 2022 under the Liechtenstein Persons and Companies Act (Art. 483 para 1a PGR). Our registered office is located at: Schaanerstrasse 27, 9490 Vaduz, Liechtenstein.

We partner with global organisations in industries such as software development, cybersecurity, legal services, financial services, and strategic consulting to deliver innovative solutions.

2.2. What We Do

Bastion develops and maintains the Polity Network, a decentralised marketplace for on-chain finance. The Polity Network integrates decentralised and centralised applications, offering secure, scalable, and user-friendly infrastructure for high-value financial services.

As part of the Polity Decentralised Network Organisation ("Polity DNO"), Bastion is governed by the Polity Professional Decentralised Autonomous Organisation ("Polity pDAO®"), ensuring transparency and community-driven decision-making. For more information, visit the Polity website.

3. Contact Information

For inquiries or concerns about your personal data, please contact:

General Enquiries:

  • Email: privacy@bastion.li
  • Post: Bastion Genossenschaft, Schaanerstrasse 27, 9490 Vaduz, Liechtenstein
    Attention: Management Board

Data Protection Officer ("DPO"):

  • Email: laurent@cryptocommunity.ch
  • Post: Data Protection Officer, Bastion Genossenschaft, Schaanerstrasse 27, 9490 Vaduz, Liechtenstein

Supervisory Authority:

  • Liechtenstein Data Protection Authority
    Address: Städtle 38, 9490 Vaduz, Liechtenstein
    Website: www.datenschutzstelle.li

4. Legal Framework and Compliance

Bastion adheres to a robust framework of data protection laws and industry standards, including:

  • General Data Protection Regulation (GDPR) (EU 2016/679)
  • Liechtenstein Data Protection Act (2019)
  • Liechtenstein Privacy Regulation (2019)
  • Digital Advertising Alliance ("DAA") self-regulatory principles
  • European Interactive Digital Advertising Alliance ("EDAA") guidelines
  • ISO/IEC 27001 standards for information security management (where applicable)

We regularly review our practices to ensure compliance with evolving legal and regulatory requirements.

5. Categories of Data Subjects

We collect and process personal data from the following groups:

5.1. Website Visitors

Individuals who visit our website, engage with our social media platforms (e.g., LinkedIn, Twitter), or interact with our digital properties.

5.2. Members

Individuals who join Bastion’s cooperative or the Polity Community, including those who register for membership or participate in community activities.

5.3. Builders

Developers, contractors, and professionals contributing to the Polity Network, including those subject to Anti-Money Laundering ("AML") and Know Your Customer ("KYC") compliance processes.

5.4. Delegates

Employees or representatives of third-party organisations collaborating with Bastion on projects or services.

5.5. Business Contacts

Individuals or representatives of partner organisations, vendors, or service providers with whom we maintain professional relationships.

6. Types of Personal Data We Collect

We collect various categories of personal data depending on your relationship with us:

  • Identity Information: Full name, date of birth, nationality, government-issued identification (e.g., passport or ID number).
  • Contact Information: Email address, postal address, phone number, social media handles.
  • Professional Information: Job title, employer details, professional qualifications, CV or resume, LinkedIn profile.
  • Financial Information: Bank account details, cryptocurrency wallet addresses, transaction history (where applicable).
  • Technical Information: IP address, browser type and version, operating system, device identifiers, geolocation data.
  • Communication Records: Emails, chat messages, meeting notes, support tickets, and other correspondence.
  • Blockchain-Related Data: Public wallet addresses, transaction metadata, or other data associated with on-chain activities (where relevant).
  • Usage Data: Information about how you interact with our website, services, or applications, including clickstream data and page views.

We only collect data that is necessary for the purposes outlined in this Policy.

7. How We Collect Personal Data

We collect personal data through the following methods:

  • Direct Collection: Data you provide when registering for membership, submitting forms, contacting us, or using our services.
  • Automatic Collection: Data gathered through cookies (if enabled in the future), analytics tools, or server logs during your interaction with our website or services.
  • Third-Party Sources: Data from KYC/AML service providers, public databases, blockchain explorers, or business partners.
  • Professional Networks: Data from platforms like LinkedIn or GitHub, where relevant to professional engagement.
  • Blockchain Transactions: Data derived from on-chain activities within the Polity Network, such as public wallet addresses or transaction records.

8. Purposes of Data Processing

We process personal data for the following purposes:

8.1. Legal and Regulatory Compliance
  • Conducting AML/KYC checks to prevent fraud and comply with financial regulations.
  • Fulfilling tax, audit, and reporting obligations.
  • Responding to lawful requests from regulatory or law enforcement authorities.
8.2. Business Operations
  • Managing membership accounts and community participation.
  • Facilitating collaboration within the Polity Network and with external partners.
  • Recruiting and onboarding talent for projects.
  • Administering contracts with builders, delegates, and service providers.
8.3. Financial Management
  • Processing payments, subscriptions, or donations.
  • Maintaining accurate financial records for audits and compliance.
  • Performing due diligence for financial transactions, including blockchain-based activities.
8.4. Communication and Engagement
  • Responding to inquiries, support requests, or feedback.
  • Sending updates, newsletters, or project announcements (with your consent).
  • Facilitating collaboration between community members, builders, and stakeholders.
8.5. Service Improvement
  • Analysing usage data to enhance our website, services, and user experience.
  • Conducting research and development to improve the Polity Network’s functionality.
8.6. Security and Fraud Prevention
  • Monitoring for unauthorised access or suspicious activity.
  • Protecting the integrity of our systems and the Polity Network.

9. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR:

  • Consent (Art. 6(1)(a)): Where you explicitly agree to data processing (e.g., for newsletters or marketing).
  • Contractual Necessity (Art. 6(1)(b)): To fulfill our obligations under a contract or to take pre-contractual steps (e.g., onboarding members or builders).
  • Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, such as AML/KYC requirements or tax regulations.
  • Legitimate Interests (Art. 6(1)(f)): For purposes such as improving services, ensuring security, or managing business operations, provided your rights are not overridden.
  • Public Interest (Art. 6(1)(e)): In rare cases, to perform tasks in the public interest, such as cooperating with authorities.

We will inform you of the specific legal basis for processing when collecting your data.

10. Data Sharing and Disclosure

We may share your personal data with the following recipients, subject to strict safeguards:

10.1. Regulatory and Government Authorities
  • Tax authorities, financial regulators, or law enforcement agencies, as required by law.
  • Liechtenstein Data Protection Authority or other supervisory bodies during audits.
10.2. Business Partners
  • Members of the Polity DNO for collaborative projects.
  • Professional service providers (e.g., legal counsel, accountants, consultants) bound by confidentiality agreements.
10.3. Service Providers
  • KYC/AML compliance providers for identity verification.
  • Payment processors and financial institutions for transaction processing.
  • Cloud hosting, IT, and cybersecurity providers (e.g., AWS, Google Cloud) with GDPR-compliant agreements.
10.4. Professional Advisors
  • External auditors, compliance consultants, or legal advisors assisting with regulatory obligations.
10.5. Blockchain Networks
  • Public blockchain data (e.g., wallet addresses or transaction records) may be visible to participants in the Polity Network, as inherent to decentralised systems.

Important: We do not sell, rent, or share your personal data for marketing purposes without your explicit consent. All data sharing complies with GDPR and Liechtenstein data protection laws.

11. International Data Transfers

As a global organisation, we may transfer personal data outside the European Economic Area ("EEA"). When doing so, we implement safeguards to ensure compliance with GDPR, including:

  • Adequacy Decisions: Transferring data to countries recognised by the European Commission as providing adequate protection.
  • Standard Contractual Clauses ("SCCs"): Legally binding agreements with recipients to ensure GDPR-compliant data handling.
  • Binding Corporate Rules ("BCRs"): Internal policies for intra-group transfers (where applicable).
  • Certification Schemes: Compliance with recognised data protection frameworks, such as the EU-U.S. Data Privacy Framework (if applicable).

We assess all international transfers to ensure your data remains protected.

12. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. Retention periods vary based on:

  • Legal Requirements: E.g., AML/KYC data may be retained for 5 - 10 years under Liechtenstein law.
  • Contractual Obligations: Data related to memberships or contracts is retained for the duration of the relationship plus a reasonable period.
  • Business Needs: Usage data for analytics may be retained for up to 2 years.
  • Consent-Based Processing: Data processed with your consent is deleted upon withdrawal of consent, unless otherwise required.

After the retention period, we securely delete or anonymise your data using industry-standard methods. Blockchain data, due to its immutable nature, may persist publicly but will not be linked to your identity where possible.

13. Data Security

We implement robust technical and organisational measures to protect your personal data, including:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256).
  • Access Controls: Role-based access to systems, with multi-factor authentication ("MFA").
  • Regular Audits: Security assessments and penetration testing to identify vulnerabilities.
  • Incident Response: A dedicated protocol for detecting and responding to data breaches.
  • Staff Training: Ongoing education on data protection and cybersecurity best practices.

In the unlikely event of a data breach, we will notify you and the Liechtenstein Data Protection Authority within 72 hours, as required by GDPR.

14. Your Data Protection Rights

Under GDPR and Liechtenstein law, you have the following rights:

14.1. Right of Access

Request details about the personal data we hold and how it is processed.

14.2. Right to Rectification

Request correction of inaccurate or incomplete data.

14.3. Right to Erasure ("Right to Be Forgotten")

Request deletion of your data, subject to legal or contractual limitations.

14.4. Right to Restrict Processing

Request that we limit processing of your data in certain circumstances.

14.5. Right to Data Portability

Receive your data in a structured, machine-readable format or have it transferred to another organisation.

14.6. Right to Object

Object to processing based on legitimate interests or for direct marketing.

14.7. Right to Withdraw Consent

Withdraw consent at any time, without affecting prior processing.

14.8. Right to Non-Discrimination

We will not discriminate against you for exercising your rights.

14.9. Right to Lodge a Complaint

File a complaint with the Liechtenstein Data Protection Authority or your local supervisory authority.

15. Exercising Your Rights

To exercise your rights, contact our Data Protection Officer at laurent@cryptocommunity.ch or via post (see Section 3). We will:

  • Respond within one month (extendable by two months for complex requests).
  • Verify your identity to ensure security.
  • Provide information free of charge, unless requests are repetitive or excessive.

If we cannot fulfill your request (e.g., due to legal obligations), we will explain why.

16. Cookies and Tracking Technologies

As of June 15, 2025, our website does not use cookies, tracking pixels, or similar technologies. If we introduce such technologies in the future, we will:

  • Update this Policy to reflect the change.
  • Provide clear notice and obtain your consent where required.
  • Offer options to manage or disable tracking via a cookie banner.

17. Third-Party Links

Our website and services may include links to third-party websites or platforms (e.g., LinkedIn, GitHub, or partner sites). These sites have their own privacy policies, which we do not control. We recommend reviewing their policies before sharing personal data.

18. Special Considerations for Blockchain Technology

The Polity Network operates on decentralised blockchain infrastructure, which has unique implications for data processing:

  • Public Data: Transaction data, wallet addresses, and smart contract interactions may be publicly visible on the blockchain and cannot be erased due to immutability.
  • Pseudonymity: We minimise the link between blockchain data and your personal identity, using pseudonymous identifiers where possible.
  • Consent: Participation in blockchain-based services implies consent to public data processing, as outlined during onboarding.

We take steps to ensure GDPR compliance for blockchain activities, including data minimisation and secure key management.

19. Children’s Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware of such data, we will delete it immediately. Please contact us if you believe we have inadvertently collected data from a minor.

20. Changes to This Policy

We may update this Policy to reflect:

  • Changes in laws or regulations.
  • Updates to our services or business practices.
  • Technological advancements (e.g., new blockchain or AI tools).
  • Feedback from users or supervisory authorities.

Material changes will be communicated via:

  • Posting the updated Policy on our website.
  • Email notifications to registered users.
  • Prominent notices on our platform or services.

We encourage you to review this Policy periodically.

21. Effective Date and Version Control

Effective Date: June 15, 2025  

Document Version: 2.0  

Next Review Date: June 15, 2026

The latest version of this Policy is available at www.bastion.li/privacy.

For any questions, please contact us at privacy@bastion.li.