Effective Date: 01/09/2023
1. Responsible Entity’s Name and Contact Information
Responsible for the processing of data on CREDEBL (Verifiable Credential & Decentralised Identity management platform) and ADEYA (Mobile Wallet App): Blockster Labs Private Limited (“Blockster”); A Company established under provisions of Companies Act 1956 of Government of India, and as amended further from time to time and having its registered office at 409, Navale ICON, Off. Mumbai-Bangalore Highway, Narhe, Pune, Maharashtra, 411021 India Email: firstname.lastname@example.org
Note: A data control officer has not been mandated by the Responsible Entity. If you have queries or wish to assert any of your legal rights regarding data protection, kindly get in touch with the Responsible Entity immediately.
2. Information on the Processing of Personal Data
CREDEBL Platform and ADEYA Mobile Wallet App are designed to prioritize user privacy. As a basic principle, no data is processed by Blockster when the platform and app are used. All data is securely stored only on the user’s end device, and Blockster does not have access to this data.
However, the platform and app are associated with a digital mailbox service (“Mediation Agent”) operated by Blockster. The installation ID of the user is saved and processed for the purpose of the mailbox service. This allows incoming messages to be properly assigned to the respective user. The incoming messages are encrypted and sent to the mailbox service, which then forwards them to the user’s platform and app. The recipient of the message receives a dedicated code from the mailbox service, which is linked to the installation ID.
The Responsible Entity cannot identify individual users or access the content of the messages since they are encrypted and decrypted only on the user’s end device. Once the messages have been properly sent to the platform and app, the mailbox service deletes them. The messages are held on the mailbox service until they can be delivered if the user’s platform and app aren’t accessible.
To enhance the user experience and improve platform & app functionality, automated crash reports may be generated in the event of errors or application crashes. These reports may include information such as the cause of the crash, error reports, and additional data like the date and time of the crash, device model number, installed operating system version, language settings, and the user’s country.
3. Legal Basis of the Processing
The processing of the installation ID is based on contractual purposes (Article 6(1)(b) of the General Data Protection Regulation - GDPR). The installation ID is automatically provided by Blockster for the functioning of the mailbox service. Without processing the installation ID, Blockster cannot assign or deliver incoming messages to individual users. The processing is necessary to fulfil the purpose of the contract, which involves the exchange of identity information.
Error analysis and other analyses are carried out in the legitimate interests of Blockster (Article 6(1)(f) GDPR). These analyses aim to ensure platform and app functionality and improvement. No automated decision-making is involved in these processes.
4. Recipients and Categories of Recipients
In general, data transfer to third parties (other than Blockster) does not occur and is not planned. However, data transfer may occur in specific cases when legally obligated or with user consent. Such cases may include:
- Public authorities and institutions (e.g., tax authorities, prosecution authorities, family courts, land registry offices) if legally or officially required for any purposes that is the interest of justice and so called upon by the appropriate legal authorities using the due course of procedure laid down by current provisions of law.
- Service providers engaged in order-processing relationships
5. Data Transfer to Third Countries
Data transfers to third countries do not occur.
6. Storage Duration
Blockster processes and stores personal data as long as it is required to fulfil contractual obligations and protect our rights. The Installation ID associated with your personal data is also deleted when you close or uninstall the platform and app, respectively, from your device.
7. Information about data subjects’ rights
As an affected person, the User has the following rights regarding how their personal data is processed:
Right of access (Article 15 GDPR) Right to rectification (Article 16 GDPR) Right to erasure (“right to be forgotten”) (Article 17 GDPR) Right to restriction of processing (Article 18 GDPR) Right to data portability (Article 20 GDPR) Right to object (Article 21 GDPR) Right to withdraw consent (Article 7 Para. 3 GDPR) Right to lodge a complaint with a supervisory authority (Article 77 GDPR) The User may reach out to us using the details listed in No. 1 to exercise these rights.
7.1 Right of access (Article 15 GDPR) The Right of Access means that the User has the right to request confirmation from the Responsible Entity as to whether their personal data is being processed. If the processing is taking place, the User also has the right to obtain information about their personal data and the details listed in Article 15 Para. 1 of the GDPR.
7.2 Right to rectification (Article 16 GDPR) The Right to Rectification means that the User has the right to request the correction of inaccurate personal data concerning them without undue delay. They also have the right to have incomplete personal data completed.
7.3 Right to erasure (“right to be forgotten”) (Article 17 GDPR) The Right to Erasure means that the User fundamentally has the right to request the deletion of their personal data without undue delay. The Responsible Entity is obligated to delete the personal data promptly if one of the reasons listed in Article 17 Para. 1 of the GDPR applies. For example, this can be the case if the personal data is no longer necessary for the purposes for which it was collected or processed (Art. 17 Para. 1 specified in a) GDPR).
If the Responsible Entity has made the personal data public and is required to erase it, they are also obligated to take reasonable measures, considering available technology and implementation costs, to inform other data processing responsible entities that are processing the personal data about the User’s request for erasure. This includes deleting any links to, copies of, or replications of the personal data.
However, the Right to Erasure (“right to be forgotten”) does not apply in certain circumstances, as stated in Article 17 Para. 3 of the GDPR. For example, the right may not apply if the processing of personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
7.4 Right to restriction of processing (Article 18 GDPR) The Right to Restriction of Processing means that the User has the right to request the restriction of processing their personal data under certain conditions listed in Article 18 Para. 1 of the GDPR. For instance, if the User disputes the accuracy of their personal data, they can request the restriction of processing while the Responsible Entity verifies the accuracy of the data.
7.5 Right to data portability (Article 20 GDPR) The Right to Data Portability grants the User the right to receive their personal data, which they have provided to the Responsible Entity, in a structured, commonly used, and machine-readable format. The User also has the right to transmit this data to another responsible entity without hindrance, provided that the processing is based on consent or a contract and is carried out by automated means.
Additionally, when exercising the right to data portability, the User has the right to have their personal data transmitted directly from the Responsible Entity to another responsible entity if technically feasible.
7.6 Right to object (Article 21 GDPR) As soon as possible after the initial contact, we let the User know about their right to object. The Right to Object applies in the following cases:
7.6.1 Right to object on grounds relating to the data subject’s specific circumstances The User has the right to object at any time to the processing of their personal data based on their individual circumstances or for reasons of public interest. Profiling based on these laws is likewise subject to this right. Unless the Responsible Entity can show compelling legitimate grounds for the processing that outweigh the User’s interests, rights, and freedoms, or if the processing is required for the establishment, exercise, or defence of legal claims, the Responsible Entity will stop processing personal data if the User objects due to their unique situation.
7.6.2 Right to object to direct marketing If the User’s personal data is processed for direct marketing purposes, they have the right to object to the processing of their personal data for such marketing. This right also applies to profiling related to direct marketing. If the User objects to the processing of their personal data for direct marketing purposes, the Responsible Entity will cease processing their personal data for those purposes.
7.7 Right to withdraw consent If the processing of personal data is based on the User’s consent, they have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal. Before providing consent, the User must be made aware of their right to do so.
7.8 Right to complain to a supervisory authority The User has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data infringes the provisions of the GDPR. The relevant supervisory authority for the Responsible Entity is the data protection supervisory officer of the Government of India.
8. Version and changes to this data protection information
The most recent update to this data protection information was made in September 2023. This data protection information might need to be updated as a result of technical developments, adjustments to the platform’s and app’s functioning, and/or changing regulatory and governmental regulations. The platform and app always have the most recent version of the data protection information.