YieldX GDPR Policy

This GDPR Compliance Policy (“Policy”) explains how YieldX Foundation (“YieldX,” “we,” “our,” or “us”) collects, stores, processes, and protects the personal data of individuals located in the European Union (EU) or the United Kingdom (UK) in accordance with:

• The EU General Data Protection Regulation (Regulation (EU) 2016/679)
   
• The UK GDPR and UK Data Protection Act 2018
   
• Applicable local data protection laws
   

This Policy supplements the YieldX Privacy Policy and applies only to individuals located in the EU/UK whose data falls under these laws.

YieldX Foundation acts as the Data Controller for personal data processed in connection with the Platform.

Data Protection Contact:
📧 Email: privacy@yield-x.org

If YieldX appoints an EU or UK representative or Data Protection Officer (DPO), details will be added here.

We process personal data only where permitted under GDPR. Depending on context, the lawful basis may include:

Legal BasisExamples of Use CasesConsent (Art. 6(1)(a))Email newsletters, cookies, blockchain-related optional servicesContract (Art. 6(1)(b))Account creation, donation processingLegal Obligation (Art. 6(1)(c))Tax reporting, AML/KYC compliance, financial auditsLegitimate Interests (Art. 6(1)(f))Platform security, fraud monitoring, donor stewardshipPublic Interest/Nonprofit Purpose (Art. 6(1)(e)/(f))Philanthropic operations and reporting activities 

Where consent is the legal basis, Users may withdraw consent at any time.

YieldX may collect the following types of personal data:

• Identity Data: name, date of birth (if required for compliance)
   
• Contact Data: email address, physical address, phone number
   
• Financial and Donation Data: donation history, amounts, gift receipts
   
• Payment Information: processed via secure third-party processors (YieldX does not store full payment credentials)
   
• Compliance Data: identity verification documents (AML/KYC)
   
• Digital Interaction Data: IP address, device fingerprint, cookies, usage logs
   
• Optional Blockchain Interaction Data: public wallet addresses, transaction hashes
   

We do not use personal data for automated decision-making that produces legal or significant effects without human review.

Personal data may be used to:

• Process donations and issue tax receipts
   
• Manage donor accounts and communications
   
• Provide transparency on impact reporting
   
• Support blockchain-based reward or recognition systems (optional)
   
• Fulfill legal, tax, audit, and regulatory reporting requirements
   
• Improve platform functionality, accessibility, and security
   

YieldX does not sell personal data.

YieldX may share data only where necessary and legally justified with:

• Payment processors
   
• AML/KYC verification services
   
• Cloud hosting providers
   
• Auditors and regulatory bodies
   
• Government authorities where legally mandated
   

All third parties must adhere to GDPR-compliant data processing agreements (DPAs).

If data is transferred outside the EU/UK, we use approved safeguards such as:

• Standard Contractual Clauses (SCCs)
   
• UK International Data Transfer Addendums (IDTA)
   
• Adequacy decision frameworks
   
• Encryption and pseudonymisation where technically possible
   

If a donor opts into blockchain-based features, they acknowledge:

• Blockchain networks may store data immutably and outside EU jurisdiction.
   
• Wallet addresses may be considered personal data when linked to a user account.
   
• Users may request pseudonymisation where feasible, but blockchain records may not be fully erasable.
   

Participation in blockchain features is optional.

Personal data is retained only for lawful periods including:

• Financial records: up to 7–10 years, depending on jurisdiction
   
• AML/KYC compliance data: per legal requirement
   
• User accounts: until request for deletion, unless retention is required by law
   

Immutable blockchain records cannot always be deleted; however, identifiable links may be removed or anonymized.

EU/UK users have the following rights:

RightDescriptionRight of AccessRequest a copy of your personal dataRight to RectificationRequest corrections to inaccurate dataRight to Erasure (“Right to Be Forgotten”)Request deletion, subject to legal exemptionsRight to Restrict ProcessingPause processing while a request is reviewedRight to Data PortabilityReceive copies in a machine-readable formatRight to ObjectObject to certain processing based on legitimate interestRight to Withdraw ConsentStop any processing based solely on consentRight Not to Be Subject to Automated ProfilingRequest human review where applicable 

Requests will be completed within 30 days, with an extension to 90 days where justified.

YieldX does not knowingly collect personal data from individuals under 18 years of age.
If such data is discovered, we will take lawful steps to remove it.

We employ:

• Encryption of data in transit and at rest
   
• Role-based access controls
   
• secure key management (where applicable)
   
• Contractual vendor compliance auditing
   

No system can be 100% secure, but we maintain compliance with industry and nonprofit standards.

We may update this Policy periodically. Material changes will be communicated via website notice or email.

If you believe your rights have been violated, you may contact:

• YieldX Data Protection Officer (details above)
   
• Your local Data Protection Authority
   
• The UK ICO (if applicable)