Privacy Policy
Effective date: 01.09.2023
Last update: 29.06.2026
1. Data controller
Etherna SA, Via Rava 13, 6974 Aldesago (Lugano), Switzerland — CHE-315.583.090. Contact for privacy matters and to exercise your rights: [email protected].
Internal data-protection contact: Mirko Da Corte ([email protected]). Etherna manages compliance internally; no external consultant is appointed (the data-protection adviser under art. 10 FADP is optional).
2. Scope and applicable laws
This policy describes the processing of personal data of users of Etherna's services (the etherna.io website, Etherna SSO authentication, the gateway and related services — the "Service"). The Swiss Federal Act on Data Protection (FADP/nFADP, in force since 1 September 2023) applies and, where services are offered to data subjects in the European Union, Regulation (EU) 2016/679 (GDPR) applies.
Data of employees, suppliers and collaborators is covered by separate notices and is not addressed in this document.
3. Categories of data processed
- Registration and account data: username, password (stored only as a hash, never in clear text), invitation code (where applicable).
- Contact data: e-mail address (optional, unless you subscribe to the newsletter — see §4.5), phone number (optional). If provided, the e-mail is verified via a code.
- Authentication and security data: second factor (TOTP key for authenticator apps, FIDO2/WebAuthn credentials, recovery codes), security stamp, attempt counter.
- Blockchain-related data: Ethereum address(es) (for login and/or managed by the platform) and related on-chain references. For non-web3 accounts the platform automatically generates a "managed" Ethereum key as a technical fallback for identity/authentication: it is not a fund-custody wallet and must not be used to receive money. It can be obtained by the user via API but is not normally exposed and is encrypted at rest in the database (AES-256-GCM).
- Usage and technical data: application and security logs (e.g. logins), aggregate metrics, data collected in anonymous/aggregate form.
- Marketing data: e-mail address provided for the newsletter only and the related subscription status (handled by the newsletter provider — §4.5, §6).
- Records of acceptance of legal documents: for each acceptance, the document type (Terms of Service, Privacy Policy), the version accepted and the date/time. Kept by Etherna as proof of acceptance (accountability — §4.8); you can view them in your account area and include them in the export of your personal data (§9).
- Content uploaded to the storage/gateway services: governed by the respective terms of service; note the public and potentially immutable nature of blockchain and the Swarm network (§7).
4. Purposes and legal bases
We process data for the following purposes, each with its legal basis (FADP / GDPR):
- 4.1 — Registration, authentication and account management (SSO). Data: account, contact, authentication, Ethereum address. Basis: performance of the contract / relationship requested by the user (lawful under FADP; GDPR art. 6(1)(b)).
- 4.2 — Provision of the platform services (gateway, storage, etc.). Data: account, blockchain, content. Basis: performance of the contract (GDPR art. 6(1)(b)).
- 4.3 — Security, 2FA, abuse prevention. Data: authentication/security, logs. Basis: legitimate interest / performance of the contract / legal obligation (GDPR art. 6(1)(c)(f)).
- 4.4 — Technical and service communications (e.g. e-mail verification, password reset). Data: contact. Basis: performance of the contract (GDPR art. 6(1)(b)).
- 4.5 — Newsletter / marketing communications. Data: e-mail. Basis: consent (GDPR art. 6(1)(a) + art. 7); in CH prior opt-in under art. 3 para. 1 let. o UCA, revocable at any time.
- 4.6 — Statistics and analysis in anonymous/aggregate form. Data: anonymised technical data. Basis: anonymous data → outside the scope of personal data; if pseudonymous, legitimate interest.
- 4.7 — Legal, accounting and tax obligations. Data: data as required. Basis: legal obligation (GDPR art. 6(1)(c)).
- 4.8 — Proof of acceptance of the Terms and Privacy Policy (recorded at sign-up). Data: acceptance records (document, version, date/time). Basis: accountability and legitimate interest in demonstrating acceptance (FADP; GDPR art. 5(2), 7(1), 6(1)(c)(f)).
The e-mail in the SSO database is never used for non-technical communications: marketing takes place exclusively through the newsletter provider, subject to consent (§4.5).
Usage statistics (§4.6) are collected with a self-hosted analytics tool (on Etherna's servers), without cookies and with an anonymised IP address: they do not profile the individual user, do not involve transfers to third parties and do not require consent.
5. Nature of the provision of data
Providing registration data (username, password) is necessary to create the account. The e-mail is optional; it becomes necessary only if you choose to subscribe to the newsletter (in which case it is required and verified). Failure to provide the necessary data prevents the provision of the relevant service. Accepting the Terms of Service and acknowledging this Policy is required to complete registration; acceptance is recorded as proof (§3, §4.8).
6. Recipients and processors
Etherna does not sell personal data. It uses the following providers, which act as data processors (art. 9 FADP / art. 28 GDPR) on the basis of a data processing agreement (DPA):
- Exoscale (Akenes SA) — hosting/IaaS, database — Switzerland / EU.
- netcup GmbH — hosting/IaaS — Germany (EU).
- Contabo GmbH — hosting/IaaS — Germany (EU).
- Cloudflare, Inc. — CDN / network security — USA + global (see §6.1, DPF).
- SendGrid (Twilio Inc.) — transactional e-mail delivery — USA (see §6.1, DPF).
- Mailchimp (Intuit / The Rocket Science Group) — newsletter / list management — USA (see §6.1, DPF).
- BorgBase (Peakford Ltd) — off-site backups (received already encrypted, keys held by Etherna) — Malta (EU).
- Swarm network — decentralised storage — public distributed network (see §7).
- Proton AG — e-mail: internal mailboxes and public contact addresses (info@, privacy@) — Switzerland.
Data may also be disclosed to judicial/administrative authorities where required by law and, in the event of a merger/acquisition, to the successor entity.
6.1 International transfers (art. 16-17 FADP / Chapter V GDPR)
The US providers — Cloudflare, SendGrid (Twilio), Mailchimp (Intuit) — process data in the USA. The transfer relies on their Swiss-U.S. / EU-U.S. Data Privacy Framework (DPF) certification, found active at the verification of 2026-06 (source: the official list at dataprivacyframework.gov; in the alternative, Standard Contractual Clauses (SCC) with the Swiss addendum). The other providers are in Switzerland or the EU (Exoscale and Proton in CH; netcup and Contabo in DE; BorgBase in Malta), with no transfer to third countries.
7. On-chain data and the Swarm network
Certain data (e.g. Ethereum addresses, references and content) may be recorded on-chain or on the Swarm network, which are public, distributed and tendentially immutable systems: once published, it is not technically possible to modify or delete them, and they may be replicated by third parties outside Etherna's control. Consequently, the right to rectification and erasure is limited for such data. Etherna applies the principle of data minimisation, avoiding recording unnecessary identifying data on-chain.
8. Retention periods
Data is retained for as long as necessary for the purposes and is then deleted or anonymised:
- Account and associated data: deleted from the database immediately upon closure of the account.
- Accounting/tax data: 10 years (Swiss statutory obligation) — also after account closure, where due.
- Newsletter: until withdrawal of consent / unsubscription (handled by the provider).
- Legal acceptance records (§3, §4.8): for the duration of the account (deleted with it).
- Application/security logs: they do not contain personal data and are therefore outside the scope of this policy.
- On-chain/Swarm data: see §7 (deletion not technically guaranteed).
9. Data subject rights
Within the limits of the law, you have the right to: access (art. 25 FADP / art. 15 GDPR), rectification, erasure/destruction, restriction, objection, portability (art. 28 FADP / art. 20 GDPR) and withdrawal of consent at any time (without prejudice to the lawfulness of processing carried out before withdrawal). For the newsletter, unsubscription is always available via the link in every message and the provider's preference center. The acceptance records for the legal documents (§3, §4.8) can be viewed in your account area and are included in the export of your personal data.
Requests to [email protected]. Complaint to the supervisory authority: in Switzerland the FDPIC; in the EU, the competent supervisory authority.
10. Automated decision-making
Etherna does not carry out automated decision-making or profiling with legal or similarly significant effects on the data subject (art. 21 FADP / art. 22 GDPR).
11. Security
Etherna adopts appropriate technical and organisational measures: encryption of corporate e-mail, password hashing, encryption at rest (AES-256-GCM) of the managed-wallet key, encryption of off-site backups, two-factor authentication (2FA) available via authenticator app (TOTP) and physical security key (FIDO2/WebAuthn), access controls, etc. No system can guarantee absolute security.
12. Cookies
The Service uses only technical/essential cookies necessary for operation and authentication. It does not use third-party, profiling/tracking or advertising cookies, and performs no tracking: for this reason no consent banner is required (indeed none is present). Details in the Cookie Policy (updated 27.06.2025).
13. Minors
The Service — which includes a content publishing and sharing platform — is restricted to adults (18+) and is not intended for minors (see Terms §4). Etherna does not knowingly collect data from persons under 18; should it become aware of an account belonging to a minor, it will close it and delete the related data.
14. Changes to this policy
Etherna may update this policy; material changes will be communicated with reasonable notice and published on the Service with the date of update. For the Terms of Service, material changes may require re-acceptance; the accepted version is recorded (§4.8) precisely to allow any re-acceptance.
15. Governing law and jurisdiction
Governed by the Terms of Service (https://info.etherna.io/terms-conditions/), to which reference is made: Swiss law and the courts of Lugano (Ticino).