Privacy Policy

Last Updated: October 21, 2025

← Back to dApp

Privacy Policy - Tansu

Last Updated: October 21, 2025
Effective: October 21, 2025

1. Introduction

Consulting Manao GmbH (“Company”, “we”, “us”) operates the Tansu decentralized governance platform (“dApp”, “Service”). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Austrian data protection laws.

Universal Application: This Privacy Policy applies equally to all users worldwide, with no distinction between EU and non-EU residents, though we distinguish between consumers and business users where necessary for legal compliance.

Minimal Data Collection: Our services involve minimal personal data collection. We do not operate backend servers or databases. All user data is stored on-chain (Stellar blockchain) or on decentralized IPFS networks. We use browser local storage instead of cookies for session management.

Contact Information:
Consulting Manao GmbH
FN 571029z
Köpplingberg 124, 8561 Söding-Sankt Johann, Austria
Email: [email protected]

Note: Reading our Terms of Service first will help you understand the terminology used in this Privacy Policy.

2. Data Controller

Consulting Manao GmbH is the data controller responsible for processing your personal data in connection with the Tansu dApp.

3. Types of Data We Collect

Important: We do not operate backend servers or databases. All data is either:

  • Stored on-chain via the Stellar blockchain (publicly visible and permanent)
  • Stored on decentralized IPFS networks (publicly accessible)
  • Stored locally in your browser using local storage (never leaves your device)

3.1 Data You Provide Directly

Account Information:

  • Stellar wallet addresses (public keys)
  • Profile information voluntarily submitted
  • Project metadata uploaded to IPFS

User Responsibility: You are responsible for ensuring uploaded content complies with privacy laws and does not contain personal data of others without consent.

3.2 Data Collected Automatically

Blockchain Data (publicly visible on Stellar Network):

  • Transaction hashes and timestamps
  • Smart contract interaction data
  • Voting records and outcomes
  • Badge assignments and voting weights

Technical Data (collected by hosting providers):

  • IP Addresses: Logged by Cloudflare CDN for security and DDoS protection (retained for 30 days). This processing is based on our legitimate interest under GDPR Article 6(1)(f) to protect our systems and users from cyber threats, fraud, and abuse. We have conducted a balancing test and determined this limited retention is necessary and proportionate.
  • Browser and Device Information: Collected for analytics and performance optimization
  • Usage Patterns: Anonymous analytics to improve services

Browser Local Storage (stored on your device only):

  • Wallet connection preferences
  • UI preferences and settings
  • Session management data
  • Analytics preferences (if using privacy-focused analytics)

IPFS Data (publicly accessible):

  • Content Identifiers (CIDs) for uploaded content
  • Content metadata and timestamps
  • File sizes and types

3.3 Data from Third-Party Services

GitHub Integration:

  • Repository information
  • Commit history and metadata
  • Contributor information
  • README files and project documentation

Stellar Network:

  • Account balances and transaction history
  • Network fees and transaction status
  • Account metadata

We process your personal data based on the following legal grounds under GDPR:

Contract Performance (Article 6(1)(b)): Processing necessary for providing our governance services, including account management, proposal creation, and voting functionality.

Legitimate Interest (Article 6(1)(f)): Processing for platform security, fraud prevention, service improvement, and analytics.

Consent (Article 6(1)(a)): For optional features like profile customization and marketing communications.

Legal Obligation (Article 6(1)(c)): Compliance with Austrian and EU legal requirements, including anti-money laundering and sanctions screening.

No Automated Decision-Making: We do not engage in automated decision-making or profiling with legal effects. All governance decisions are made by community members through voting.

5. How We Use Your Data

5.1 Service Provision

  • Account Management: Creating and maintaining your member account
  • Governance Operations: Facilitating proposal creation, voting, and execution
  • Project Registration: Managing project information and maintainer roles
  • Badge System: Assigning and managing voting weights and permissions

5.2 Platform Operations

  • Security: Monitoring for fraudulent activities and security threats
  • Performance: Optimizing service delivery and user experience
  • Analytics: Understanding usage patterns to improve our services
  • Support: Providing technical support and resolving issues
  • Regulatory Requirements: Complying with Austrian and EU laws
  • Sanctions Screening: Checking against restricted jurisdiction lists
  • Audit Trail: Maintaining records for transparency and accountability

6. Data Sharing and Third-Party Services

6.1 Third-Party Service Providers

We share data with third-party services necessary for operations (Stellar Network, IPFS/Storacha, GitHub, Netlify, Cloudflare). See Terms of Service Section 14 for complete list with privacy policy links.

Data Processing Agreements: We have executed GDPR Article 28 compliant DPAs with all processors (Netlify, Cloudflare, Storacha).

6.2 No Backend Data Storage

We do not store any user data on our own servers. All data exists on:

  • The Stellar blockchain (permanent, public, immutable)
  • IPFS networks (distributed, public, persistent)
  • Your browser’s local storage (client-side only)

We may disclose your data when required by law, including:

  • Compliance with Austrian or EU legal obligations
  • Response to valid legal requests from authorities
  • Protection of our rights and the rights of other users
  • Prevention of fraud or illegal activities

6.4 No Sale of Data

We do not sell, rent, or trade your personal data to third parties for commercial purposes.

7. Data Security

7.1 Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: Data transmission is encrypted using industry-standard protocols
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Regular Audits: Security assessments and vulnerability testing
  • Staff Training: Data protection training for all employees

7.2 Blockchain Security

  • Non-Custodial: We do not store or have access to your private keys
  • Decentralized Storage: User content is stored on IPFS, not our servers
  • Public Transparency: Blockchain transactions are publicly verifiable

7.3 Data Breach Response

In the event of a data breach, we will:

  • Notify relevant authorities within 72 hours (GDPR Article 33)
  • Inform affected users without undue delay (GDPR Article 34)
  • Take immediate steps to contain and remediate the breach

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You can request information about the personal data we process about you, including:

  • Categories of data processed
  • Purposes of processing
  • Recipients of your data
  • Retention periods
  • Your rights regarding the data

8.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, including:

  • Data no longer necessary for original purposes
  • Withdrawal of consent
  • Unlawful processing
  • Objection to processing

Technical Limitations:

  • Blockchain Data: Permanently recorded and immutable (GDPR Article 17(3)(b) exception for data made public by the data subject)
  • IPFS Content: Cannot be deleted once uploaded to the decentralized IPFS network
  • On-Chain Unlinking: We can remove IPFS CID references from our smart contracts (e.g., by revoking proposals), making content no longer discoverable through our dApp
  • CID Persistence: The content remains accessible via its CID through IPFS gateways, which we cannot control or remove

User Responsibility: Before uploading content, consider that IPFS storage is permanent. Do not upload personal data or sensitive information unless you accept this permanence.

Maintainer Options: Project maintainers can revoke proposals to unlink content from our dApp, but this does not delete from IPFS.

8.4 Right to Restrict Processing (Article 18)

You can request limitation of data processing in certain situations.

8.5 Right to Data Portability (Article 20)

You can request a copy of your data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

8.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated decision-making, though our platform does not use automated decision-making for individual users.

9. Exercising Your Rights

To exercise your rights, contact us at:

Email: [email protected]
Subject: Data Protection Request

We will respond to your request within one month (GDPR Article 12(3)). We may request verification of your identity to protect your privacy.

10. Data Retention and Deletion

Blockchain Data: Permanently recorded (GDPR Article 17(3)(b) exception for data made public by the data subject).

IPFS Content: Persists indefinitely on decentralized network; we cannot delete once uploaded.

IP Address Logs (Cloudflare): 30 days for security.

Browser Local Storage: Until you clear browser data.

Tax Records: 7 years per Austrian Federal Fiscal Code (Bundesabgabenordnung - BAO) §132 and §212.

Deletion Limitations: Blockchain and IPFS data cannot be deleted. We can only unlink IPFS references from our smart contracts. See Terms of Service Section 7 for details.

11. International Data Transfers

11.1 Data Transfers

Your data may be transferred to and processed in countries outside the EU/EEA, including:

  • IPFS Networks: Global decentralized storage networks
  • Stellar Network: Distributed blockchain network
  • GitHub: United States-based service provider

11.2 Safeguards

We ensure appropriate safeguards for international transfers:

  • Adequacy Decisions: Transfers to countries with adequate data protection
  • Standard Contractual Clauses: EU-approved contractual safeguards
  • Technical Measures: Encryption and access controls

12. Browser Local Storage and Tracking

12.1 No Cookies Policy

We do not use cookies. Instead, we rely on browser local storage for essential functionality:

  • Wallet Connection: Remembering your connected wallet address
  • UI Preferences: Theme, language, and display settings
  • Session Management: Maintaining your session state
  • Analytics Preferences: Respecting your privacy choices

ePrivacy Directive Compliance: Browser local storage is used only for strictly necessary technical functionality (wallet connection, session management) and does not require user consent under ePrivacy Directive Recital 66.

12.2 Local Storage

Browser local storage data:

  • Stays on your device only (never transmitted to our servers)
  • Can be cleared through your browser settings
  • Is essential for dApp functionality
  • Does not track you across websites

12.3 Third-Party Tracking

We do not use third-party tracking services. Any analytics we implement are:

  • Privacy-focused and cookieless
  • Aggregate only (no individual tracking)
  • Opt-out available through browser settings

13. Children’s Privacy

Our services are not intended for children under 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete such information.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy to reflect:

  • Changes in our data processing practices
  • New legal requirements
  • Platform feature updates
  • Security improvements

14.2 Notification

We will notify you of significant changes by:

  • Posting the updated policy on our dApp
  • Displaying prominent notices on the platform
  • Social media announcements

14.3 Continued Use

Continued use of our services after policy updates constitutes acceptance of the new terms.

15. Data Protection Officer

As a small GmbH, we are not required to appoint a Data Protection Officer under GDPR Article 37, but privacy inquiries can be directed to [email protected].

Why No DPO Required: Under GDPR Article 37(1), DPO appointment is mandatory only for:

  • Public authorities
  • Organizations whose core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale
  • Organizations whose core activities consist of processing on a large scale of special categories of data

Our dApp operates with minimal data collection, no backend storage, and all sensitive operations occur client-side or on public blockchains, thus not meeting these thresholds.

16. Supervisory Authority

You have the right to lodge a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Website: dsb.gv.at

17. Contact Information

For any questions about this Privacy Policy or our data practices:

Consulting Manao GmbH
Registered in Austrian Commercial Register (Firmenbuch)
Landesgericht Graz, FN 571029z
VAT ID: ATU77780135
Managing Director: Pamphile Tupui Christophe Roy

Address:
Köpplingberg 124
8561 Söding-Sankt Johann
Austria

Contact:
Email: [email protected]
Website: tansu.dev

Last Updated: October 21, 2025

← Back to dApp