This Privacy Policy explains how UFO TECHNOLOGIES LIMITED ("we", "us", "our") collects, uses, and protects your personal data when you use the websites maatx.io and wallet.maatx.io and related services (together, the "Services"). We are committed to processing your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
- UFO TECHNOLOGIES LIMITED
- Registered in England and Wales, company number 17022120
- Registered office: 50 Princes Street, Ipswich, England, IP1 1RJ
- Contact for privacy matters: privacy@maatx.io
Where we use third-party providers to process data on our behalf (for example, identity verification), those providers act as our data processors, and we remain the controller.
2. The personal data we process
Depending on how you use the Services, we may process the following categories of data:
(a) Identity verification (KYC) data. To enforce the "one person, one vote" principle and prevent fake or duplicate accounts, participants may complete identity verification. This verification is performed by our processor Sumsub (Sum and Substance Ltd) and may include your full name, date of birth, nationality, country of residence, images of your identity document, and a facial image / liveness check. We act as the data controller for this verification; Sumsub processes the data on our behalf and under our instructions.
(b) Biometric data (special category). The facial image and liveness check used to confirm you are a real, unique person may constitute biometric data used for unique identification. This is special category data under Article 9 UK GDPR and we only process it on the basis of your explicit consent (see Section 4).
(c) Blockchain and wallet data. Public wallet addresses, on-chain transactions, balances, and related public ledger data. Please note that blockchain data is public, immutable, and outside our control once recorded; we cannot edit or delete it.
(d) Technical and usage data. IP address, browser type, device information, and similar diagnostic data. Certain preferences (such as theme, language, and your locally generated wallet/seed) are stored in your browser's local storage on your own device, not on our servers.
(e) Communications. If you contact us by email or messaging channels, we process the content of those communications and your contact details.
3. How and why we use your data
- Identity verification and integrity of voting — to confirm uniqueness of participants and prevent fraud and manipulation of the "one person, one vote" mechanism.
- Providing the Services — to operate the website, web wallet, and related features.
- Legal and regulatory compliance — to comply with applicable anti-fraud, anti-money-laundering, and record-keeping obligations.
- Security — to detect, prevent, and respond to abuse, attacks, and security incidents.
- Communication — to respond to your enquiries.
4. Lawful bases for processing
Under Article 6 UK GDPR we rely on:
- Consent (Art. 6(1)(a)) — for identity verification you choose to undertake, and, under Article 9(2)(a), explicit consent for any biometric data. You may withdraw consent at any time (this does not affect processing carried out before withdrawal).
- Legitimate interests (Art. 6(1)(f)) — to protect the integrity of the cooperative's voting, secure the Services, and prevent fraud and abuse.
- Legal obligation (Art. 6(1)(c)) — where we must process data to comply with the law.
- Contract (Art. 6(1)(b)) — where processing is necessary to provide a service you have requested.
5. Identity verification by Sumsub
Identity verification is carried out by Sumsub, an independent specialist provider, acting as our processor under a data processing agreement. During verification you interact with Sumsub's secure interface. We receive the verification result and a limited set of data necessary to confirm your status; the underlying documents and biometric data are held within Sumsub's systems in accordance with their retention practices and our instructions. Sumsub's own privacy notice applies to their processing and is available on their website.
6. Sharing and international transfers
We share personal data only with: (i) our processors (such as Sumsub and our hosting provider) under contracts that require appropriate safeguards; and (ii) authorities or advisers where required by law. Some processors may process data outside the United Kingdom. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries with UK adequacy.
We do not sell your personal data.
7. Retention
We keep personal data only as long as necessary for the purposes set out above and to meet legal obligations. Verification results are retained for the duration of your participation and for a reasonable period thereafter; documents and biometric data held by Sumsub are retained in line with the agreed retention period. Locally stored browser data remains on your device until you clear it. On-chain data cannot be deleted by us due to the nature of blockchains.
8. Cookies and local storage
We use only essential, functional storage. We do not use third-party advertising or tracking cookies. Your browser's local storage holds preferences (theme, language) and, in the web wallet, your locally generated keys — these stay on your device and are not transmitted to us. You can clear this data via your browser settings at any time.
9. Your rights
Under UK GDPR you have the right to: access your data; request correction; request erasure; restrict or object to processing; data portability; and withdraw consent at any time. Where processing relies on consent (including biometric data), you may withdraw it without affecting prior lawful processing. To exercise any right, contact us at privacy@maatx.io. We respond within one month.
Please note: due to the immutable nature of public blockchains, we cannot amend or erase data already recorded on-chain.
10. Security
We apply appropriate technical and organisational measures to protect personal data. In the web wallet, your private keys and seed phrase are generated and stored locally on your device — we never receive or store them, and you are solely responsible for keeping them safe.
11. Children
The Services are intended for adults (18+). We do not knowingly process the personal data of children.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be highlighted on the Services.
13. Complaints
If you have concerns about how we handle your data, please contact us first at privacy@maatx.io. You also have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk, helpline 0303 123 1113.