Privacy Policy

Last updated: 27 June 2026

We collect as little personal data as possible and never write personal data to the blockchain. Blockchain data (addresses, transactions) is public and permanent by design and outside our control.

1. Data controller

The controller is GEMBA EOOD, a company registered in Bulgaria (EU). For any privacy matter, contact [email protected].

2. What we collect, why, and the legal basis

Data	Why	Legal basis (GDPR Art. 6)
Wallet / EVM addresses (public by design)	Deliver GMB to your address; provide the network and dApps	Performance of a contract
Email address	One-time codes (OTP), service notifications, replying to your messages, your message copy	Contract / consent / legitimate interest
Payment data (processed by GembaPay and, through it, Stripe/PayPal)	Process your payment for GMB or services. We do not receive or store your card details.	Performance of a contract
KYC/AML data (only if such checks apply to a purchase)	Identity verification, legal/AML compliance	Legal obligation
Technical data — IP address, browser/user-agent, server & proxy logs, cookies	Security, reliability, and abuse-prevention. Note: the faucet enforces rate limits per IP (and per account) to prevent abuse.	Legitimate interest

We do not sell personal data and do not use advertising or cross-site tracking.

3. Purposes

Providing the network and the dApps; processing payments and delivering GMB; sending OTPs and notifications; preventing abuse (per-IP and per-account limits); security; and meeting AML/legal obligations.

4. On-chain transparency — and the "right to be forgotten"

Blockchain transactions and balances are public and permanent: they are visible to anyone (e.g. via the GembaScan explorer) and cannot be edited or deleted by us or anyone. This is an inherent property of public blockchains. Because of this, your GDPR right to erasure ("right to be forgotten") cannot apply to data already written on-chain — which is precisely why we keep personal data off-chain and never publish it to the blockchain. The address you provide is used to send your GMB and is stored only in our off-chain order records.

5. Third parties (processors / recipients)

GembaPay — payment processing, and through it Stripe and PayPal for card/account payments.
Email provider — the gembachain.io SMTP service that delivers OTPs, notifications and your message copy.
Hosting — Hetzner (and, for some infrastructure, other providers) and Cloudflare (CDN, security and the Turnstile anti-bot check).

We disclose data to authorities only where legally required.

6. International transfers

Our processing is primarily within the EU/EEA. Where a provider processes data outside the EEA, we rely on appropriate safeguards (e.g. EU Standard Contractual Clauses).

7. Retention

We keep contact messages, order records and any KYC data only as long as needed for the purpose and to meet legal/accounting obligations, then delete or anonymise them. Server logs are kept for a limited period for security.

8. Your GDPR rights

You have the right to access, rectify, erase, restrict or object to processing of your personal data, and to data portability; you may withdraw consent at any time. To exercise these rights, email [email protected]. You may also lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP). (As noted in §4, data already on a public blockchain cannot be erased.)

9. Cookies

We use only the cookies/local storage strictly necessary for the site and its security (including the Cloudflare anti-bot check). We do not use advertising or analytics tracking cookies.

10. Security

We use TLS/HTTPS, restricted access, anti-bot protection and least-privilege practices. No method is 100% secure, but we take reasonable measures to protect your data.

11. Children

The Services are not directed to anyone under 18, and we do not knowingly collect their data.

12. Changes & contact

We may update this Policy; the "Last updated" date will change. Questions or requests: [email protected].