‍WHO WE ARE AND HOW TO CONTACT US

Fox Foundation is the data controller in relation to the collection and processing of personal data through the Services we maintain, such as the ShapeShift.com informational website. The ShapeShift Community is the controller in relation to the collection and processing of personal data through the Services they maintain, such as the ShapeShift Web and Mobile applications. To inquire about our collection or processing of your personal data, or if you have any questions or concerns about this policy, you may contact us via email at privacy@foxfoundation.io. For all correspondence, please include any necessary identifying information such as your name, return e-mail, and any other information relevant to your request. Failure to do so may prevent us from or cause a delay in providing a response. 

For law enforcement agencies seeking to request KYC Data for a former user of ShapeShift AG’s Services, please contact legal@shapeshift.io. For more information on why Fox Foundation does not have access to this data, please see the section below.

May 2022 Data Transfer from ShapeShift AG to the Fox Foundation

On May 25th 2022, as part of ShapeShift AG’s efforts to decentralize, ShapeShift Global Limited transferred the ownership and operation of ShapeShift software products to Fox Foundation, a nonprofit foundation formed in Liechtenstein with the purpose of transitioning operation of such platform and software to the ShapeShift community, which is a decentralized autonomous organization. For more information on these efforts, see this article. As a result of this transition, user data in connection with user accounts of the original ShapeShift platform (ie. email addresses and encrypted seed phrases) were transferred from ShapeShift Global Limited to Fox Foundation in order for our users to enjoy a seamless transition and to avoid any downtime of the platform or the deletion of their accounts, which was a legitimate interest of ShapeShift Global Limited. Communication around this scheduled transfer was communicated by email, allowing for users to exercise their right to object (GDPR Art. 21). ‍In various jurisdictions, ShapeShift AG had been required by law to verify the identity or locations of a user before allowing such user to trade digital assets with the centralized exchange service offered through April 2021. This practice is known as “Know-Your-Customer” or “KYC” (any data collected in connection with KYC, such as name, address, phone number, date of birth, government identification number, or a copy of a government issued identification, is referred to as “KYC Data”) and accordingly any collection or processing of KYC Data is done in compliance with a legal obligation. Since April 2021, when this centralized exchange service was shut down, it has not been a legitimate interest for ShapeShift to collect this data from users, nor was it a legitimate interest for Fox Foundation to receive the KYC Data collected by ShapeShift AG prior. KYC regulations in certain jurisdictions require ShapeShift AG to retain this user data for 5 years as well as comply with applicable requests from regulatory authorities. For law enforcement agencies seeking to request KYC Data for a former user of ShapeShift AG’s Services, please contact legal@shapeshift.io.

Following this transition, Fox Foundation maintained ShapeShift’s products and user data while supporting the ShapeShift community in developing open-source replacements to ShapeShift’s products that do not require or collect any Personally Identifiable Information (“PII”) on users. After successful migration of all users from the the products maintained by Fox Foundation to products maintained by the ShapeShift community, all legacy user data maintained by Fox Foundation was permanently deleted in April 2024. The Privacy Policy for the new ShapeShift web and mobile applications can be found here.

‍
Introduction

This privacy notice lists the data privacy practices and processes of Fox Foundation, a nonprofit foundation formed in Liechtenstein (“Foundation”, “we”, “our”, or “us”) and includes detailed descriptions of the third-party services we utilize to collect and process your data. Protection and security of the data of our users is very important to us and our affiliates, as is your trust in us and the services we provide. The Foundation is committed to handling your data responsibly and in compliance with all legal requirements. This notice describes how we collect, process, transfer, and secure your personal data when you access and use ShapeShift.com (“Services”). All other aspects of your interaction with ShapeShift.com are governed by our Terms of Service (“Terms”). Any conflicts between this notice and the Terms will be resolved in favor of this notice.

‍

The following is an example of what information relevant to processing activities is expected in the privacy notice and how systematic providing this information needs to be. The tabular approach helps map activities (a) to purposes (b) to data points ©, their retention (e) and legitimation (d) and rights (f).

These notices may supplement or clarify our privacy practices or may provide you with additional choices about how we process your data. If you are not comfortable with any aspect of this notice, you should immediately discontinue access or use of ShapeShift.com.

How we may change this notice

Fox Foundation, in its sole discretion, may modify or update this notice at any time, so you should review this page periodically. If we update this notice, the “last modified” date will list the month when such update(s) were made. If we make any material changes to this notice, we notify our registered users via email and summarize those changes. Your continued use of our Services after any change to this notice is deemed your acceptance of such change(s).

‍
DATA WE COLLECT AND PROCESS IN ORDER TO MAKE THE SERVICES GENERALLY AVAILABLE

Delivering our Services

You can use some aspects of our Services, including our websites, and obtain information about our Services without telling us who you are, however, when accessing any website, a user makes a connection with a webserver, which automatically logs and stores certain technical data including: that user’s internet protocol address (“IP Address”), the operating system of that user’s device, the time the website was accessed, or the web browser used to access the site. Logging this data is required in order to make the Services available to you and other users and ensure the functionality of the Services. To the extent we, thereby, process such data, we do not store any data enabling us to link activity to a specific user.

Data processing when loading our website
Similarly, our Services use Google Fonts (previously known as Google Web Fonts), a library of open-source font families that enhance your browsing experience. To integrate Google Fonts into our websites, your browser establishes a connection to Google’s server and the IP Address of your device is transmitted to Google. Google logs records of font queries and protects this data from unauthorized access. Google analyzes aggregate data to optimize Google Fonts and identify which websites use Google Fonts.

Data processing though hosting our Services
We use Amazon Web Services (“AWS”) to host all of our Services. Thus, any data collected by us on any of our Services will be stored on AWS’s servers in Ohio. Some of this data is either processed by us directly or transferred to and processed by one of our third-party partners, both of which are described in further detail in this notice.

DATA WE COLLECT AND PROCESS TO ANALYZE AND IMPROVE THE USE OF THE SERVICES; OUR USE OF COOKIES
Based on our legitimate interest to bring you the best possible user experience, we collect and process certain data to analyze how our users use of the Services to gain insight on how we may improve our Services. This data may include information on the type of web browser or device you use to access the website, the geographical region where you access the website, the date and time of your access, and the parts of the website you access.

3rd Party Services and Cookies

We use the following third-party services to collect and analyze the data of our users:‍

• We use Google Analytics, a web analytics service provided by Google and located in the US. Google Analytics uses Cookies to distinguish unique users and to collect the information required to analyze your use of the websites and to report aggregate usage statistics that support our analysis and improvement of the websites, in which we have a legitimate interest. We use Google Analytics only with IP Address anonymization enabled. This means that your IP Address will be shortened beforehand. Only in exceptional cases will the full IP Address be transmitted to a Google server in the USA and shortened there. Accordingly, Google only stores the information collected via Cookies in anonymous form and processes it in aggregated form. These cookies can last for up to 2 years. For further information on how Google Analytics anonymizes IP Addresses click here. Additionally, you can prevent Google Analytics from using your data by installing a browser add-on to disable Google Analytics here. Lastly, details on data protection and your options in connection with Google Analytics can be found here. 
• We use Google Tag Manager to generate tags for our websites and applications. In connection with Google Tag Manager, we use advertising technologies by Google’s AdWords platform. Google sets conversion Cookies in accordance with our settings in Google Tag Manager. This is necessary for checking the effectiveness of the respective advertising campaigns. We have a legitimate interest in this. We also use Google Tag Manager to set re-targeting tags. These tags enable us to target users with information about our Services when they visit different websites. 
• We use Cloudflare, Inc. (“Cloudflare”) to secure our services (to identify individual clients behind a shared IP Address and apply security settings on a per-client basis) in which we have a legitimate interest. The Cookies do not correspond to any user ID on our Services, and do not store any personal data. 

DATA WE COLLECT AND PROCESS IN ORDER TO COMMUNICATE WITH YOU

Direct Correspondence
If you provide us with your email address, typically by responding to a request for us to contact you or requesting us to contact you, we will, based on your consent, retain your email address and respond to your request. 

‍Email communication
We use Gmail to manage email correspondence related to our Services. We process your email messages, including any attachments to maintain a record of our communications with you, respond to your inquiries efficiently, and provide ongoing support. We do not make use of your email address for marketing purposes and it is not shared or sold to other 3rd parties. 

‍HOW WE PROCESS AND PROTECT YOUR PERSONAL DATA; HOW LONG WE STORE IT
‍We apply adequate technical and organizational security measures, commensurate with the level of known risk, in order to protect the confidentiality and integrity of the personal data we collect when using the Services. The only case in which personal data may be stored is detailed in the section titled, Email Correspondence, above. In this case, we only allow access to certain employees or contractors who are required to perform the purposes for which you provide the personal data. 

‍THE RIGHTS YOU HAVE REGARDING YOUR PERSONAL DATA

‍You have certain rights regarding the personal data that we collect and process about you. In particular, generally, you have the following rights: 

• to access or receive the personal data we process; 
• to have your personal data rectified; 
• to object to the processing of your personal data, or to ask us to restrict processing where we process that data under legitimate interest;
• to have us delete your personal data where it is no longer used or does not need to be retained for a legal purpose. 
• to restrict processing if you contest the accuracy of the data we process, if you believe the processing is unlawful, it is no longer needed but you require it for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

If the GDPR applies to you (i.e., if you are in the EU) you also have the right to receive a copy of your personal data or have us transmit it to a third-party directly where processing is based on your consent or the performance of a contract (our Terms of Service).  

Limitations to the exercise of data subject rights
Please note, however, that your rights are subject to exceptions or derogations. Specifically, we may need to further process and retain your personal data to perform a contract with you, to protect our legitimate interests (such as the establishment, exercise or defense of legal claims), or to comply with legal requirements. To the extent permitted by law, namely, to protect the rights and freedoms of others or to protect our own legitimate interests, we may therefore refuse to satisfy your request or we may satisfy your request with qualifications. Lastly, if you are in the EU, you have a right to submit a complaint with the supervisory authority in Liechtenstein or your country of residence.