Last Updated: 10 October 2025
This privacy policy ("Privacy Policy") describes how Sophon Foundation, a Cayman Islands foundation company, and its affiliates (collectively, "we", "us" or "our") may collect, use, share, retain or transfer (collectively referred to as "Processing", "Process" or "Processed") any information relating to an identified or identifiable person ("Personal Data") and how we keep Personal Data secure. We also explain your rights in this relation.
By accessing (a) the website located at https://sophon.xyz or any sub-URL of such a website, (b) the mobile and desktop application "Sophon App", or (c) any other of our websites or products that link to this Privacy Policy ((a) to (c) are together referred to as the "Products"), you agree to the terms of this Privacy Policy and all of the terms incorporated in it by reference.
Please review this Privacy Policy carefully to understand how we Process your Personal Data. Note that the Privacy Policy can change over time, for example to comply with legal requirements or to meet changing business needs. Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on this website (or as otherwise indicated at the time of posting). In case there is an important change that we want to highlight to you, we will also inform you in another appropriate way (for example via a pop-up notice or statement of changes on our website).
If you do not agree with this Privacy Policy and our practices, please do not use our Products.
We Process your Personal Data in accordance with this Privacy Policy and in compliance with applicable data protection legislation, including but not limited to the Cayman Islands Data Protection Act (as amended), the EU General Data Protection Regulation ((EU) 2016/679) ("GDPR"), the UK General Data Protection Regulation, the EU Privacy and Electronic Communications Directive (2002/58/EC), and the California Consumer Privacy Act ("CCPA"). If your Personal Data is subject to the GDPR or the UK GDPR, please review the additional disclosures for users in the European Economic Area and the United Kingdom. If you are a California resident, please review the notice to California residents.
When you use the Products, we and our service providers may obtain or request Personal Data about you, your computer or mobile device, and your interaction over time with the Products, as described below. The Personal Data that we collect and Process about you depends on how you use our Products and what consents you provide to us.
Some of the Personal Data you share may be required to make parts of the Products work. Other information is optional, but choosing not to share it might affect the quality of the experience when using the Products.
We may use zkTLS (zero-knowledge Transport Layer Security) technology when collecting and sharing your Personal Data. Please read Section 2.7 for information about how we use zkTLS when collecting your Personal Data and Section 4.3 for information about how it is used when sharing Personal Data.
You have the right to change your mind. If you previously gave us your consent to use your Personal Data, you can withdraw that consent at any time in accordance with this Privacy Policy and applicable law. Withdrawal will stop any future use of your Personal Data for these purposes, but it will not affect Processing already carried out while your consent was active. Note that if your Personal Data has already been included in anonymized datasets or AI models, it may not be possible to remove it retroactively. Personal Data stored on a blockchain cannot be deleted, but will no longer be used for profiling or advertisements.
Below in Sections 2.2-2.7, you will find a more detailed explanation of how we collect Personal Data in different ways. To learn more about why we collect Personal Data, please navigate to Section 3.
When you use the Products, we and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with the Products, our communications and other online services. We may automatically collect the following:
Device data, such as your computer's or mobile device's operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 5G), and general location information such as city, state or geographic area when you access the Products.
Online activity data, such as pages or screens you viewed using the Products, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access, and whether you have opened our marketing emails or clicked links within them.
Certain Personal Data may originate from the use of cookies and similar technologies (for example, pixel tags and device identifiers) on our sites or sites of third parties. For more information on cookies and similar technologies, please see Section 5 below.
When you use the Products, you may be asked to provide the following information to us:
Contact and account information, such as your first and last name, email address, phone number, date of birth, photographic identification, government issued identification and other contact details. We will not request such sensitive Personal Data unless strictly necessary under applicable law to provide the Products (or parts thereof).
Feedback or correspondence, such as information you provide when you contact us with questions, feedback, product reviews, or otherwise correspond with us online.
Usage information, such as information about how you use the Products and interact with them, including information associated with any content you upload to the Products or otherwise submit to us, and information you provide when you use any interactive features of the Products.
Marketing information, such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.
Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy, applicable law, and which is otherwise disclosed prior to the time of collection.
When using the Products, you may choose to connect your accounts from third-party platforms (e.g. Spotify, X, Uber or Netflix accounts). By agreeing to link any such accounts, you may allow or direct the relevant platform to send us Personal Data that you have explicitly authorized it to share via the platform's permission settings.
The scope of the Personal Data collected depends on the permissions granted by you in each individual instance. For instance, you may agree to share (parts of) your music listening history from Spotify, ride history from Uber or information about follows and likes on X.
At all times, you control whether you wish to connect any external account. If you choose to connect one or more external accounts, you can revoke access at any time.
Each time we ask you to share Personal Data by linking your account, we will explain beforehand what Personal Data we are collecting, to enable you to make an informed decision about whether you wish to connect your external account or not.
When you use our Products, we may also obtain Personal Data from the following third-party sources:
We may use plug-ins from social networks and/or maintain pages on social media platforms, such as LinkedIn, Instagram, and other third-party platforms. When you activate plug-ins by clicking on them, the operators of the respective social networks may record that you are using the Products and may use this information. Additionally, when you visit or interact with Product-related pages on those social media platforms, the platform provider's privacy policy will apply to your interactions and their collection, use and Processing of your Personal Data. We are not responsible for Personal Data collected by these individual social media platforms, and any Processing of your Personal Data by social media platforms is solely their responsibility and occurs according to their privacy policies. Please check with them regarding their privacy policies.
We may obtain your Personal Data from other third parties, such as marketing partners, publicly available sources and data providers.
While we will not store any Personal Data collected from you on any blockchain, note that the nature of a public blockchain means that certain information is publicly available, including but not limited to: your wallet address; the address of a sender initiating a transaction; the address of a recipient; the maximum amount of gas fees that the sender is willing to allocate for executing the transaction; the price the sender is willing to pay per unit of gas; the nonce (a sequential number issued by the sender's address); the cryptographic signature generated using the sender's private key; the IP address from the requester (visible only to remote procedure call nodes); and any additional data needed for the transaction, such as invoking functions in a smart contract or providing arguments for those functions.
Where a cryptocurrency wallet is used to access the Products, we may obtain information from the wallet public key related to your wallet. We do not collect information about your private keys and cannot access your wallets.
When you authorize a blockchain transaction through any of the Products (i.e., use a crypto wallet to "sign" a blockchain transaction), you are authorizing us to collect and use all information associated with that transaction which we will do in accordance with this Privacy Policy. Note that we are not able to control whether or how third parties use information that is stored on the blockchain, and we expressly disclaim responsibility for any such activities by third parties.
When collecting Personal Data, we may use zkTLS (zero-knowledge Transport Layer Security), which is a cryptographic protocol that allows someone to prove that a secure TLS session happened and reveal certain information from it, without revealing everything in the session. In other words, zkTLS is a technology that allows users to share part of their Personal Data from a third-party website or platform and prove its authenticity without having to expose any unwanted information. It combines TLS (the standard protocol for secure connections on the web) with zero-knowledge proofs (which let you prove a statement is true without revealing the underlying data).
When using zkTLS, Personal Data will be Processed into cryptographic proofs. These proofs demonstrate facts (e.g. that a user has Spotify Premium, or that a user has completed 100 Uber rides) without exposing the raw underlying Personal Data. To use less information that's connected to individual users, in some cases, we use zkTLS proofs as a tool to de-identify, aggregate or anonymize Personal Data so that it no longer identifies you.
| Purpose of Processing | Categories of Personal Data | Legal basis | Retention period |
|---|---|---|---|
| Account creation and service provision: Create and administer a Sophon single sign-on (SSO) or direct wallet log-in account (known as a "Sophon Account"). | Wallet ID, basic registration data, device/browser data. | Performance of contract; you enter into a contract with us when accepting our Terms of Use for the service. | For as long as the account is active; deletion within a reasonable period of time after closure to comply with legal or contractual obligations. Blockchain-related data (e.g., cryptocurrency wallet addresses or transaction records) may be permanently recorded on-chain and cannot be deleted. |
| Importing data from third-party services (see Section 2.5): To enrich your Sophon profile and enable personalized ads, recommendations, or rewards. | Profile information (e.g. username, subscription type), activity data (e.g. playlists, usage activity), and any data categories explicitly authorised during the linking process. | Your consent. | Until consent is withdrawn or account is unlinked; already imported data is kept only for the purposes you have separately consented to (e.g. ads, research). |
| Tailoring your experience: By connecting your Personal Data to one or more cryptocurrency wallets tied to your Sophon Account, we do our best to tailor your use of our Products. | Wallet ID linked to account, imported third-party data, profile attributes. | Your consent. | Until consent is withdrawn or your Sophon Account is closed. |
| Marketing communications: Notify you about new product releases and service developments, events, special offers and associated campaigns and promotions (including via newsletters). We may also use Personal Data to advertise the Products, the Sophon ecosystem or related products and services, and also to have our partners notify you about our Products or their products or services (such as via joint product promotions). | Contact details (e.g. email, wallet ID linked to account), communication preferences, interaction history with campaigns. | Your consent. | Until consent is withdrawn or Sophon Account is closed; suppression list retained to respect opt-out requests. |
| Personalization & Interest-based advertising: To build your personalized profile to enable personalized ads including from third parties, audience segmentation, and campaign targeting (without sharing your data with third parties, unless you separately consent). | Wallet ID (linked to your Sophon Account), advertising identifiers, profile attributes (interests, preferences, derived from wallet activity or imported data), imported data (e.g. activity, social/content platform data), and zkTLS proofs. | Your consent. | Until consent is withdrawn or Sophon Account is closed. |
| Sharing your data with our partners (Section 4). | Wallet ID (linked to your Sophon Account), advertising identifiers, profile attributes (interests, preferences, derived from wallet activity or imported data), imported data (e.g. activity, social/content platform data), and zkTLS proofs. | Your consent. | Until consent is withdrawn or account is closed. |
| Rewards for data sharing (Section 6). | Wallet ID, campaign/reward participation data. | Our legitimate interest or the legitimate interest of our partners to offer incentives or rewards for data sharing, or your consent where explicitly required. | For the duration of the program; deleted when participation ends. Reward transactions recorded on blockchain remain permanent. |
| Research and AI training: Research, analytics and artificial intelligence and machine learning training that support the Products and our services. | Aggregated datasets, usage/interaction data from the Products, imported third-party data, if consent was given. | Your consent (when Personal Data is used) and our legitimate interest to anonymise Personal Data to conduct research activities. | Where data is anonymised, no retention period applies (as it is no longer Personal Data). Where Personal Data is used, retention applies until withdrawal of consent. |
| Fraud prevention, security, enforcement: For compliance, fraud prevention, and safety including to (a) protect our, your or others' rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Products; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity. IP addresses may be evaluated, together with other data, in case of attacks on the network infrastructure or other unauthorized use or misuse of the Products, for the purpose of intelligence and protection, and if appropriate, used in criminal proceedings for identification and civil and criminal proceedings against the relevant users. | IP address, device/browser data, wallet data. | Our legitimate interest to protect our Products against fraud, abuse, and misuse as well as to comply with a legal obligation or as otherwise required by applicable law. | As long as necessary for fraud detection and enforcement; typically up to 5 years. |
| Analytics and product improvement: Develop existing Products and new products and services, including by studying how you use our Products. | Usage logs, interaction data. | Our legitimate commercial interest to improve our Products and develop Products. | Up to 12 months; anonymized thereafter. |
| General communications and information about the Products: This can for instance include alerts, updates, terms changes, announcements, security alerts, and support and administrative messages. | Email, account details. | Contractual necessity; you enter into a contract with us when accepting our Terms of Use relating to a Product and service. | Until consent is withdrawn or Sophon Account is closed. |
| Respond to your requests, questions and feedback. | Email, account details. | Our legitimate interest to respond to your communication. | Up to three years after your last contact with us. |
When you use the Products, we may combine the information you provide (such as account details and imported third-party data) with your wallet ID(s) and generate proofs (for example, zkTLS proofs) to establish certain attributes (such as whether you hold a subscription or show particular usage patterns). We use these profiles to tailor your experience when using the Products, decide which rewards or campaigns to show you, and enable personalized advertising and recommendations from us or our partners.
The logic behind profiling is to link your wallet and related data with other information you choose to share, in order to identify likely interests and preferences. The significance is that your experience of the Products may differ from that of other users, for example, you may be offered different rewards, campaigns, or advertisements. The consequence is that you may see content or offers that are more relevant to you.
We do not make your Personal Data available to third parties unless you have expressly consented to it or if we are legally obligated to. We require partners that we share Personal Data with to follow rules about how they can use Personal Data shared.
See below for more detail about who we share Personal Data with. To read further about the reasons as to why we may share Personal Data, please read Section 3 above.
We may share your Personal Data with third parties as follows:
Third parties that provide services on our behalf or help us operate the Products, such as customer support, hosting, data processors, payment facilitators, analytics, email delivery, identity verification, and database management services. For instance, if you conduct financial transactions by credit card or debit card when using the Products, we may forward your credit/debit card information to the credit/debit card issuer and the credit/debit card acquirer.
Advertisers for a business purpose to facilitate interest-based advertising or partners that offer specific campaigns via the Products.
Professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
Regulators and law enforcement as required by law for compliance, fraud prevention and safety purposes, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary.
In connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. If we do so, we may give the new owner your Personal Data as part of that transaction, but only as far as the law allows it.
When we share Personal Data with service providers or partners, we take appropriate contractual, technical, and organizational measures to ensure that the Personal Data is Processed only for the purposes described in this Privacy Policy and in accordance with applicable law.
We may apply zkTLS to protect the way Personal Data is shared and verified:
Secure Verification: zkTLS allows us to confirm that the Personal Data truly came from the platform you connected, over a secure TLS session, without needing to expose the entire session or raw data.
Proof without disclosure: Instead of sharing everything, zkTLS enables us to only reveal the facts needed to provide our service. For example, we could prove that you listened to more than 100 hours of music of certain music genres in the last month through info shared via Spotify, without sharing your full Spotify library, or that you reached a fitness milestone through info shared via Strava (e.g. ran 10 kilometers this week) without showing your exact route.
Privacy Protection: While raw data is required to create proofs, our policy is to minimize the use to the purposes described here.
Each zkTLS proof related to you is associated with your wallet address(es) and, subject to your consent, advertisers may use the proofs to target you as part of an audience defined by proofs (e.g. targeting all wallets that are linked to a proof showing purchase history of Spotify Premium). You have the right to opt out of such sharing of zkTLS proofs at any time.
We use essential cookies and similar technologies to enable the Products to work. We currently also use analytics cookies for certain Products to understand how users interact with them and to improve performance and the user experience. Cookies are small pieces of data — usually text files — placed on your computer, tablet, phone or similar device when you use that device to access our services. You can opt out of having your online activity and device data collected through these third-party services, including by:
Subject to applicable law, we or our partners may offer rewards, discounts or incentives tied to the Personal Data collected from you (either by use of zkTLS proofs or otherwise). By using your cryptocurrency wallet(s) tied to your Sophon Account, rewards may be distributed on-chain.
Participation in any campaigns is voluntary. If you join, you will be informed about what Personal Data is needed to become eligible for a giveaway (for instance your email to deliver a concert ticket). To participate in a campaign, you will also be required to accept the specific terms and conditions applying to such campaigns.
Depending on where you live, you may have some or all of the following rights, as provided under applicable law and subject to any limitations in such law:
In addition, under GDPR you have the absolute right to object, at any time, to the processing of your Personal Data for direct marketing purposes, including profiling to the extent that it relates to such direct marketing. If you exercise this right, we will stop Processing your Personal Data for those purposes.
Please note that, prior to any response to the exercise of such rights, we may require you to verify your identity. In addition, we may have valid legal reasons to refuse your request and will inform you if that is the case. For more information on your rights, please contact us using the details in the "How to contact us" section below.
Further note that part of the Products incorporates blockchain technology. As, by design, data on a blockchain cannot be changed or deleted, your ability to exercise your data protection rights such as your right to erasure, or your rights to object or restrict Processing with respect to on-chain Personal Data may be affected.
If you are a California resident, please read Section 13 as well.
By using the Products, you acknowledge that we may transfer your Personal Data to service providers and other third parties located in countries that may not provide the same level of data protection as the laws in your country of residence. This may include, for example, service providers supporting the Products and e-commerce providers such as payment processors who assist us in handling online payments.
When we transfer Personal Data internationally for the purposes described in this Privacy Policy, we take appropriate measures to ensure that your information remains protected in accordance with applicable data protection laws. These measures may include:
If you are based in specific jurisdictions:
As Sophon Foundation is established outside the EEA and UK, we may be required under the GDPR and UK GDPR to appoint representatives in the European Union and United Kingdom. If applicable, their contact details will be published on our website and may be obtained by contacting us at data@sophon.xyz.
For more details about international data transfers, please contact us as set out in the "How to contact us" section below.
The Products may contain links to other websites, mobile applications, blockchain protocols, blockchain applications, blockchain exchanges and other online and blockchain services (collectively, "Third Party Resources") operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included in Third Party Resources that are not associated with us. We do not control Third Party Resources, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your Personal Data. We encourage you to read the privacy policies of the Third Party Resources you use.
We implement appropriate technical and organizational measures to protect your Personal Data against manipulation, loss (whether partial or complete), and unauthorized access by third parties, including zkTLS.
However, please note that no method of transmitting data over the internet, or storing data on systems (including blockchain technologies), can be guaranteed as completely secure. While we take steps to protect your Personal Data, transmissions via the internet or blockchain may be subject to security risks outside our control.
The Products are not intended for use by children. If we become aware that we have collected Personal Data from a child in a manner that does not comply with applicable local laws or without the required parental or guardian consent, we will take steps to promptly delete that information.
The GDPR and UK GDPR distinguish between organizations that Process Personal Data for their own purposes (known as "controllers") and organizations that Process Personal Data on behalf of other organizations (known as "processors"). We act as a controller with respect to Personal Data collected as you interact with the Products.
The GDPR and UK GDPR require a lawful basis for Processing Personal Data. Our lawful basis is explained in Section 3 above.
The California Consumer Privacy Act or "CCPA" (Cal. Civ. Code § 1798.100 et seq.) affords consumers residing in California certain rights with respect to their Personal Data. If you are a California resident, this Section 13 applies to you.
California Civil Code Section 1798.83 permits individual California residents to request certain information regarding our disclosure of certain categories of Personal Data to third parties for those third parties' direct marketing purposes. To make such a request, please contact us using the information in the "How to Contact Us" section below. This request may be made no more than once per calendar year.
If you are a California resident, you have certain additional rights with respect to your Personal Data pursuant to the CCPA, including:
We may share Personal Data (such as wallet IDs, advertising identifiers, and profile attributes) with advertising partners for cross-context behavioral advertising, as defined under the CCPA. You can opt-out by sending us an email at data@sophon.xyz.
If you choose to share Personal Data with us, you may receive rewards. This may be considered a "financial incentive" under the CCPA/CPRA. Participation is voluntary, and you can withdraw at any time by sending us an email at data@sophon.xyz. The value of the incentive is reasonably related to the value of the Personal Data you provide.
We will not discriminate against any consumer for exercising their CCPA rights.
You may exercise these rights yourself or you may designate an authorized agent to make these requests on your behalf. To protect your Personal Data, we may need to verify your identity before Processing your request, including by collecting additional information to verify your identity, such as government issued identification documents. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Data. We will only use the Personal Data provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose. When we verify your agent's request, we may verify your identity and request a signed document from your agent that authorizes your agent to make the request on your behalf. To protect your Personal Data, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
If you would like to exercise any of these rights, please contact us at the email in the "How to Contact Us" section below.
If you have a concern about our privacy practices, including the way we handle your Personal Data, please contact us at data@sophon.xyz. We will endeavor to respond to your complaint as soon as possible. You can also report it to your local data protection authority that is authorized to hear those concerns. Contact details for certain data protection authorities can be found using the links below:
The Sophon Foundation is the entity responsible for the Processing of your Personal Data in connection with the Products and is the data controller in respect of such Processing. If you have any questions or comments about this Privacy Policy, our privacy practices, or if you would like to exercise your rights with respect to your Personal Data, please contact us by email at data@sophon.xyz.