This Privacy Notice explains how Arbitrum OpCo Foundation, a Cayman Islands foundation company (Arbitrum OpCo Foundation”, “OpCo”, “we”, “us” or “our”) collects, uses, discloses and otherwise processes personal information, and how you can exercise your privacy rights. It is intended to meet the requirements of the Cayman Islands Data Protection Act (as amended) and, where applicable, the EU/UK General Data Protection Regulation and similar laws.
This Privacy Notice applies to personal information about natural persons that we process when you:
Visit or use our website and related online interfaces (together, the “Site”); and/or
Interact with us in connection with programs, grants, incentive schemes, events, ecosystem support initiatives, research activities, partnerships and other activities we operate or support (collectively, the “Programs”), including but not limited to the Firestarters program and the RAD Delegate Incentive Program (RAD).
We may update this Privacy Notice from time to time. If we make material changes, we will provide notice as required by applicable law. Your continued use of the Site or participation in Programs after any update is effective means you acknowledge the revised Privacy Notice.
1. Scope of this Privacy Notice
This Privacy Notice applies to personal information regarding natural persons processed by us when:
You browse, access or use the Site;
You communicate with us through the Site, by email or other channels we operate;
You apply to, participate in, or interact with any OpCo Program (including, without limitation, Firestarters, RAD, grants, accelerators or incubators, research or policy projects, events or other ecosystem support initiatives);
We otherwise act as a data controller in relation to your personal information.
This Notice does not cover processing carried out independently by third-party projects, wallets, dApps, community tools, service providers or other ecosystem participants. Their use of your personal information is governed by their own privacy policies.
2. Personal Information We Collect
The categories of personal information we collect depend on how you interact with us and on applicable law. We may collect:
Information you provide directly to us;
Information collected automatically when you use the Site; and
Information we receive from third parties.
2.1 Personal Information You Provide to Us Directly
We may collect personal information you choose to provide, including:
(a) Communications with us
Name and contact details (such as email address, phone number, country/jurisdiction);
The content of your messages and any other information you choose to share when you:
Request information about the Site or Programs;
Subscribe to a newsletter;
Register to attend calls, governance sessions, events or similar;
Otherwise get in touch with us.
(b) Program and application data (OpCo Programs)
If you apply to, participate in or interact with any Program we operate or support (for example, Firestarters, RAD or other present/future initiatives), we may collect:
Identification and profile information:
• Name, alias or handle, contact details, jurisdiction, role or affiliation, organisation, delegate profile, public forum usernames or links;
• Wallet addresses or other on-chain identifiers that you choose to provide or that are linked to your participation.
Application, grant and incentive information:
• Program applications, proposals, questionnaires and forms (including project descriptions, governance activity, rationale for proposals or votes, milestones, deliverables, KPIs);
• Information related to eligibility thresholds and metrics (for example, minimum voting power, voting participation percentages, public rationales, links to your on-chain or forum activity), especially in the context of RAD;
• Information related to grant, incentive or reward amounts, payment instructions, and relevant transaction references.
Participation and performance data:
• Milestones, deliverables, reporting updates, progress notes;
• Attendance or participation in calls, events or working groups linked to a Program;
• Feedback you provide about a Program.
(c) KYC / KYB, AML and compliance data
In connection with certain Programs (including Firestarters, RAD and other initiatives where we must vet participants), we may carry out know-your-customer (KYC*), know-your-business (KYB), sanctions and other compliance checks directly and/or via third-party providers (such as SumSub, MADA or similar). In that context, we may collect:
Identification data and documents:
• Full name, date of birth, nationality, contact details, residential address;
• Government-issued identification or passport details;
• Proof of address and similar documentation.
Compliance and risk-related data:
• Results of sanctions, politically exposed person (PEP) and adverse-media checks;
• Basic information about source of funds and similar representations, where required;
• Other information necessary for us or our providers to comply with applicable laws or internal risk standards.
(d) Ecosystem collaboration and business development data
If you engage with us as a collaborator, advisor, vendor or similar, we may collect information relating to your role, professional background, organisation and relationship with OpCo, as well as your communications and interactions with us.
(e) Careers / contributor opportunities
If we publish roles, fellowships or contributor opportunities and you apply, we may collect:
Information in your CV/resumé, cover letter and any supporting documents;
Professional history and references;
Other information you choose to provide in the context of recruitment or contributor selection.
You may always choose not to provide certain information, but this may limit our ability to interact with you, provide the Site or include you in certain Programs.
2.2 Information Collected Automatically
When you access or use the Site, we may automatically collect certain information, which may be personal data depending on your jurisdiction, including:
Technical and device information: IP address, approximate location derived from IP, device type, operating system, browser type and version, language settings and similar technical details.
Usage information: Pages you view, links you click, referring and exit pages, date and time of access, the amount of time you spend on pages, and other actions taken on the Site.
We use this information primarily to operate, secure, maintain and improve the Site, to understand usage patterns, and to diagnose technical issues.
Cookies and similar technologies
When you access or use the Site, we may automatically collect certain information, which may be personal data depending on your jurisdiction, including:
Enable and support basic Site functionality (for example, keeping you logged in where needed);
Perform analytics, understand how visitors use the Site and improve user experience;
In some cases, support marketing, audience measurement and interest-based advertising.
You can usually configure your browser to limit or block Cookies. If you disable Cookies, certain features of the Site may not function properly.
2.3 Information from Third Parties
We may receive information about you from third parties, such as:
KYC/KYB and compliance providers (for example, SumSub, MADA or similar):
• Identity verification results, status of checks, risk flags and other compliance-related outputs.
Service providers that support our operations:
• Website hosting, analytics, communications, project management and document tools.
Publicly available sources:
• Governance forums, Snapshot, Tally, social media, public delegate profiles and other public channels, particularly when relevant to evaluating your participation in a Program or understanding governance activity.
These third parties may act as our processors (processing information on our instructions) or as independent controllers (for example, where they must process information to comply with their own legal obligations).
3.How We Use Personal Information
We act as a data controller for the purposes described in this Notice. We use personal information for the following purposes and legal bases
3.1 How We Use Personal Information
We use personal information to:
Provide, operate, maintain and secure the Site;
Improve the Site, including by monitoring usage patterns and troubleshooting issues;
Communicate with you in relation to your use of the Site and respond to your requests or inquiries.
Legal bases include legitimate interests (running and improving our Site) and, where applicable, performance of a contract (providing requested services).
3.2 Administering Programs (Grants, Incentives, Ecosystem Initiatives)
In connection with OpCo Programs (including but not limited to Firestarters and RAD), we use personal information to:
Design, launch and manage Programs, including publishing program terms and application processes;
Receive, review and evaluate applications and proposals;
Verify eligibility criteria and thresholds (for example, voting participation, minimum voting power, publicly posted rationales for votes in RAD, or other Program-specific criteria);
Draft, issue, administer and enforce grant and incentive agreements, multisig agreements and related arrangements;
Coordinate payments, including grants, rewards, reimbursements or other disbursements;
Monitor performance against milestones, deliverables and KPIs, process reports and evaluate Program impact;
Prepare anonymised or aggregated statistics and transparency reports for the Arbitrum ecosystem and relevant stakeholders.
We generally rely on **performance of a contract** (including taking steps at your request prior to entering into a contract) and **legitimate interests** (supporting the Arbitrum ecosystem and DAO-approved initiatives) for these activities.
3.3 Compliance, KYC/KYB, AML and Risk Management
We use personal information to:
Carry out identity verification, KYC/KYB, sanctions and other risk checks directly or via third-party providers;
Comply with applicable laws, regulations, guidance and supervisory expectations (including anti-money laundering and sanctions requirements);
Maintain appropriate records for audit, governance and legal purposes;
Prevent, detect and respond to fraud, misuse, governance manipulation, or other harmful or unlawful activity.
Legal bases include compliance with legal obligations and legitimate interests in managing risk and protecting the integrity of OpCo, its Programs and the broader Arbitrum ecosystem.
3.4 Analytics, Research and Service Improvement
We may use personal information (often in aggregated, pseudonymous or de-identified form where feasible) to:
Conduct analytics on Site usage and Program performance;
Improve our decision-making, tooling and operational processes;
Develop new or improved Program formats, governance processes and community-support initiatives.
Legal bases include legitimate interests in understanding and improving how we operate and support the ecosystem.
3.5 Marketing, Communications and Community Engagement
Subject to applicable law, we may use your contact details and preferences to:
Send you updates about Programs, governance calls, events or other ecosystem activities that may be relevant to you;
Provide newsletters or similar communications where you have subscribed or where we otherwise have a lawful basis to contact you;
Invite you to participate in surveys, research or feedback exercises.
You can opt-out of non-operational communications at any time by following unsubscribe instructions in the message or by contacting us. We may still send you service or operational communications (for example, about your grant, RAD rewards or important changes to Program terms).
Legal bases include consent where required (for example for certain email marketing) and legitimate interests (community and governance engagement) where permitted.
3.6 Targeted Advertising and Online Analytics
Where permitted by law and supported by our tooling, we may:
Use Cookies and similar technologies to understand how visitors interact with our Site;
Engage analytics and advertising partners to help measure the effectiveness of communications and, in some cases, to display personalised content or ads on third-party sites.
You may be able to limit certain targeted advertising by:
Adjusting your browser and device settings (for example, limiting Cookies or resetting advertising identifiers); and/or
Using industry opt-out tools where available (for example, the Digital Advertising Alliance or similar frameworks in your region).
We do not currently treat browser “Do Not Track” signals as a binding instruction, but if we change this in future, we will update this Notice.
3.7 Other Purposes
We may also use personal information:
To enforce our agreements and address disputes;
To enforce our agreements and address disputes;
For any other purpose that is clearly explained at the time of collection or that is compatible with the original purpose and permitted by law.
4. How We Share Personal Information
We may share personal information with the following categories of recipients, as permitted by law:
4.1 Service Providers and Vendors
We share personal information with third-party service providers that perform services on our behalf, including:
Website hosting, infrastructure and security providers;
Analytics and measurement providers;
KYC/KYB and AML/sanctions screening providers (for example, SumSub, MADA or similar);
Communication, mailing and collaboration tools;
Legal, tax, compliance and other professional advisers.
Where these service providers act as processors, they are required to process personal information only on our instructions and subject to appropriate confidentiality and security obligations. In some cases, they may act as independent controllers where they must process data to comply with their own legal obligations.
4.2 Program Stakeholders and Ecosystem Entities
Where appropriate and consistent with Program goals and transparency requirements, we may share limited, relevant personal information with:
Members of OpCo’s internal teams, oversight bodies and committees who need access to make or oversee decisions;
Other Arbitrum-aligned entities and ecosystem stakeholders where collaboration is necessary for governance processes, Program delivery or ecosystem initiatives;
External counsel, auditors, consultants and advisors assisting us in fulfilling our duties.
We aim to minimise personal data in any public dashboards or forum updates and focus on aggregated or pseudonymous information where feasible.
4.3 Legal, Regulatory and Safety Disclosures
We may disclose personal information to third parties if we believe in good faith that such disclosure is necessary to:
Comply with applicable laws, regulations, court orders, regulatory requests or legal processes;
Protect the rights, property, or safety of OpCo, the Arbitrum DAO, our users or others;
Investigate, prevent or respond to actual or suspected fraud, security incidents, abuse, or other harmful or unlawful activity.
4.4 Business or Structural Events
If OpCo undergoes a reorganisation, restructuring or similar process (to the extent permitted by Cayman law and its constitutional documents), personal information may be transferred as part of that process, in accordance with applicable law and subject to appropriate safeguards. We do not “sell” personal information.
5. Your Choices and Rights
Your rights over your personal information depend on applicable law and your location.
5.1 Email and Communication Preferences
You can opt-out of receiving non-essential communications by following the unsubscribe instructions in the relevant message or by contacting us. We may still send you messages that are transactional or operational in nature.
5.2 Cookies and Online Tracking
You can configure your browser to restrict or block Cookies, and you may delete Cookies already placed on your device. If you disable certain Cookies, some Site features may not function properly.
As noted above, we currently do not interpret “Do Not Track” signals as a binding instruction, but you may use other tools and settings to manage tracking technologies.
5.3 Rights Under Data Protection Laws
Depending on the laws that apply to you, you may have some or all of the following rights, subject to legal conditions and exemptions:
Right to information – to be informed about how we collect and use your personal information;
Right of access – to request confirmation as to whether we process your personal information and to receive a copy;
Right to rectification – to request correction of inaccurate or incomplete personal information;
Right to erasure – to request deletion of personal information where there is no overriding reason for us to continue processing it;
Right to restriction – to request that we limit the processing of your personal information in certain circumstances;
Right to object – to object to processing based on our legitimate interests, including profiling, where applicable;
Right to data portability – to receive certain personal information in a structured, commonly used and machine-readable format and/or to request that we transmit it to another controller;
Right to withdraw consent – where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before withdrawal.
To exercise these rights, please contact us using the details in Section 11 – Contact Us. We will respond in accordance with applicable law.
You may also have the right to lodge a complaint with a supervisory authority, as described in Section 8.
6. International Data Transfers
We may transfer and store your personal information in countries other than the one in which it was originally collected, including the Cayman Islands and other jurisdictions that may have different data protection standards from those in your home country.
Where required by law, we implement appropriate safeguards for such transfers (for example, Standard Contractual Clauses or equivalent mechanisms) and take steps to ensure that your personal information remains protected in line with applicable requirements.
You can contact us for more information about international transfers and the safeguards in place.
7. Data Retention
We retain personal information for as long as reasonably necessary to:
Operate and improve the Site;
Administer Programs and maintain appropriate records for governance, audit and compliance;
Comply with legal, regulatory, tax and accounting obligations;
Resolve disputes and enforce our agreements.
When determining retention periods, we consider:
The nature and sensitivity of the information;
The risks of harm from unauthorised use or disclosure;
The purposes for which we process it and whether those purposes can be achieved by other means;
Applicable legal or regulatory retention requirements.
When personal information is no longer required, we will take reasonable steps to delete, anonymise or otherwise de-identify it, in accordance with our policies and applicable law.
8. Additional Information for Certain Jurisdictions
Where the EU/UK GDPR or similar laws apply, you may also have the right to lodge a complaint with your local supervisory authority. Examples include:
Contact details for these authorities are available on their respective websites.
We may also provide additional jurisdiction-specific information in separate notices where required by local law.
9. Children’s Privacy
Our Site and Programs are not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or any higher age where required by local law). If we become aware that we have collected personal information from a child in violation of applicable law, we will take reasonable steps to delete it.
If you believe that a child has provided personal information to us, please contact us using the details below.
10. Third-Party Websites and Services
The Site may contain links to third-party websites, applications, services and resources (including, for example, wallets, dApps, governance tools or community platforms). We are not responsible for the privacy or security practices of those third parties.
We encourage you to review the privacy policies of any third-party services you use.
11. Contact Us
Controller:
Arbitrum OpCo Foundation, a Cayman Islands foundation company
Registered office:
Arbitrum OpCo Foundation
c/o Leeward Management Limited
Suite 3119, 9 Forum Lane
George Town, Grand Cayman, KY1-9006
Cayman Islands.
Privacy contact email:
If you have any questions about this Privacy Notice, our privacy practices, or if you wish to exercise your rights, please contact us using the details above.
