1. Introduction
This Privacy Policy (the “Policy”) describes how XStars S.r.l., operating under the Fanex brand (“Fanex”, “we”, “us”, or “our”), collects, processes, stores, shares, and protects personal data in connection with the website www.fanex.market and the Fanex platform (collectively, the “Service”).
This Policy is issued in compliance with Regulation (EU) 2016/679 (“GDPR”), the Italian Personal Data Protection Code (Legislative Decree 196/2003, as amended by Legislative Decree 101/2018), and the Google API Services User Data Policy, including the Limited Use requirements.
The Service is intended exclusively for users aged eighteen (18) years or older. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will promptly delete such data. Parents or guardians who believe a minor has provided us with data may contact us at help@fanex.market.
2. Data Controller and Privacy Contact
2.1 Data Controller
XStars S.r.l. (Fanex brand)
Via Gaetano de Castillia, 23, 20124 Milano (MI), Italy
Email: help@fanex.market
2.2 Privacy Contact
Fanex has not appointed a Data Protection Officer, as it is not currently required to do so under Article 37 GDPR. For any privacy-related request or inquiry, users may contact Fanex at help@fanex.market.
3. Principles of Processing
In compliance with Article 5 GDPR, Fanex processes personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency — Processing is conducted on a clearly identified legal basis and communicated to the data subject in clear and intelligible language.
- Purpose limitation — Data is collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
- Data minimization — Only data adequate, relevant, and limited to what is necessary is collected.
- Accuracy — Reasonable measures are taken to ensure data is accurate and, where necessary, kept up to date.
- Storage limitation — Data is retained only for as long as necessary for the purposes for which it is processed.
- Integrity and confidentiality — Appropriate technical and organizational measures are implemented to protect data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability — Fanex is responsible for, and able to demonstrate, compliance with the above principles.
4. Categories of Data Subjects
This Policy applies to the following categories of data subjects:
- Visitors — Any person accessing the Fanex website without registering for an account.
- Registered Users — Natural or legal persons who register on the platform and may purchase, hold, transfer, or otherwise interact with tokens made available through the platform.
- Creators — Natural or legal persons who, acting in their professional capacity, enter into a contractual relationship with Fanex authorizing the listing of their video content and the connection of such content to tokens made available through the platform.
- Other contacts — Any person who interacts with Fanex through support channels, marketing communications, or other touchpoints.
Different sections of this Policy apply to different categories of data subjects. Section 11 (Google API Data) is particularly relevant for Creators.
5. Categories of Personal Data Processed
5.1 All users
- Identification data: name, surname, date of birth, where required.
- Contact data: email address, telephone number, where provided or required.
- Authentication data: login credentials, login timestamps, authentication identifiers.
- Technical data: IP address, device identifiers, browser type and version, operating system, language settings.
- Navigation data: pages visited, session duration, referral source, clickstream data.
5.2 Registered Users
All of the above, plus:
- Identity verification and compliance data, where required by applicable law, platform risk controls, or regulated third-party providers, which may include verification status, risk flags, government-issued identification, proof of address, wallet-related checks, sanctions screening results, or equivalent information depending on the verification flow.
- Financial data: bank account details, payment instrument data, and settlement information, primarily processed by certified or regulated payment service providers.
- Transaction data: records of token purchases, holdings, transfers, amounts, timestamps, and on-chain wallet addresses where applicable.
- Communications: support tickets, feedback, correspondence.
5.3 Creators
All of the above, plus:
- Business identification data: VAT number, company registration details, beneficial ownership information where applicable.
- Contractual data: Creator Agreement, schedule of Contracted Videos, agreed commercial terms, settlement or buy-back information where applicable.
- Google API data, including YouTube AdSense revenue data of Contracted Videos — see Section 11.
5.4 Special categories of personal data
Fanex does not knowingly collect special categories of personal data under Article 9 GDPR. Should such data be inadvertently collected, for example because it is included in a support inquiry, it will be promptly deleted unless retention is required by law.
6. Purposes and Legal Bases of Processing
Fanex processes personal data on the following legal bases, in accordance with Article 6 GDPR and, where applicable, Article 9 GDPR. For each purpose below, Fanex identifies the categories of data processed, the legal basis under Article 6 GDPR, and, where the legal basis is legitimate interest under Article 6(1)(f) GDPR, the specific legitimate interest pursued as required by Article 13(1)(d) GDPR.
| # | Purpose | Data | Legal basis | Legitimate interest |
|---|---|---|---|---|
| 1 | Account registration, authentication, and session management | Identification, contact, authentication data | Art. 6(1)(b) GDPR — Contract | — |
| 2 | Provision of platform services to Registered Users, including token purchase, holding, transfer, and platform account functionalities | Identification, transaction, financial data, wallet-related data | Art. 6(1)(b) GDPR — Contract | — |
| 3 | Provision of platform services to Creators, including technical access to AdSense data via Google APIs | Creator data, Google API data | Primary: Art. 6(1)(b) GDPR — performance of the Creator Agreement; secondary: Art. 6(1)(a) GDPR — explicit consent where required for the publicly visible display of AdSense data | — |
| 4 | Identity verification, fraud prevention, sanctions screening, wallet-related checks, and compliance checks where required by applicable law, platform risk controls, or regulated third-party providers | Identity verification data, identification data, transaction data, wallet-related data, risk flags | Art. 6(1)(c) GDPR — Legal obligation, where applicable; Art. 6(1)(f) GDPR — Legitimate interest where checks are based on platform risk controls and are not legally mandated | Platform integrity, fraud prevention, sanctions screening, abuse prevention, and protection of users and the Service |
| 5 | Tax, accounting, and financial reporting | Identification, transaction, financial data | Art. 6(1)(c) GDPR — Legal obligation | — |
| 6 | Computation and execution of platform distributions and token-related operations through smart contract logic | Transaction data, on-chain data, AdSense data | Art. 6(1)(b) GDPR — Contract | — |
| 7 | Continued processing of AdSense data necessary to honor token-related platform obligations after Creator OAuth withdrawal | AdSense data relating to Contracted Videos only | Art. 6(1)(b) GDPR — Contract with the Creator (residual obligations under the Creator Agreement); Art. 6(1)(f) GDPR — Legitimate interest in the protection of vested rights of Registered Users; Art. 6(1)(c) GDPR — Legal obligation where applicable | Protection of the vested rights of Registered Users who acquired tokens in good faith and reliance on the Creator’s authorization |
| 8 | Customer support and dispute handling | Contact data, communications | Art. 6(1)(b) GDPR — Contract; or Art. 6(1)(f) GDPR — Legitimate interest | Efficient handling of inquiries, complaints, and disputes |
| 9 | Platform security, fraud prevention, abuse detection | Technical, navigation, transaction data | Art. 6(1)(f) GDPR — Legitimate interest | Platform security and integrity, protection of users from fraud and abuse |
| 10 | Service improvement and analytics, aggregated where possible | Technical and navigation data | Art. 6(1)(f) GDPR — Legitimate interest, where analytics are essential or privacy-preserving; Art. 6(1)(a) GDPR — consent where required | Continuous improvement of the Service and user experience |
| 11 | Establishment, exercise, or defense of legal claims | All categories, as relevant | Art. 6(1)(f) GDPR — Legitimate interest | Defense against legal claims and protection of Fanex’s legal position |
| 12 | Direct marketing to existing customers (soft opt-in) | Contact data | Art. 6(1)(f) GDPR — Legitimate interest, with opt-out | Promotion of services analogous to those already used by the customer |
| 13 | Direct marketing to prospects and non-customers | Contact data | Art. 6(1)(a) GDPR — Consent | — |
| 14 | Use of non-essential cookies and non-essential analytics | Technical and navigation data | Art. 6(1)(a) GDPR — Consent | — |
Where processing is based on consent under Article 6(1)(a) GDPR, you may withdraw consent at any time by contacting help@fanex.market or by using the mechanisms described in Section 13. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Users may object to direct marketing at any time, free of charge, by using the unsubscribe link in the relevant communication or by contacting help@fanex.market.
6.5 Mandatory and Optional Provision of Data
Providing personal data required for account creation, authentication, transaction execution, identity verification where applicable, payment processing, contractual performance, tax/accounting compliance, and platform security is necessary to use the relevant parts of the Service. Failure to provide such data may prevent Fanex from creating or maintaining an account, enabling platform functionalities, processing transactions, executing payments or distributions, complying with legal obligations, or entering into or performing the relevant agreement. Providing data for marketing, non-essential cookies, non-essential analytics, and optional communications is voluntary and refusal does not affect access to core Service functionalities.
8. Data Sharing and Recipients
8.1 Categories of recipients
Fanex may share personal data with the categories of recipients listed below, each acting as either data processor under a Data Processing Agreement pursuant to Article 28 GDPR or as an independent data controller, depending on the processing activity.
| Category | Function | Role |
|---|---|---|
| Cloud and hosting providers | Infrastructure, storage, server operations | Data processor |
| Authentication providers | Sign-in and identity federation, including Google OAuth | Data processor / independent controller |
| Database and analytics providers | Data storage and operational analytics | Data processor |
| Payment service providers | Payment processing, settlement, safeguarding or related regulated services | Independent controller |
| Identity verification and compliance providers | Identity checks, document verification, wallet-related checks, sanctions screening, risk scoring, and anti-fraud checks where applicable | Independent controller / data processor |
| Wallet and on-chain infrastructure providers | Wallet connectivity, smart contract interaction, on-chain settlement | Data processor / independent controller, depending on the service |
| Email and customer support providers | Communication, notifications, ticketing | Data processor |
| Marketing platform providers | Newsletter, marketing automation, campaign management | Data processor |
| Google APIs (YouTube Data API and YouTube Analytics API) | Authentication and access to YouTube/AdSense data as described in Section 11 | Independent controller |
| Legal, accounting, and tax advisors | Professional services | Independent controller |
| Regulatory, supervisory, and law enforcement authorities | Disclosures required by law | Independent controller |
A current list of named data processors, including company name, country, and role, is available upon request at help@fanex.market.
8.2 Public display of Creator AdSense revenue data — general framework
For Creators who have entered into a contractual relationship with Fanex and provided separate, informed, and granular authorization for public display, AdSense revenue data of Contracted Videos is displayed on the Fanex platform.
- The public display applies exclusively to videos that are the subject of a signed Creator Agreement with Fanex and that are linked to tokens made available through the platform.
- The public display is based on the Creator’s contractual obligation to make such data available and on the Creator’s separate, informed, and granular authorization for the publicly visible display.
- The public display is a core, user-facing feature of the Fanex Service, requested and authorized by the Creator and disclosed to the Creator before authorization.
- The public display is governed in its revocability and in the persistence of token-related platform obligations by Section 11 of this Policy and by the Creator Agreement.
8.3 Granularity of the public display
The specific format, granularity, and visibility of publicly displayed AdSense data is determined by Fanex in accordance with the platform terms of service and may include the following parameters:
- Metrics displayed — Historical and/or current revenue figures, view count, and other AdSense or YouTube Analytics metrics relevant to the verification of the Contracted Video’s economic profile.
- Granularity — Data may be displayed at the individual video level and/or in aggregated form.
- Timeliness — Data may be displayed in real time, with delay, or as periodic snapshots, depending on technical and operational considerations.
- Visibility — Data may be visible to registered users, authorized platform participants, or visitors of the platform, depending on platform configuration.
- Format — Data may be presented as figures, charts, tables, or other formats and may or may not be downloadable.
Publicly displayed revenue data may be aggregated, rounded, delayed, anonymized at the channel level, or otherwise limited where appropriate to protect Creator confidentiality, platform security, or compliance obligations. The exact parameters of the public display in force at any given time are described in the platform terms of service.
8.4 Accuracy of displayed AdSense data
AdSense revenue data displayed on the platform is sourced from Google’s AdSense and YouTube Analytics systems. Such data:
- Is historical and informational.
- Reflects revenue accrued on already-published video content.
- May be subject to retroactive adjustments by Google, which Fanex will reflect on the platform as and when propagated or otherwise made available.
- Does not constitute a forecast, guarantee, or representation of future revenue performance.
8.5 No sale of personal data
Fanex does not sell personal data to third parties.
8.6 Business transactions
In the event of a merger, acquisition, corporate restructuring, sale of assets, or insolvency proceeding, personal data may be transferred to the successor entity, subject to prior notice to data subjects where required by applicable law and to the successor entity’s commitment to honor the terms of this Policy with respect to the transferred data.
9. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), such transfer takes place exclusively on one of the following bases:
- Transfer to a country recognized by the European Commission as ensuring an adequate level of protection under Article 45 GDPR.
- Transfer subject to appropriate safeguards under Article 46 GDPR, including Standard Contractual Clauses adopted by the European Commission, with supplementary measures where necessary following the Schrems II ruling (Case C-311/18).
- Transfer based on the data subject’s explicit consent or another derogation under Article 49 GDPR, where applicable.
A copy of the relevant transfer safeguards is available upon request at help@fanex.market.
10. Data Retention
Fanex retains personal data only for as long as necessary for the purposes set out in Section 6:
| Category | Retention period | Basis |
|---|---|---|
| Account data — account with no transaction history | Until account deletion plus up to 24 months for security and legal defense purposes | Legitimate interest, security, legal defense |
| Account and transaction data — accounts with paid transactions | Up to 10 years from termination of the relationship, where required for tax, accounting, compliance, or legal defense purposes | Italian civil law, including Article 2220 of the Italian Civil Code where applicable, tax law, applicable compliance obligations, legal defense |
| Identity verification and compliance records | Where Fanex is legally required or contractually required by regulated third-party providers to retain identity verification or compliance records, such records may be retained for the applicable statutory or contractual retention period. Where verification is performed by third-party providers, retention is governed primarily by the provider’s own legal obligations and privacy policy. | Applicable law, platform risk controls, contractual requirements with regulated third-party providers, and provider-specific legal obligations |
| Navigation, session, and technical logs | Maximum 13 months | Legitimate interest, security |
| Cookie data | As specified in the Cookie Policy | Consent or legitimate interest depending on cookie category |
| Marketing data — existing customers | Until opt-out plus 30 days, or otherwise for a maximum of 24 months from the end of the customer relationship or last meaningful interaction, unless a longer period is justified by applicable law or documented legitimate interest | Legitimate interest with opt-out |
| Marketing data — prospects and non-customers | Until consent withdrawal plus 30 days, or otherwise for a maximum of 24 months from the last meaningful interaction or consent renewal, whichever occurs first | Consent |
| Google OAuth authentication data | Duration of active session; minimum identifiers retained for account lifetime where necessary for authentication and account integrity | Contract |
| Google AdSense data of Contracted Videos | Duration of the Creator Agreement plus the period necessary to honor token-related platform obligations, as described in Section 11.7 | Contract, legal obligation where applicable |
| Support communications | 5 years from closure of ticket | Legitimate interest, legal defense |
| On-chain blockchain data | Permanent and outside Fanex’s technical control, as described in Section 12 | Technical architecture of public blockchain networks |
Upon expiry of the applicable retention period, data is securely deleted or, where permitted by law, anonymized. Where deletion is technically impossible for on-chain data, Fanex applies off-chain deletion or de-linking measures as described in Section 12.
11. Google API Data — Specific Disclosure
This Section describes how Fanex accesses, processes, stores, and protects data obtained through Google APIs, in compliance with the Google API Services User Data Policy.
Fanex’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
11.1 Two distinct levels of Google API integration
Fanex uses Google APIs at two distinct and independent levels:
- Authentication layer (all users) — Google OAuth 2.0 for user login.
- AdSense data layer (Creators only) — YouTube Data API and YouTube Analytics API for accessing AdSense revenue data of Contracted Videos.
The two layers operate independently. Authorizing the authentication layer does not authorize the AdSense data layer, which requires a separate authorization process at the moment of API connection.
11.2 Authentication scopes (all users)
When you sign in with Google, Fanex accesses:
- email — Your Google account email address.
- profile — Your public Google profile information, such as name and profile picture.
- openid — Your unique Google identifier, used to authenticate your session.
Authentication data is used solely for account creation, authentication, session management, and onboarding pre-fill.
11.3 AdSense data scopes (Creators only)
For Creators who have entered into a signed Creator Agreement and provided OAuth authorization at the moment of API connection, Fanex accesses:
- https://www.googleapis.com/auth/yt-analytics-monetary.readonly — YouTube Analytics monetary data, including historical and current AdSense revenue of Contracted Videos.
- https://www.googleapis.com/auth/youtube.readonly — Public metadata of Contracted Videos, including title, publication date, and view count, for verification and display purposes.
Access is granular and limited to the Contracted Videos listed in the Creator Agreement.
11.4 Legal bases for AdSense data processing
The processing of AdSense data is grounded in the following bases:
- (a) Primary basis — Performance of the Creator Agreement. Article 6(1)(b) GDPR: the Creator has entered into a commercial agreement with Fanex under which the Creator undertakes to make AdSense data of the Contracted Videos available to Fanex for the purposes of the agreement (verification, public display, automatic distribution, token-related platform operations, compliance).
- (b) Secondary basis — Explicit consent for public display. Article 6(1)(a) GDPR: the publicly visible display of AdSense data is additionally based on the Creator’s separate, informed, and granular consent obtained at the moment of OAuth authorization.
- (c) Technical authorization mechanism — OAuth 2.0. Google OAuth 2.0 authorization functions as the technical authorization mechanism to access the Google APIs and is not itself a self-standing GDPR legal basis.
11.5 Purposes of AdSense data processing
AdSense data is used exclusively for the following purposes:
- Eligibility verification — Verifying that Contracted Videos meet platform listing criteria, including active monetization and other criteria set out in the Creator Agreement and platform terms of service.
- Public display — Displaying AdSense revenue data of Contracted Videos on the platform, in the form and with the granularity described in Section 8.3, as a core user-facing feature requested and authorized by the Creator and disclosed to the Creator before authorization.
- Automatic distribution — Computing and executing proportional platform distributions through the platform’s deterministic smart contract logic.
- Token-related platform operations — Supporting token-related platform operations linked to Contracted Videos, including issuance, holding, transfer, settlement, and other platform functionalities.
- Legal compliance — Complying with applicable legal, tax, accounting, reporting, and compliance obligations.
11.6 Limited Use compliance
Fanex’s use of Google API data adheres to the Limited Use requirements of the Google API Services User Data Policy. Specifically, Fanex:
- Uses Google API data solely to provide or improve user-facing features that are clearly disclosed to and requested by the user.
- Does not use Google API data to serve advertisements, including retargeting, personalized, or interest-based advertising.
- Does not allow humans to read Google user data, except: (i) with the user’s explicit affirmative agreement for specific messages; (ii) where strictly necessary for security purposes such as investigating abuse; (iii) where required by applicable law; or (iv) where data is aggregated and used for internal operations in compliance with applicable law.
- Does not sell Google API data.
- Does not transfer Google API data to third parties except where permitted by the Google API Services User Data Policy, including: (i) where strictly necessary to provide or improve user-facing features clearly disclosed to and authorized by the user; (ii) to comply with applicable law; (iii) for security purposes; or (iv) as part of a merger, acquisition, or sale of assets where the required prior consent or notice has been obtained.
- Does not use Google API data to develop, improve, or train generalized or non-personalized artificial intelligence or machine learning models.
The public display of Contracted Videos’ AdSense revenue data is limited to the Contracted Videos, is part of the user-facing functionality requested and authorized by the Creator, and is disclosed before authorization. Such public display is not a sale of data and occurs only as a disclosed user-facing feature authorized by the Creator.
11.7 Revocation of OAuth authorization and contractual obligations of the Creator
In compliance with Article 7(3) GDPR, the Creator may revoke OAuth authorization at any time through Google account security settings (myaccount.google.com/permissions) or by written request to help@fanex.market.
- (a) Effect on technical access. Revocation of OAuth authorization immediately terminates Fanex’s technical ability to access AdSense data via Google APIs on the basis of the revoked authorization. No new AdSense data shall be retrieved by Fanex via the revoked OAuth authorization for Contracted Videos affected by the revocation.
- (b) No effect on the Creator Agreement. Withdrawal of OAuth authorization does not terminate the Creator Agreement and does not affect reporting, payment, settlement, audit, tax, accounting, distribution, or token-related platform obligations already accrued under the Creator Agreement. The Creator’s contractual obligation to make AdSense data available for the duration of the agreement and for outstanding token-related platform obligations remains in force.
- (c) Cooperation obligation. Where OAuth access is withdrawn while token-related platform obligations remain outstanding, the Creator must cooperate with Fanex by providing equivalent revenue reporting through alternative means, such as manual reporting, periodic exports, renewed OAuth authorization, or activation of the contractual settlement or buy-back mechanism, as set out in the Creator Agreement.
- (d) No retroactive invalidation of prior processing. Processing of AdSense data carried out before revocation remains lawful under Article 7(3) GDPR. Past public displays and past token-related platform operations carried out in reliance thereon are not affected.
- (e) Residual processing on a combined legal basis. Where, at the moment of revocation, token-related platform obligations remain outstanding, Fanex shall be entitled to continue processing AdSense data already lawfully collected or subsequently provided by the Creator or by another lawful and properly authorized reporting mechanism, strictly limited to what is necessary to honor such obligations. This residual processing operates on a combined legal basis: (i) Article 6(1)(b) GDPR, performance of residual Creator Agreement obligations toward the Creator; (ii) Article 6(1)(f) GDPR, legitimate interest in the protection of the vested rights of Registered Users who acquired tokens in good faith and in reliance on the Creator’s authorization; and (iii) Article 6(1)(c) GDPR, compliance with legal obligations where applicable. This residual processing operates independently of the revoked OAuth authorization and of the Creator’s individual consent.
- (f) Termination of residual processing. The Creator may terminate the residual processing by exercising the contractual mechanisms set out in the Creator Agreement, including early termination, buy-back, or settlement of outstanding token-related platform obligations.
11.8 Storage and protection of Google API data
- Only the minimum data necessary for the purposes described in Sections 11.2 and 11.5 is stored.
- Google API data is encrypted in transit using TLS 1.3 or equivalent industry-standard encryption and encrypted at rest using AES-256 or equivalent industry-standard encryption.
- Access is restricted to authorized Fanex systems and personnel on a need-to-know basis, governed by role-based access control.
- OAuth refresh tokens for AdSense data access are stored encrypted and only while the Creator Agreement is in force and authorization is not revoked, unless retention is required for security or legal evidence purposes.
- OAuth authentication tokens are not stored beyond the active session, except for minimum identifiers necessary for account integrity.
11.9 Deletion of Google-derived data
- Upon termination of the Creator Agreement, and assuming no outstanding token-related platform obligations remain, Google-derived data is permanently deleted within 30 days unless further retention is required by law.
- Upon user account deletion, Google-derived data is deleted within 30 days, subject to retention required to honor token-related platform obligations or to comply with legal obligations.
- All users may request deletion at any time at help@fanex.market.
12. Blockchain Transactions and On-Chain Data
Transactions on the Fanex platform may be recorded on a public blockchain through the platform’s smart contracts, in particular with respect to the issuance, transfer, and execution of token-related platform operations linked to Contracted Videos. Public blockchains are decentralized, distributed ledgers designed to record transactions immutably across networks not operated or controlled by Fanex.
12.1 Nature of on-chain data
Data recorded on a public blockchain — including wallet addresses, transaction amounts, timestamps, and smart contract interactions — is, by the technical architecture of the underlying networks, publicly accessible, immutable, and not under the technical control of Fanex. Such data may be subject to forensic analysis by third parties, which may, in combination with other data, lead to re-identification of transacting individuals.
12.2 Limits to the right of erasure
Fanex cannot technically erase or modify public blockchain records, because such records are not under Fanex’s technical control. This is a structural feature of public, decentralized distributed ledgers and not a discretionary choice by Fanex. Where users exercise the right of erasure under Article 17 GDPR with respect to data associated with on-chain transactions, Fanex will comply by deleting or de-linking the off-chain personal data under its control, for example the mapping between wallet addresses and user identity, without affecting the on-chain record itself, which remains technically immutable.
12.3 Data minimization and prior notice
To minimize privacy impact, Fanex adopts the following measures:
- Data minimization — Only the minimum data strictly necessary for the platform’s automatic distribution logic is recorded on-chain; personal identifiers are not intentionally written on-chain.
- Off-chain storage of identifying data — Mapping between wallet addresses and user identity is stored off-chain and is subject to standard GDPR deletion and rectification procedures.
- De-linking — Where erasure is requested, Fanex de-links the wallet address from identifying personal data, rendering the on-chain record effectively pseudonymous to the extent technically possible.
- Prior notice — Before any on-chain transaction, users are informed that blockchain data may be permanent, public, and not erasable by Fanex. By proceeding with an on-chain transaction, the user acknowledges these technical characteristics.
12.4 Smart contract immutability
Where Fanex deploys smart contracts on public blockchains as immutable contracts with no administrative key or upgrade mechanism, such immutability is an essential technical feature of the platform’s deterministic, ministerial distribution logic and is disclosed to users as part of the platform terms of service. Where different technical configurations apply, they will be disclosed in the relevant platform documentation.
13. Rights of Data Subjects
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — Obtain confirmation of whether your data is processed and receive a copy.
- Right to rectification (Art. 16 GDPR) — Request correction of inaccurate data.
- Right to erasure (Art. 17 GDPR) — Request deletion, subject to the limitations of Article 17(3) GDPR and to the technical limits applicable to on-chain data described in Section 12.
- Right to restriction of processing (Art. 18 GDPR) — Request that processing be limited in specific circumstances.
- Right to data portability (Art. 20 GDPR) — Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR) — Object to processing based on legitimate interests or to direct marketing.
- Right not to be subject to automated decision-making (Art. 22 GDPR) — Fanex does not engage in automated decision-making producing legal or similarly significant effects on the data subject.
- Right to withdraw consent (Art. 7(3) GDPR) — Withdraw consent at any time, without affecting prior lawful processing.
- Right to lodge a complaint (Art. 77 GDPR) — Lodge a complaint with a supervisory authority.
To exercise any of these rights, contact help@fanex.market. We will respond without undue delay and in any case within one month of receipt of the request, in accordance with Article 12(3) GDPR, subject to any lawful extension where the request is complex or numerous.
You may object to direct marketing at any time, free of charge, by using the unsubscribe link or by contacting help@fanex.market.
Pursuant to Article 77 GDPR, you have the right to lodge a complaint with the Garante per la protezione dei dati personali or with the supervisory authority of your country of residence, place of work, or place of the alleged infringement within the EEA.
14. Security Measures
Fanex implements appropriate technical and organizational measures pursuant to Article 32 GDPR, including:
- Encryption for data in transit using TLS 1.3 or equivalent industry-standard protocols.
- Encryption for data at rest using AES-256 or equivalent industry-standard encryption where technically applicable.
- Role-based access control with the principle of least privilege.
- Multi-factor authentication for administrative access.
- Regular vulnerability assessments and penetration testing, proportionate to the risk and maturity of the Service.
- Logging and monitoring of access to personal data.
- Data minimization and pseudonymization where appropriate.
- Incident response procedures with notification mechanisms under Articles 33 and 34 GDPR, including notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after Fanex becomes aware of a personal data breach, where required.
- Periodic security training for personnel with access to personal data.
- Data Processing Agreements with data processors pursuant to Article 28 GDPR.
Notwithstanding these measures, transmission of information via the internet is not entirely secure. We cannot guarantee absolute security of data transmitted to or from the Service.
15. Children
The Service is intended exclusively for users aged 18 or older. Fanex does not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will delete it without delay.
16. Links to Third-Party Sites
The Service may contain links to third-party websites, applications, or services. Fanex does not control such third parties and is not responsible for their privacy practices. We encourage users to review the privacy policies of any third-party site, application, or service they visit or use.
17. Changes to this Privacy Policy
Fanex may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated through the website or other appropriate channels at least 15 days before they take effect, where required by applicable law. The Effective Date at the top of this Policy indicates the date of the latest version. Continued use of the Service after the Effective Date of an updated Policy constitutes acknowledgement of the updated Policy. Where changes materially affect processing based on consent, fresh consent will be requested where required.
Please also review our Terms and Conditions for additional information about the use of our services.
18. Contact
Data Controller: XStars S.r.l. (Fanex brand)
Address: Via Gaetano de Castillia, 23, 20124 Milano (MI), Italy
Email: help@fanex.market
Privacy contact: help@fanex.market
Supervisory authority: Garante per la protezione dei dati personali