Privacy Policy.

The Bantu Blockchain Foundation (referred to in this policy as 'the Foundation', 'BBF', 'we', 'us') is a non-profit organisation incorporated in the Republic of Seychelles. This Privacy Policy explains, in plain language, what information we collect when you interact with bantufoundation.org or services operated by the Foundation, why we collect it, how long we keep it, who we share it with, and the rights you have under applicable data-protection law.

We have written this policy to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the EU ePrivacy Directive, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's PIPEDA, South Africa's POPIA, Singapore's PDPA, and other comparable privacy frameworks. Where a regional law gives you stronger rights than this policy describes, that regional law prevails.

We follow a principle of data minimisation: we collect the smallest amount of information we can while still operating the site, communicating with you, and improving the public materials we publish. We do not sell personal information. We do not share personal information with advertisers. We do not build cross-site profiles. We do not use automated decision-making that produces legal effects on visitors.

The Foundation is the data controller for personal information processed through bantufoundation.org and Foundation-operated channels. Our registered office is in Seychelles. You can reach the privacy contact at general contact. We have appointed an internal Data Protection point of contact reachable through that same address.

Where this policy refers to 'Foundation-operated services', it means: the public website at bantufoundation.org and its localised paths; the Foundation's email channels (info@, operations@, security@, grants@, governance@); the Foundation's official social-media presences; and Foundation-hosted developer documentation, dashboards, and explorer mirrors. It does not cover third-party validators, exchanges, wallets, or community-run infrastructure that interact with the Bantu blockchain. Those parties publish their own policies.

Information you give us directly

Information collected automatically

Information from cookies and similar technologies

See Section 5 for the full breakdown. In short: we set only strictly-necessary cookies by default (locale preference, consent record). Analytics cookies are only loaded if you explicitly opt in through the cookie banner. We do not use advertising or remarketing cookies.

Information we do NOT collect

We use information only for the purposes described below, and only on a lawful basis. The relevant legal basis under EU/UK GDPR is shown for each purpose in brackets.

We never process your personal information for purposes that are incompatible with the ones disclosed here. If we ever propose to use information for a materially new purpose, we will update this policy and, where the law requires it, ask for your consent again.

A cookie is a small text file stored by your browser. We also use the equivalent local-storage APIs to remember your locale and your consent choice. We classify cookies and storage entries into three categories, only the first of which is set without your consent.

You can change your choice at any time using the 'Manage cookie preferences' button below or in the site footer. Withdrawing consent does not affect the lawfulness of processing carried out under your previous consent.

The Foundation does not sell, rent, or barter personal information. We share only what is strictly necessary with carefully selected service providers (processors) who act on our written instructions and under appropriate data-protection agreements (including EU Standard Contractual Clauses where applicable).

We may also disclose information if we are legally required to do so by a competent authority with valid jurisdiction, or if disclosure is necessary to defend the Foundation's rights, the safety of users, or the integrity of the public Bantu network. Where lawfully possible, we will notify the affected person before disclosure.

The Foundation operates from Seychelles. Our processors maintain data centres in multiple jurisdictions; when you visit the site, request metadata may be processed at an edge node geographically close to you (Europe, North America, Africa, Asia-Pacific).

For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, or other approved transfer mechanisms. For transfers from Brazil, we follow the international-transfer requirements of LGPD Art. 33. You can request a copy of the relevant safeguards by writing to general contact.

We retain personal information only for as long as we need it for the purpose we collected it, plus any retention period required by law. The specific periods are:

After the retention period expires, we either irreversibly delete the information or anonymise it so that you can no longer be identified from it.

No system can be made absolutely secure. If we ever become aware of a personal-data breach that creates a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where the law requires it, and we will inform affected individuals without undue delay using the contact details we hold for them.

Depending on where you live, you have a number of rights over the personal information we hold about you. The list below covers all the rights we recognise globally. You may exercise these rights free of charge, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, and tell you why).

EU / UK / EEA / Switzerland (GDPR & UK GDPR)

California (CCPA / CPRA)

Brazil (LGPD)

Canada (PIPEDA), South Africa (POPIA), Singapore (PDPA), and other jurisdictions

We honour rights to access, correction, withdrawal of consent, and complaint to the relevant regulator (the Office of the Privacy Commissioner of Canada; the Information Regulator of South Africa; the Personal Data Protection Commission of Singapore; or the equivalent in your jurisdiction).

Send a request to general contact. Describe what you are asking for. Where we cannot verify your identity from the email address on file, we may ask for additional information strictly necessary to confirm we are dealing with the right person. We will respond within 30 days where the law requires it, and within 45 days for CCPA-class requests, with one extension permitted where reasonably necessary.

You also have the right to complain to a supervisory authority. In the EU, that is the data-protection authority of your country of residence; in the UK, the Information Commissioner's Office (ICO); in California, the California Privacy Protection Agency (CPPA); in Brazil, the Autoridade Nacional de Proteção de Dados (ANPD). We would appreciate the chance to address your concern first, but you are not required to contact us before going to the regulator.

bantufoundation.org is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to the Foundation, contact general contact and we will delete it. In jurisdictions where a higher age threshold applies (for example 13 under COPPA in the United States), the local threshold governs.

The Bantu blockchain itself is open and permissionless. Every transaction, account address, and asset transfer that has ever been recorded on the chain is permanently visible to anyone running a Horizon-compatible client. The Foundation does not publish this information — the protocol does. We cannot remove records from the ledger. We can only help you understand what is and isn't private about how you use it.

Wallet addresses are pseudonymous, not anonymous. If you publicly associate your address with your real-world identity (in a public post, on an exchange profile, in a tweet), anyone can link your on-chain activity back to that identity. Self-custody means you hold both your private keys and your privacy. We recommend using fresh addresses for sensitive transfers, and we encourage you to read the Foundation's guidance on operational privacy before transacting at scale.

bantufoundation.org links to third-party platforms — exchanges, wallets, validators, RPC providers, ecosystem applications, social-media profiles, and code repositories. When you click out, you are leaving the Foundation's site and are subject to that third party's privacy policy and terms. The Foundation does not control and is not responsible for the privacy practices of those services. We encourage you to read their policies before sharing information with them.

We honour the Global Privacy Control (GPC) browser signal. If your browser transmits a GPC header, we treat it as a valid opt-out of 'sale' and 'sharing' under CCPA/CPRA-class laws and we will not load analytics until you explicitly opt in through the cookie banner. We do not currently respond to legacy 'Do Not Track' headers because the standard was deprecated, but the practical effect — no third-party advertising trackers, no cross-site profiling — is the same on this site regardless.

We may amend this policy from time to time. Material changes will be announced at least 30 days in advance on the Foundation's news channel and, where we have your email and the change requires it, by direct notice. The effective date and version at the top of this page show the version currently in force. Earlier versions are archived and available on request.

For any question about this policy or about how the Foundation processes your personal information, write to general contact. For security-sensitive concerns or coordinated disclosure of vulnerabilities, use security team. Our registered office is in the Republic of Seychelles. Postal correspondence can be addressed to the registered office; please email first so we can confirm the current mailing address.