Effective as of 1 August 2022


Who we are

We are PhotoChromic AG (PhotoChromic). Our mission is to empower all humans with a portable, verifiable digital identity to transact online. PhotoChromic is a gateway that enables safe online interactions, allowing owners of personal data to obtain control over the sharing of their personal data, unlocking opportunities for individuals and corporates alike with ownership over their identity.

The address of our website is https://photochromic.io

We are headquartered at:
PhotoChromic AG
Grabenstrasse 25
6340 Baar/Zug

The contact details of our Data Protection Officer are:
XpertDPO Ltd
Email Address: [email protected]
Address: 20 Harcourt St, Saint Kevin's, Dublin, D02 H364, Ireland
Telephone Number: +353 1 678 8997
Queries should be directed to our Data Protection Officer in writing. Our Data Protection Officer will respond to written enquiries within one calendar month.

The scope and purpose of this Data Privacy Policy

This is our Data Privacy Policy (Privacy Policy). The purpose of this Privacy Policy is to inform and provide you with an overview of your rights as the owner of Personal Data when interacting with our website and the dApp.

This Privacy Policy will also set out an overview of our data privacy practices and the obligations of PhotoChromic, including what Personal Data we will collect and process when providing you with our products and services.

Importantly, we take no responsibility for how your Personal Data are managed or protected by the owners and operators of any other websites. These include websites whose links are included on our website and the websites of external service providers to PhotoChromic. We recommend that you review the privacy policies on these websites and service providers before you share Personal Data with them.

This Privacy Policy is published on our website at https://photochromic.io and will be updated from time to time.

Key terms

We will use a few important terms in this Privacy Policy and we have set these out below to help you understand the terms of this document.

Agreement means the Data Processing Agreement that we enter into with you before you mint your NFT.

dApp refers to our decentralised application which you will use to mint your NFT.

Data Controllers are the people or organisations that determine the purposes for which, and the manner in which, personal data are processed. They make independent decisions in relation to personal data, including who stores and controls personal data. The Data Controller may enter into a Data Processing Agreement with a Data Processor.

Data Privacy Laws refers to the GDPR and the Swiss Federal Act. These are the laws that govern how we interact with your Personal Data.

Data Processing Agreement is the agreement that the Data Controller and Data Processor enter into, setting out the terms and conditions on which the Data Processor may process personal data on behalf of the Data Controller. The powers of the Data Processor are limited to those rights specifically described in the Data Processing Agreement.

Data Processors process personal data on behalf of the Data Controller in accordance with the terms and conditions of the Data Processing Agreement. Data Processors simply process personal data and at no time does the Data Processor own, control or store the personal data they process.

Data Subjects are the owners of personal data.

GDPR is the General Data Protection Regulation (EU) 2016/679.

NFT is the non-fungible token that holds your Personal Data and which you mint using the dApp.

Personal Data means the information relating to the Data Subject which is required to mint your NFT, including the name, nationality and date of birth of the Data Subject.

Swiss Federal Act is the Swiss Federal Act on Data Protection 1992.

PhotoChromic’s role

When you use the dApp to mint your NFT, you are both the Data Subject and the Data Controller of the Personal Data. At all times, you are the owner and controller of your Personal Data and you independently decide the purposes for which and means by which the Personal Data are processed. You are the only person or party who has the right to use and store your Personal Data.

You will use the dApp to mint your NFT and we provide that service to you strictly in accordance with the terms and conditions of the Agreement. During that process, PhotoChromic may process your Personal Data in its role as a Data Processor. Prior to processing your Personal Data, you and PhotoChromic will enter into the Agreement. The terms of the Agreement will clearly set out that PhotoChromic may not have access to, use, store or in any other way interact with your Personal Data without your specific consent and under your direction. PhotoChromic will be strictly bound by these terms that we agree under the Agreement.

When using our website and/or logging a general query as part of the minting process, you may share a limited amount of Personal Data, for example, but not limited to, your name and email address. In respect of the Personal Data that you willingly provide to us, we will be the Data Controller and we will control that Personal Data in accordance with this Privacy Policy.

Who at PhotoChromic must comply with our Data Privacy Policy?

All of our staff are required to comply with our Data Privacy Policy and our related policies and procedures. This includes our full-time staff, part-time staff, temporary staff and contractors.

What types of Personal Data will we collect and process?

Data Processor

As set out above, during the minting of your NFT, we are acting strictly in accordance with the Agreement. The Agreement clearly sets out that PhotoChromic is not permitted to collect, share or retain any of your Personal Data.

There are scenarios where during the minting process, you may instruct us to assist you in correcting errors in the Personal Data. The correction of your Personal Data is part of the process of minting your NFT. We do not have the right to retain or store any of the Personal Data that is shared with us during this process.

Data Controller

The limited amount of Personal Data which you may share with us on our website will be used and stored strictly in accordance with the Data Privacy Laws. We utilise the highest standards of security and confidentiality for the Personal Data that we store.

Sensitive Data and the Personal Data of children

The Data Privacy Laws set out certain categories of sensitive Personal Data. We do not collect any sensitive data. PhotoChromic is not designed to be used by children. The Personal Data of children should not be shared with us on our website and you should not instruct us to process the Personal Data of children.

Automated Processing

Neither our website nor the dApp utilises your Personal Data for automatic decision-making or profiling.

How long do we keep your Personal Data?

As set out above, the only Personal Data we may retain is the Personal Data you elect to share with us on our website. This is likely to be limited to your name and email address. We will retain a log of your contact with us for as long as the law permits.

Where you use the dApp to mint your NFT, we will retain this data until such time as you no longer utilise your NFT or until such time as you ask us to delete these details. Please direct any queries in this regard in writing to our Data Protection Officer.

Third Parties and Disclosures of your Personal Data

PhotoChromic will not share your Personal Data with any third party.

Sharing the Personal Data with us

As described above, you may share the Personal Data with us either during the process of minting your NFT or in your general communication with us via our website. Before sharing your Personal Data with us, you undertake to have read and understood this Privacy Policy, the contents of our website and the dApp, your rights and our obligations under all relevant laws and where applicable, the terms and conditions of the Agreement. Further, if you are sharing the Personal Data of another Data Subject, you undertake to have ensured that you are legally permitted to disclose that Personal Data. Your decision to share the Personal Data with us is an informed decision and represents your consent for us to use or process the Personal Data so that you may utilise our products and services.

By consenting to the processing of your Personal Data during the minting of your NFT, you are giving us permission to process the Personal Data specifically for the purposes identified in the Agreement.

You may withdraw consent at any time by providing written notice to our Data Protection Officer. The withdrawal of your consent will not have any effect or impact on our processing of the Personal Data prior to the withdrawal of that consent.

PhotoChromic philosophy on data privacy and security

PhotoChromic believes that blockchain and Web 3.0 will be the future digital foundation for society and that it is imperative that these systems offer privacy, security, equality, and financial access for all.

We are deeply passionate about Web 3.0 and the power of decentralization. We recognize the need to balance the power of Web 3.0 with the importance of creating a safe digital space, where anonymity is not an inalienable right.

We feel that PhotoChromic provides a regulatory-friendly solution to the proposed EU legislation, while still putting the Web 3.0 customer first, by giving them the ownership and management rights to share information selectively.

We believe that the primitives of blockchain, decentralization, open-source software, immutability, consensus protocol, and community-governance lend themselves so well to reimagining the financial system of the future. Through the blockchain primitives, regulators are, in fact, afforded superpowers in combating financial crime.

Why is data protection important?

Data protection and privacy laws provide protection to individuals when they interact with other individuals and organisations, ensuring that Data Subjects are empowered to limit the extent to which the Personal Data that they share with third parties may be used by those third parties.

Data protection laws govern the collection, storage, handling, disclosure and other uses of Personal Data.

We are required to demonstrate accountability for our data protection obligations. This means that we must be able to show how we comply with the applicable data protection and privacy laws, and that we have in fact complied with the laws.

We do this, among other ways, by our written policies and procedures, by building data protection and privacy compliance into our products and business rules, by internally monitoring our data protection and privacy compliance and keeping it under review, and by taking swift action if any of our representatives, including employees or contractors, fail to follow the rules. We also have certain obligations in relation to keeping records about our data processing.

What are the general data protection principles and rules?

We aim to uphold and comply with the principles that are set out in the Data Privacy Laws:

  • Lawfulness, Fairness and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Retention
  • Integrity and Confidentiality
  • Accountability

For example, we have drafted the Privacy Policy to explain what Personal Data is required as part of the NFT minting process (Lawfulness, Fairness and Transparency); your Personal Data is required to confirm your identity prior to minting your NFT (Purpose Limitation); only the Personal Data necessary to mint your NFT is included in the NFT minting process (Data Minimisation); you have the ability to review and amend your Personal Data prior to minting your NFT (Accuracy); your Personal Data is not retained once your NFT is minted (Retention); your NFT is stored on the IPFS which is a secure, decentralised platform (Integrity and Confidentiality); and we have implemented robust information governance mechanisms within PhotoChromic (Accountability).

How do you exercise your rights?

We monitor compliance with our data protection obligations with this policy and our related policies and procedures. If you have any questions about this policy or about our compliance with Data Protection Laws, please contact our Data Protection Officer.

Your right to lodge a complaint

Should you be unhappy with our conduct or have a complaint about how we have interacted with your Personal Data, please contact us at [email protected].

You, as the Data Subject, have the right to complain at any time to a relevant supervisory authority in relation to any issues related to our retention of your Personal Data in our capacity as Data Controller and how we are processing your Personal Data under the Agreement.

We would love to hear from you if you have a complaint in relation to the use of your Personal Data, so that we have a chance to address your concerns. If we fail in this, you can address any complaint to a relevant supervisory authority.

As our Data Protection Officer is located in Ireland, you may also contact the Irish Data Protection Commissioner in relation to our use of your Personal Data. You may also contact the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland.


Our practices, as described in this Privacy Policy, may be updated and amended from time to time. Revised Privacy Policies will take effect from the date indicated on the first page and changes will only apply to activities and information on a going-forward, not retroactive, basis.

You are encouraged to review this Privacy Policy periodically to ensure that you understand how any Personal Data that you share with us is used and processed.

Any changes to this Privacy Policy will be posted on this website, so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any time we decide to use your Personal Data in a manner significantly different from that stated in this Privacy Policy, or otherwise disclosed to you at the time it was collected, we will notify you and you will have a choice as to whether or not we use your Personal Data in the new manner.