Data Sharing Terms

Data Sharing Terms

Data Sharing Terms

1. Application

These Data Sharing Terms (“DST”) apply to the Processing of Personal Data shared between us whenever this DST is incorporated by reference into another agreement between us (such as an Order Form, our Growth Product Terms, or Developer Terms).

The DST contains the rules applicable to our relationship as Independent Controllers and the transfer of Personal Data, along with additional rules about the transfer of data outside of the European Union (“EU”), European Economic Area (“EEA”) and United Kingdom (“UK”), as may be applicable. Each of us must Process Personal Data on the terms set out in this DST. The specific details of each data transfer, as required by the Standard Contractual Clauses(“SCCs”), are set out in the applicable Specification within Annexure I.

2. Precedence

The DST supplements the European Standard Contractual Clauses (“SCC”) and the UK International Data Transfer Addendum (“IDTA”), in accordance with Annexure I, where both Parties act as Independent Controllers (as defined below). In case of inconsistency between the terms of this DST and the SCC and/or the IDTA, the SCC and/or IDTA will apply to the extent of the inconsistency.

3. Independent controllership

While our relationship does not constitute (including for the purposes of the GDPR) either a Joint Controller relationship or a Data Controller to Data Processor relationship, the Parties still wish to detail the nature of the Processing operation. Our relationship (including for the purposes of the GDPR) is that of two distinct Controllers, each determining independently the purposes and means of the respective Processing with each of us being an “Independent Controller”.

4. Cross border data transfers

Each of us agrees that Applicable Data Protection Laws may require that additional measures be taken to secure transfers of Personal Data outside the country or region from which we originate. In such a case, we will help each other in implementing these additional measures. To that extent:

  • For transfers from the EEA: this DST is intended to supplement the SCC, which are incorporated by reference in accordance with its Module 1 – Data Controller to Data Controller, and provide the details for the relevant appendix in Annexures I and II to this DST.

  • For transfers from the UK: the acceptance of these terms is deemed acceptance and execution of the IDTA to the SCC as issued by the UK Information Commissioner’s Office, which is incorporated by reference.

4.1 Security of Processing

Clause 8.5(c) of the SCC is supplemented as follows:

“and have received sufficient training on data protection compliance”.

Clause 8.5(d) of the SCC is supplemented as follows:

“Data Importer shall promptly following discovery or notice of such Personal Data Breach, at its own costs and expenses, take (i) corrective action to mitigate any risks or damages involved with such Personal Data Breach and to protect Data Exporter Personal Data from any further use and/or access, (ii) investigate, evidence and document such Personal Data Breach, in particular its context, date of occurrence, type, extent and data involved, as well as any elements pertaining to the diagnosis of the origin or the occurrence of such Personal Data Breach, and the direct and indirect consequences of this Personal Data Breach, and provide Data Exporter with such evidence and documents, and (iii) any other actions that may be required by Applicable Data Protection Laws as a result of such Personal Data Breach, subject to Data Exporter’s prior written approval.”

Clause 8.5(h) of the SCC is added as follows:

“In any case, on becoming aware of any suspected or actual Personal Data Breach, the Data Importer shall notify the Data Exporter without undue delay and in any case within twenty-four (24) hours after having become aware of the suspected or actual Personal Data Breach”

4.2 Data Subject Rights

Clause 10 of the SCC is supplemented as follows:

Data Importer shall not respond to that request itself unless it has been authorised to do so by the Data Exporter or to confirm that such request has been duly forwarded to Data Exporter upon doing so.

4.3 Cooperation

The Data Importer will be responsible for all costs of cooperation and assistance by Data Importer to Data Exporter to enable Data Exporter to comply with its obligations under GDPR under clauses 8.6(d), 8.9(c) and 10 of the SCC.

4.4 Liability

Clause 12 of the SCC is supplemented as follows:Each party shall be liable to the other party/ies for any damages it, its staff or its authorized sub-Processors, causes the other party/ies by any breach of these Clauses and/or any data protection laws, including, but not limited to, loss of profits, reputation, image or business opportunity, and reasonable attorney's fees, subject to the limitation of liability set out in the General Terms.

4.5 Effective Date

The SCC and/or the IDTA shall come into force on the date you accept these terms or the first transfer of the Personal Data from the Data Exporter to the Data Importer, whichever the earlier. It shall be automatically terminated when our relationship terminates or expires for any reason (although any relevant provisions will survive for as long as Personal Data related to a party is retrained by the other party).

4.6 - Supervision

While the Data Exporter is not established in EEA, option 3 of Clause 13 of the SCC – (“The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority”) will apply.

4.7 Duration and consequence of termination

Clause 16 is supplemented as follows:

“Upon expiration or termination for whatever reason of these Clauses or the DST:The Data Importer shall inquire from the Data Exporter about the Data Exporter’s intention with regard to the Personal Data at least fifteen (15) days prior to the effective termination of these Clauses or the DST. Further to this inquiry, where the Data Exporter inform the Data Importer of its intention to retrieve Personal Data, the Data Importer shall retrieve all Personal Data and make them available to the Data Exporter under a commonly used electronic format within fifteen (15) days from effective termination or expirationFurther to such provision, or if Data Exporter has not instructed Data Importer for the retrieval of Personal Data prior to the effective expiration or termination of these Clauses or the DST, Data Importer shall delete all Personal Data on its systems (without prejudice to any backup archives) unless otherwise instructed by Data Exporter prior to the effective date of termination. Data Importer shall cooperate reasonably and in a timely manner with the efforts by Data Exporter, or any other party acting on Data Exporter’s behalf, to provide for an orderly transition of the Processing to Data Exporter or another service provider. Notwithstanding anything to the contrary, Data Importer may retain one copy of the Personal Data only for as long as there exists a legal requirement to do but in compliance with Applicable Data Protection Laws and subject to the provision of these Clauses.”

4.8 Governing law

Despite anything to the contrary in the General Terms, the Data Exporter not being established in the EEA, the governing law for data processing operations subject to the EU GDPR will be France. For data processing operations subject to the UK GDPR, the governing law shall be that of England and Wales.

4.9 Choice of forum and jurisdiction

The Data Exporter not being established in the EEA, the courts of France have been elected as competent jurisdiction in the occurrence of any dispute between the Parties relating to the SCC. For data processing operations subject to the UK GDPR, the courts of London shall have exclusive jurisdiction over any dispute arising out of the IDTA.

4.10 Options

Optional language contained in clause 7 (“Docketing Clause”) and the second paragraph of clause 11 (“Redress”) of the SCC are waived.

5. Definitions

The terms “Personal Data”, “Data Subject”, “Controller”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meaning as defined in Article 4 GDPR. Any terms not defined in this DST have the meanings given in the Applicable Data Protection Laws.

Applicable Data Protection Law means: (i) the EU General Data Protection Regulation 2016/679 (“EU GDPR”) and any implementing local law; (ii) the e-Privacy Directive 2002/58/EC (“ePrivacy Directive”); (iii) the United Kingdom Data Protection Act (“UK GDPR”; and, together with the EU GDPR referred as “GDPR” for as long as they remain substantially similar); and (iv) any equivalent legislation in any jurisdiction in which we are established, or subject to specific data protection laws.

Annexure I to Data Sharing Terms

This Annexure I is intended to supplement the relevant Annexure of the SCC and / or IDTA (as applicable).

Data Transfer Specifications

The specific details of the data transfer applicable to the services you have subscribed to are set out in the relevant Specification below.

Specification A: Passport Integration Data

This specification applies if you have integrated Immutable Passport into your Application.

A. LIST OF PARTIES

Data importer(s):

Name: you, the Developer.

Address: the address details attributed to you, the Developer who agrees to the Developer Terms or any other protocol licence agreement with Immutable.

Contact person’s name, position and contact details: the contact details attributed to the authorised representative who is capable of agreeing to the Developer Terms or any other protocol licence agreement with Immutable on behalf of you, the Developer.

Activities relevant to the data transferred under these Clauses: Passport account creation and management

Role: Controller/Data Importer

Data exporter(s):

Name: Immutable zk Pty Ltd.

Address: c\o Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Passport account creation and management

Role: Controller/Data Exporter

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

  • Users or prospective users of the Passport product are the Data Subjects involved.

Categories of Personal Data transferred

  • Non-sensitive Personal Data only will be transferred, such as the user's email, social media handle name and/or wallet addresses.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

  • Continuous

Nature of the Processing

  • We collect relevant Personal Data through direct interactions with users e.g. when users create a Passport account. Detailed descriptions of how we process and use Personal Data are included in our Privacy Policy.

Purpose(s) of the Personal Data transfer and further Processing

  • Transfer of the relevant Personal Data is required to enable the operation of the Passport authorisation tool and associated account creation and management functions.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

  • Personal Data retention to be aligned to each organisation’s privacy policy. It will only be retained for as long as necessary to fulfil the purposes we collected it for.

Specification B: Growth Product – Wishlist Marketing Data

This specification applies if you have subscribed to a Growth Product that includes the sharing of Personal Data in relation to the provision of those Growth Products.

A. LIST OF PARTIES

Dataimporter(s):

Name: you, the customer receiving Growth Products.

Address: the address details attributed to you, the customer receiving Growth Products who agrees to the Growth Product Terms with Immutable.

Contact person’s name, position and contact details: the contact details attributed to the authorised representative who is capable of agreeing to the Growth Product Terms with Immutable on behalf of you, the customer receiving Growth Products.

Activities relevant to the data transferred under these Clauses: Receiving and using Personal Data in relation to the provision of Growth Products.

Role: Controller/Data Importer

Dataexporter(s):

Name: Immutable zk Pty Ltd.

Address: c\o Bacchus Associates (Pratten Park) Pty Ltd, 56 Bowman Street, 2009 Pyrmont Australia

Contact person’s name, position and contact details: Alice Dillon, Head of Legal, Risk and Compliance; alice.dillon@immutable.com

Activities relevant to the data transferred under these Clauses: Provision of Personal Data via the Growth Products.

Role: Controller/Data Exporter

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred

●     Users of Immutable’s platforms, including Immutable Play.

Categories of Personal Data transferred

●     Non-sensitive Personal Data only will be transferred, such as the user's email, social media handle name and/or wallet addresses.

The frequency of the transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis)

●     Continuous

Nature of the Processing

●     We collect relevant Personal Data through direct interactions with users on Immutable Platforms and or via external platforms such as “X”. Detailed descriptions of how we process and use Personal Data are included in our Privacy Policy.

Purpose(s) of the Personal Data transfer and further Processing

●     To allow the Data Importer to gain insights on their end user audiences and communicate with end users about the Data Importer's Game, including for community engagement and product updates.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data retention to be aligned to each organisation’s privacy policy. It will only be retained for as long as necessary to fulfil the purposes we collected it for.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority is determined to be that of France.

See section 4.6 of the DST.

Annexure II to Data Sharing Terms

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer must maintain technical and organisational measures to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.

The Data Importer is responsible for engaging appropriate expertise to ensure an appropriate level of security is maintained. Notwithstanding that, some of the following measures may be considered as part of an overall data security regime:

  • Measures of pseudonymisation and encryption of Personal Data

  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services

  • Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the Processing

  • Measures for user identification and authorisation

  • Measures for the protection of data during transmission

  • Measures for the protection of data during storage

  • Measures for ensuring physical security of locations at which Personal Data are Processed

  • Measures for ensuring events logging

  • Measures for ensuring system configuration, including default configuration

  • Measures for internal IT and IT security governance and management

  • Measures for certification/assurance of Processes and products

  • Measures for ensuring data minimisation

  • Measures for ensuring data quality

  • Measures for ensuring limited data retention

  • Measures for ensuring accountability

  • Measures for allowing data portability and ensuring erasure

Annexure III to Data Sharing Terms

For the purpose of this Annexure III and subject to Personal Data being transferred out of the UK, the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18 is deemed incorporated into the DST by reference, and the Tables set out in Part 1 shall be deemed completed by the information provided in Annexure I and the below:

  • Table 1 – Exporters and Importers: See Annexure 1-A

  • Table 2 – The option selected is option no. 1 “The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information” referred in Appendix 1

  • Table 3 –

    • Description of the transfers – See Annexures 1-2

    • Technical and Organization Measures – See Annexure 2

    • List of Sub Processors – Not applicable

  • Table 4 – The option selected is option no. 3 “Neither Party

© 2025 Immutable. All rights reserved.

Product

Audience

Passport

Chain

Company

About Us

Careers

Legal

Privacy Policy

Acceptable Use Policy

Collection Statement

Terms of Service

Product

Audience

Passport

Chain

Company

About Us

Careers

Legal

Privacy Policy

Acceptable Use Policy

Collection Statement

Terms of Service

Get a free demo

Get a free demo

Products

Company

Login

Get a free demo