GDPR Policy

Version 1.0 · Last updated 8 July 2026

1. Purpose of this notice

This GDPR Policy is a supplement to our Privacy Policy and explains how Elysium complies with Regulation (EU) 2016/679 (GDPR), the UK GDPR, and the Data Protection Act 2018. It is intended for individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.

2. Controller and contact details

For the purposes of the GDPR, Elysium is the controller of personal data processed through the Elysium website, applications, and distributed compute services.

3. What personal data we process and why (lawful basis)

PurposeData categoriesLawful basis (GDPR Art. 6)
Account creation and service deliveryEmail, password hash, display name, rolePerformance of a contract (Art. 6(1)(b))
Billing, payouts, and tax recordsWallet addresses, transaction records, invoicesLegal obligation (Art. 6(1)(c)) and contract (Art. 6(1)(b))
Security, fraud prevention, and audit logsIP address, user-agent, session IDs, activity logsLegitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
Analytics and optional marketing cookiesCookie identifiers, usage analyticsConsent (Art. 6(1)(a))
Customer support and legal claimsCommunications and account historyLegitimate interests and legal obligation (Art. 6(1)(f)/(c))

4. Data subject rights

If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

  • Right to be informed — this policy and our Privacy Policy satisfy that right.
  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
  • Right to restrict processing (Art. 18) — limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
  • Rights related to automated decision-making (Art. 22) — we do not make solely automated decisions with legal or similarly significant effects.

To exercise any right, email privacy@elysiumnetwork.io. We will respond within 30 days and, where required, within 72 hours for data breach notifications.

5. International transfers

We host our services with Cloudflare and Supabase. Where personal data is transferred outside the EEA or UK, we rely on:

  • The European Commission's Standard Contractual Clauses (SCCs) for transfers to third countries.
  • The UK International Data Transfer Addendum for UK residents.
  • Supplementary technical safeguards, including TLS 1.3 in transit and AES-256 encryption at rest.

A copy of our transfer impact assessment is available on request from privacy@elysiumnetwork.io.

6. Data retention

  • Account data — retained while your account is active, then deleted or anonymized within 90 days.
  • Job and telemetry data — up to 24 months, then aggregated or deleted.
  • Financial and tax records — 7 years, as required by law.
  • Security and audit logs — up to 12 months.
  • Cookie consent records — 24 months after withdrawal or supersession.

7. Cookies and consent

We use essential cookies by default. Analytics and marketing cookies are loaded only after you give explicit consent. You can withdraw or change your consent at any time.

8. Personal data breaches

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, where required by law.

9. Changes to this GDPR Policy

We may update this policy to reflect changes in our processing activities or applicable law. Material changes will be posted here and, where appropriate, notified by email. The version and last-updated date at the top of this page always reflect the current notice.