Privacy Policy
We, 0xNXT GmbH (hereinafter "NXT" or "we"), appreciate your visit to our website https://nxt.mercedes-benz.com and your interest in our NFT Platform. We operate a digital platform for minting and offering non-fungible tokens or NFTs of specific digital Artworks and collectibles (hereinafter “the Service”).
The protection of personal data is very important to us. We process personal data only in accordance with applicable data protection law requirements, in particular the General Data Protection Regulation (GDPR) and relevant national data protection laws. In this Privacy Policy, you will find all the information you need to review and exercise your privacy rights regarding the processing of your personal data in connection with our Website and the Service, as well as an explanation of key terms.
A. Information about the processing of your personal data
I. Data controller and data protection officer
The responsible data controller for the data processing in terms of this Privacy Policy is
0xNXT GmbH
c/o Omnicom Holding Germany GmbH,
Königsallee 92, 40212 Düsseldorf.
You can reach us via e-mail (gm@0xnxt.io).
II. Provision of website and creation of log files
1. What personal data is processed for what purpose?
Every time you access content on the website, data is temporarily stored that may allow identification. The following data is collected in particular:
date and time of access; IP address; Host name of the accessing computer; Website from which the website was accessed; Websites accessed via the website; Page visited on our website; Message whether the retrieval was successful; Transmitted data volume; Information about the browser type and version used; Operating system.
The temporary storage of data is necessary in order to enable the delivery of the website. Further storage in log files takes place in order to ensure the functionality of the website and the security of the information technology systems. Our legitimate interest in data processing is also based on these purposes.
2. On what legal basis are these data processed?
The data are processed on the basis of Art. 6(1)(f) GDPR.
3. Are there other recipients of the personal data besides the controller?
The website is hosted by TA Digital. The host provider receives and processes the above data as our data processor and processes the data exclusively on servers within the EU.
4. How long will the data be stored?
The log files are kept for a maximum of up to 7 days.
III. Provision of the Service: Minting and Purchase of NFT
Set-up a new personal wallet using Thirdweb's wallet-as-a-service
In order to purchase an NFT you need to connect your personal crypto wallet to our website to facilitate the transaction.
In case you do not have a personal wallet, you have the option to set-up a new personal wallet when you trigger the “Connect Wallet” button on our website. This wallet creation service is provided by a company called Thirdweb Inc.
We do not store or have access to the information you provide to Thirdweb, and your use of Thirdweb’s services are subject to Thirdweb’s own terms and conditions. Thirdweb is the Data Controller in respect to the personal data you provide to them. For details of how Thirdweb processes your personal data, please see Thirdweb’s terms and conditions and privacy notice.
Once your new personal wallet has been created, the section below applies to purchase using your personal wallet.
Connect to website and purchase using your Personal Wallet
1. What personal data is processed for what purpose?
In order to provide the Service using your personal wallet, we process certain of your personal data in pseudonymised form. If you trigger our payment buttons, your personal wallet connected to the NFT Platform will submit the following information to our Smart Contract:
- your personal wallet address (known as Public Key); your public transaction hash for the respective transaction; sale reference ID; quantity; amount per unit; date and time of access; domain address of NFT Platform.
The Smart Contract we use is a reliable code script permanently stored on the Ethereum blockchain and defines the unalterable rules of the NFT purchase. When the Smart Contract executes the transaction, your Public Key is permanently stored on the blockchain together with the following transaction data:
- unique ID of NFT, address of the smart contract and meta data of the NFT such as URI, additional purchase information, commission address and NFT Platform address.
We do not process any personal data other than your Public Key and the transaction data during this transaction. Even so, it cannot be excluded that your Public Key could allow conclusions about your identity and your transactions by using specific analytical tools. In any case, the possibility of identification depends largely on your own transaction behaviour. The fewer transactions are made with the same Public Key, the less likely it is to be identified. However, as the Public Key does not openly reveal your identity, your personal data is pseudonymised.
Please note:
In the case of the transaction, your Public Key is made publicly available and permanently stored on the blockchain. This is the particular characteristic of the NFT and blockchain technology. Only in this way the integrity and the unalterable assignment of the NFT can be ensured.
Once stored on the blockchain, it is technically impossible to revoke or change the storage of your Public Key!
We process your personal data for the purpose of enabling the purchase of our NFT.
For the avoidance of doubt, the data processing on the blockchain is controlled by the Ethereum Blockchain network and its providers, whereas the processing in connection with the cryptocurrency Ether (ETH) and the storage of your NFTs in your personal Wallet is controlled by your wallet service provider. In this respect, we are not responsible for the processing.
2. On what legal basis are these data processed?
The data is processed on the basis of Art. 6(1)(b) GDPR. The processing is necessary for the performance of the purchase contract between you and us. As set forth in the Platform Terms of Use, the primary function of NFT is to provide permanent digital documentation of your limited ownership of rights with respect to the respective referenced Artwork and is therefore part of the contractual performance. If you resell and transfer the NFT, this documentation will also include confirmation that you had limited ownership of the particular artwork in the past.
3. Are there other recipients of the personal data besides the controller?
The Service is technically performed for us by Mojito Inc., Delaware US, as our data processor.
Note: As of July 10, 2023, the new adequacy decision for the U.S., the so-called EU-US Data Privacy Framework ("DPF"), is in place. To the extent that data recipients are certified under the DPF, we rely on the DPF for processing. Where data recipients are not (yet) certified under the DPF, we have entered with such recipients into the EU Standard Contractual Clauses approved by the European Commission on June 4, 2021. As set forth in the Decision of 10 July 2023 on the adequate protection of personal data under the DPF (the "DPF Decision"), the European Commission considers that any interference by U.S. authorities with the fundamental rights of individuals whose personal data are transferred in the public interest, in particular for law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question and that there is effective legal protection against such interference (recital 203 of the DPF Decision), in particular in light of the implementation of EO 14086 and the designation of the EU as a Qualifying Organization, and therefore concludes that U.S. government access laws are no longer to be considered as problematic laws. We as an exporter and our importers therefore no longer have reason to believe that the laws and practices of the third country prevent the importer from fulfilling its obligations under the SCC.
The data processing on the blockchain is controlled by the Ethereum Blockchain network and its providers, whereas the processing in connection with the cryptocurrency Ether (ETH) and the storage of your NFTs in your personal Wallet is controlled by your wallet service provider. In this respect, we are not responsible.
4. How long will the data be stored?
Please note:
Your Public Key and the NFT meta data will be stored on the blockchain as long as the underlying distributed ledger technology continues its operation!
Payment using Credit Card or Cryptocurrency (ETH):
You can purchase your NFT using one of the following payment methods (i) Cryptocurrency (ETH) or; (ii) Credit Card.
If you choose to purchase using cryptocurrency, this transaction is controlled by you via your wallet service provider. In this respect, we are not responsible for the processing.
If you choose to purchase using credit card, you will be redirected to the overlay screen of Coinflow Inc., our secure payments provider, to process your transaction. We do not store or have access to the information you provide to Coinflow, and your use of Coinflow’s services are subject to Coinflow’s own terms and conditions. When Coinflow reimburse your payment to us, this payment is made in cryptocurrency meaning we never see or process your personal data in connection with this transaction.
Coinflow is the Data Controller in respect to the personal data you provide to them. For details of how Coinflow uses your personal data, please see Coinflow’s privacy notice.
IV. Donation and Transfer of the free NFT via Mint Pass
As part of certain events, we would like to donate a free NFT to eligible NFT owners. If you claim the donation, we will process certain personal data in order to transfer the NFT to you.
1. What personal data is processed for what purpose?
You can prove your eligibility with your Mint Pass. A Mint Pass is a non-fungible token, a unique digital unit that is stored and transferred via the Ethereum blockchain which serves as a digital documentation. In order to transfer this Mint Pass, we process certain of your personal data in pseudonymized form. When you trigger the “Get Mint Pass” button, your personal Wallet connected to the NFT Platform will submit the following information to our Smart Contract:
- your Public Key; information if you are the owner of issued NFTs; information if these NFTs have already been used to get a Mint Pass; information if you have accepted the Terms and Conditions, information if you claimed the issued NFTs; your public transaction hash for the respective transaction; sale reference ID; quantity; amount per unit; date and time of access; domain address of NFT Platform;
If you own this Mint Pass, we will transfer a free NFT to your wallet. For the transfer, we we process certain of your personal data in pseudonymized form. When you trigger the “Get Free NFT” button, your personal Wallet connected to the NFT Platform will submit the above mentioned personal data to our Smart Contract.
The Smart Contract we use is a reliable code script permanently stored on the Ethereum blockchain and defines the unalterable rules of the NFT donation. When the Smart Contract executes the transaction, your Public Key is permanently stored on the blockchain together with the following transaction data:
- NFT unique ID; address of the smart contract and meta data of the NFT such as URI; additional purchase information; commission address and NFT Platform address.
It cannot be excluded that your Public Key could allow conclusions about your identity and your transactions by using specific analytical tools. In any case, the possibility of identification depends largely on your own transaction behaviour. The fewer transactions are made with the same Public Key, the less likely it is that you will be identified. However, as the Public Key does not openly reveal your identity, your personal data is pseudonymized.
Please note:
In the case of the transaction, your Public Key is made publicly available and permanently stored on the blockchain. This is the particular characteristic of the NFT and blockchain technology. Only in this way the integrity and the unalterable assignment of the NFT can be ensured.
Once stored on the blockchain, it is technically impossible to revoke or change the storage of your Public Key!
We process your personal data for the purpose of enabling the Donation of the free NFT.
For the avoidance of doubt, the data processing on the blockchain is controlled by the Ethereum Blockchain network and its providers, whereas the processing in connection with the cryptocurrency Ether (ETH) and the storage of your NFTs in your personal Wallet is controlled by your wallet service provider. In this respect, we are not responsible for the processing.
2. On what legal basis are these data processed?
The data is processed on the basis of Art. 6(1)(b) GDPR. The processing is necessary for the performance of the mint pass agreement and the donation agreement between you and us. As set forth in the Platform Terms of Use, the primary function of NFT and the Mint Pass is to provide permanent digital documentation of your limited ownership of rights with respect to the respective referenced Artwork and is therefore part of the performance if the contract. If you resell and transfer the NFT, this documentation will also include confirmation that you had limited ownership of the particular artwork in the past.
3. Are there other recipients of the personal data besides the controller?
The Service is technically performed for us by Mojito Inc., Delaware US, as our data processor.
Note: As of July 10, 2023, the new adequacy decision for the U.S., the so-called EU-US Data Privacy Framework ("DPF"), is in place. To the extent that data recipients are certified under the DPF, we rely on the DPF for processing. Where data recipients are not (yet) certified under the DPF, we have entered with such recipients into the EU Standard Contractual Clauses approved by the European Commission on June 4, 2021. As set forth in the Decision of 10 July 2023 on the adequate protection of personal data under the DPF (the "DPF Decision"), the European Commission considers that any interference by U.S. authorities with the fundamental rights of individuals whose personal data are transferred in the public interest, in particular for law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question and that there is effective legal protection against such interference (recital 203 of the DPF Decision), in particular in light of the implementation of EO 14086 and the designation of the EU as a Qualifying Organization, and therefore concludes that U.S. government access laws are no longer to be considered as problematic laws. We as an exporter and our importers therefore no longer have reason to believe that the laws and practices of the third country prevent the importer from fulfilling its obligations under the SCC.
The data processing on the blockchain is controlled by the Ethereum Blockchain network and its providers, whereas the processing in connection with the cryptocurrency Ether (ETH) and the storage of your NFTs in your personal Wallet is controlled by your wallet service provider. In this respect, we are not responsible.
4. How long will the data be stored?
Please note:
Your Public Key,the NFT meta data and the Mint Pass meta data will be stored on the blockchain as long as the underlying distributed ledger technology continues its operation!
V. Compliance with legal obligations
1. What personal data is processed for what purpose?
We might process certain personal data to comply with legal obligations required by the respectively applicable law. Such obligations could be imposed, for instance, by tax, financial, criminal or money laundering law. For example, we may collect your IP address and geographical location in order to identify the relevant tax jurisdiction. We may also store Public Keys to block certain Users if required by law. We ensure you that we only disclose data to any authorities if there is a definite legal obligation to do so.
2. On what legal basis are these data processed?
The data is processed on the basis of Art. 6(1)(c) GDPR.
3. Are there other recipients of the personal data besides the controller?
Recipients of the data might be public authorities. Where IP lockup is required to comply with legal requirements, it is performed by TA Digital, our website hosting provider. TA Digital receives and processes the above data in its capacity as our data processor.
4. How long will the data be stored?
The respective storage period is determined by the relevant legal requirements.
VI. Renumeration of Artworks
1. What personal data is processed for what purpose?
We process certain personal data to ensure appropriate remuneration of the artist of the Artwork and the licensors of the rights associated with Mercedes-Benz. Therefore, we collect and transmit transaction-related information, which may include personal data such as your IP address. The processing is necessary to provide a basis for the calculation of the remuneration. We do not use the data for any other purpose. Especially, we do not aggregate, combinate or supplement this data with other data. Our legitimate interest in data processing is also based on these purposes.
2. On what legal basis are these data processed?
The data is processed on the basis of Art. 6(1)(f) GDPR.
3. Are there other recipients of the personal data besides the controller?
Recipient of the data could be:
- Mercedes-Benz Group AG, 70546 Stuttgart, Germany.
4. How long will the data be stored?
We store the data only as long as it is necessary for its respective purpose.
VII. YouTube
If you have given your consent, we use YouTube on our website to be able to show you certain content in the form of videos. YouTube is a video hosting service provided to users in the EU by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
For more information, please see YouTube's privacy policy: https://policies.google.com/privacy
1. What data is processed for what purpose?
To protect your privacy, we offer this service as so-called "2-click buttons". The "2-click solution" prevents data (e.g. your IP address) from being transmitted to YouTube when you enter our website. For this purpose, the buttons are deactivated by default and are only activated by clicking on the embedded video for the first time.
YouTube also collects personal data after activation and sends it to its own servers where it is stored, for example:
- http data and IP address.
In addition, the activated service sets a cookie with a unique identifier when the relevant website is accessed. The data transfer takes place regardless of whether you have an account with YouTube and are logged in there. If you are logged in to YouTube, the data we collect is assigned to your existing account.
2. On what legal basis are these data processed?
The legal basis for the processing of personal data is your consent according to Art. 6(1)(a) GDPR and § 25(1) TTDSG.
3. Are there other recipients of the personal data besides the controller?
Recipients of the data can be
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
The data recipients are certified under the Data Privacy Framework ("DPF"). We rely on the DPF for data processing.
4. How long will the data be stored?
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For more information about the storage duration, please see YouTube's privacy policy: https://policies.google.com/privacy?hl=de
VIII. Social Media
If you click on one of the social media links on our site or otherwise interact with our social media pages such as on Twitter or Discord (including interacting with any “like” or similar embedded features on our site or social media accounts), we and the relevant social media platform may receive information relating to such interaction.
Please note that the relevant social media platform may also be a Data Controller in respect to the personal data that is collected via your use of our social media channels and may use that personal data for its own additional purposes. For details of how the relevant social media platform uses your personal data, please see the privacy notice of the relevant social media platform.
1. What data is processed for what purpose?
Participation in social media channels by users is voluntary, and although we discourage individuals from submitting any information that may identify them personally when participating in these areas, we may inevitably process their personal data in connection with their social media interaction.
We process this data in order to engage with our customers, share content, promote our services, and generally provide services to our users.
2. On what legal basis are these data processed?
Our legal basis for the processing of personal data is Art. 6(1)(f) GDPR.
3. Are there other recipients of the personal data besides the controller?
Other recipients of personal data are the relevant social media platforms with which you engage.
For details of how the relevant social media platform shares your personal data, please see the privacy notice of the relevant social media platform.
4. How long will the data be stored?
We store the data only as long as it is necessary for its respective purpose.
For details of how long the relevant social media platform stores your personal data, please see the privacy notice of the relevant social media platform.
IX. Service requests
1. What data is processed for what purpose?
When you send us a service request via e-mail to resolve a technical issue, we process your e-mail address and the information contained in the e-mail to resolve the issue as quickly as possible. For this purpose, we forward the request to our technical service providers.
2. On what legal basis are these data processed?
The legal basis for the processing of personal data is Art. 6(1)(f) GDPR (legitimate interest).
3. Are there other recipients of the personal data besides the controller?
The Service is technically performed for us by Mojito Inc., Delaware US, and TA Digital as our data processors.
Note: As of July 10, 2023, the new adequacy decision for the U.S., the so-called EU-US Data Privacy Framework ("DPF"), is in place. To the extent that data recipients are certified under the DPF, we rely on the DPF for processing. Where data recipients are not (yet) certified under the DPF, we have entered with such recipients into the EU Standard Contractual Clauses approved by the European Commission on June 4, 2021. As set forth in the Decision of 10 July 2023 on the adequate protection of personal data under the DPF (the "DPF Decision"), the European Commission considers that any interference by U.S. authorities with the fundamental rights of individuals whose personal data are transferred in the public interest, in particular for law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question and that there is effective legal protection against such interference (recital 203 of the DPF Decision), in particular in light of the implementation of EO 14086 and the designation of the EU as a Qualifying Organization, and therefore concludes that U.S. government access laws are no longer to be considered as problematic laws. We as an exporter and our importers therefore no longer have reason to believe that the laws and practices of the third country prevent the importer from fulfilling its obligations under the SCC.
4. How long will the data be stored?
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
X. Cookies and comparable technologies
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.
1. What personal data is processed for what purpose?
We use technically necessary cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
The data collected from you in this way is pseudonymised by technical precautions. Therefore, an assignment of the data to your person is no longer possible. The data is not stored together with your other personal data. When you access our website, we inform you about the use of cookies for analysis purposes and obtain your consent to the processing of personal data used in this context.
2. On what legal basis are these data processed?
In the case of technically necessary cookies, the legal basis for the processing of personal data is Art. 6(1)(f) GDPR (legitimate interest) and § 25(2)(2) TTDSG. In the case of technically unnecessary cookies, the legal basis for the processing of personal data is Art. 6(1)(a) GDPR (consent) and § 25(1) TTDSG.
3. Are there other recipients of the personal data besides the controller?
In case of third-party cookies, we transfer the personal data to the respective cookie provider.
4. How long will the data be stored?
We store the data only as long as it is necessary for its respective purpose.
B. Data subject rights
I. Right to obtain and access
You can request information in accordance with Art. 15 GDPR about your personal data that we process.
II. Right of objection
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(f) GDPR. The controller will then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. The collection of data for the provision of the website and the storage of log files are absolutely necessary for the operation of the website.
III. Right of rectification
If the information concerning you is not (or no longer) correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
IV. Right to erasure
You can request the deletion of your personal data in accordance with Art. 17 GDPR.
V. Right to restriction of processing
According to Art. 18 GDPR, you have the right to request a restriction of the processing of your personal data.
VI. Right to complain
If you believe that the processing of your personal data violates data protection law, you have the right to complain to a data protection supervisory authority of your choice in accordance with Art. 77(1) GDPR.
VII. Right to data portability
In the event that the requirements of Art. 20(1) GDPR are met, you have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to third parties. The collection of data for the provision of the website and the storage of log files are absolutely necessary for the operation of the website. They are therefore not based on consent according to Art. 6(1)(a) GDPR or on a contract according to Art. 6(1)(b) GDPR but are justified according to Art. 6(1)(f) GDPR. The requirements of Article 20(1) GDPR are therefore not fulfilled.
C. Key terms of this Privacy Policy
When we use the following terms, we mean what is described below:
- Artwork means a unique, indivisible digital content, stored in a decentralized filing system owned or licensed by us to which an NFT inseparably relates and in which the NFT Owner acquires a license in accordance with our Platform Terms and Conditions (accessible via https://nxt.mercedes-benz.com/terms-and-conditions).
- Mint means a time-limited sales process of a pre-defined number of NFTs carried out by us, where the NFTs are created and minted in accordance with the relevant NFT purchase by a User.
- NFT means non-fungible token, a unique, indivisible, irreplaceable, digital unit that is stored and transferred via Ethereum blockchain, is interlinked to an Artwork as its reference object accessible via an URL, cannot be converted into other crypto assets and is sold via the NFT Platform by us as primary seller.
- NFT Platform means the platform for the primary sale of Artworks and related NFTs operated by us under the domain https://nxt.mercedes-benz.com.
- Public Key means a unique identification number connected with your wallet which is publicly available.
- Smart Contract means an automated computer instruction defined on the Ethereum blockchain and linked to the NFT.
- User means any natural or legal person who uses the NFT Platform in accordance with our Platform Terms of Use.
- Wallet means a software application for storing, sending and receiving cryptocurrencies and tokens, which is provided to you by a third-party provider and for which you are solely responsible.
D. Status of Privacy Policy
The Privacy Policy is as of 28th February 2024 and is permanently available at https://nxt.mercedes-benz.com/privacy-policy.