Legal

Privacy Policy

This notice explains how the Threeya Autonomous Foundation processes personal data across its website, Telegram bot, smart contracts and verifier network.

Effective date: 5 July 2026Last updated: 5 July 2026Version: 1.0Governing law: Estonia / EU

1. Data controller

The data controller responsible for personal data processed through the Threeya website (threeya.com), the Threeya Telegram bot and related services is:

SUPPEER CAPITAL OÜ (registry code 17423420), trading as “Threeya Autonomous Foundation”, Wismari tn 32a, Tallinn 10136, Estonia. Contact: info@threeya.com.

A Data Protection Officer has not been formally appointed as processing does not meet the statutory thresholds of Art. 37 GDPR; privacy inquiries are handled by the controller at the address above.

2. Scope of this policy

This policy applies to anyone who interacts with Threeya, including website visitors, donors, applicants submitting humanitarian projects, individual and corporate verifiers, volunteers, Telegram bot users and members of our communication channels. It does not apply to third-party services we link to (blockchains, wallets, exchanges, social networks).

3. Data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Identity & contact: name or handle, email, Telegram username, organisation, country, phone (only if you provide it).
  • Project submissions: title, region, description, evidence, and contact details of the applicant.
  • Verifier data: declared skills, coverage area, geolocated evidence (photos, timestamps, coordinates) submitted during milestone verification.
  • Donation data: public wallet address, transaction hash, on-chain amount, token, network, timestamp; and, where you disclose it, name and email for receipts.
  • Communications: messages you send to us, to the Telegram bot, or in response to our outreach, including AI-assisted chat history.
  • Technical data: IP address, device and browser information, referrer, pages visited, approximate location derived from IP, error logs.

We do not intentionally collect special categories of data (Art. 9 GDPR). Please do not submit health, biometric, political, religious or similar information unless strictly necessary for a humanitarian case, in which case we process it based on your explicit consent or substantial public interest.

4. Purposes & legal bases

PurposeLegal basis (GDPR)
Operating the website and Telegram botArt. 6(1)(b) — performance of a service you request
Processing donations and issuing receiptsArt. 6(1)(b) & (c) — contract and legal obligations
Evaluating project submissions and verifier signupsArt. 6(1)(b) — pre-contractual measures
Milestone verification and impact reportingArt. 6(1)(f) — legitimate interest in transparent aid
AML / KYC where required by lawArt. 6(1)(c) — legal obligation
Security, fraud & abuse preventionArt. 6(1)(f) — legitimate interest
Newsletters & optional marketingArt. 6(1)(a) — consent (withdrawable at any time)
Compliance with lawful requestsArt. 6(1)(c) — legal obligation

5. AI processing & automated decisions

Threeya operates an autonomous AI agent that scouts projects, drafts shortlists, generates summaries and answers questions through the Telegram bot. When you chat with the bot, your messages are transmitted to our AI provider (currently the Lovable AI Gateway, routing to foundational models such as Google Gemini) solely to generate a response. Prompts and completions are stored in our database to preserve conversation context and to improve service quality; we do not use them to train third-party foundation models.

No funding decision, verification outcome or exclusion produces legal or similarly significant effects on you without human review. Where the AI proposes shortlists, disbursements or risk flags, a human operator or verifier network confirms the outcome before funds move. You have the right to request human review of any automated output that affects you (Art. 22 GDPR).

6. Blockchain & on-chain data

Donations, treasury movements and milestone disbursements are recorded on public blockchains (e.g. Bitcoin, Ethereum, Solana and compatible networks). Data written to a public ledger is immutable, globally replicated and cannot be erased or rectified by us. We only publish pseudonymous data — wallet addresses, amounts, transaction hashes and milestone identifiers. We do not publish your name, email or IP address on-chain.

Before donating, please understand that on-chain transactions may be permanently linked to your wallet by anyone. If you require enhanced privacy, use a fresh wallet address dedicated to charitable giving.

7. Telegram bot

The Threeya Telegram bot processes your Telegram user ID, username, first and last name (as you have configured them in Telegram), language code and the messages you send to the bot. This data is stored to maintain conversation state, respond to commands, and route volunteer or project applications to the foundation. You may stop the bot at any time with /stop or by blocking it in Telegram; upon request we will delete the associated chat history, subject to the retention exceptions described below. Telegram Messenger itself is an independent controller of the underlying messaging service.

8. Cookies & analytics

We use strictly necessary cookies and local storage to keep you signed in, remember your preferences and secure sessions. If we enable analytics, it will be a privacy-preserving, cookie-less product or one that only runs after your consent, and you will be able to opt out via the cookie banner. We do not use advertising cookies or cross-site tracking.

9. Recipients & processors

We share personal data only with vetted service providers acting as processors under written agreements:

  • Hosting and database infrastructure (Lovable Cloud / Supabase, EU region where available).
  • AI inference providers routed through the Lovable AI Gateway.
  • Telegram Messenger (for delivery of bot messages).
  • Email delivery, payment and stablecoin on-ramp providers where applicable.
  • Independent verifiers who receive only the minimum data required to complete a check.
  • Auditors, legal, tax and regulatory authorities when required by law.

We do not sell personal data. We do not share personal data for third-party advertising.

10. International transfers

Some processors operate outside the European Economic Area (for example, in the United Kingdom, United States or Singapore). Where this is the case, transfers rely on an adequacy decision under Art. 45 GDPR or on Standard Contractual Clauses (Art. 46 GDPR) combined with supplementary technical measures such as encryption in transit and at rest. A copy of the relevant safeguards is available on request from privacy@threeya.com.

11. Retention

  • Donation and accounting records: 7 years (Estonian Accounting Act).
  • Project submissions and verifier files: duration of the project plus 3 years.
  • Telegram chat and AI conversation logs: up to 24 months, or until you request deletion.
  • Website server logs: 90 days.
  • Marketing consent: until you withdraw it, and no longer than 36 months of inactivity.
  • On-chain data: permanent by design and outside our control.

12. Security

We apply organisational and technical measures aligned with Art. 32 GDPR, including encryption in transit (TLS 1.2+), encryption at rest, row-level security in our database, least-privilege access, audit logging, secure secret management, multi-factor authentication for administrators and periodic reviews. Smart contract disbursements use multi-signature or milestone-gated release logic. No system is perfectly secure; if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and inform affected users when required.

13. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data or completion of incomplete data.
  • Request erasure (“right to be forgotten”), subject to legal retention duties and technical limits of blockchain data.
  • Request restriction of processing or object to processing based on legitimate interests.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Request human review of automated decisions that produce significant effects on you.
  • Lodge a complaint with a supervisory authority (see §17).

To exercise any right, email privacy@threeya.com. We respond within one month and may extend by two additional months for complex requests (Art. 12 GDPR). We may ask you to confirm your identity before disclosing data.

14. Children

Threeya services are not directed to children under 16. We do not knowingly collect data from minors. If you believe a child has provided personal data, please contact us and we will delete it.

15. Donations & anti-money-laundering

Small, one-time crypto donations generally do not require identity verification. For donations above regulatory thresholds, recurring high-value contributions, or where transactions display risk indicators, we may be required to perform enhanced due diligence under Estonian and EU anti-money-laundering legislation, including collecting identification documents and source-of-funds information. We may refuse or return donations that we cannot lawfully accept and, where required, report suspicious activity to competent authorities.

16. Changes to this policy

We may update this policy to reflect legal, technical or operational changes. Material changes will be announced on this page and, where appropriate, via the Telegram channel or email at least 14 days before they take effect. The “Last updated” date above always indicates the current version.

17. Contact & complaints

For privacy questions or to exercise your rights:
SUPPEER CAPITAL OÜ · Wismari tn 32a, Tallinn 10136, Estonia
Email: privacy@threeya.com

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, www.aki.ee, or with the supervisory authority of your EU country of residence.

See also our Contact & legal page and our Transparency report.