1. Data controller
The data controller responsible for personal data processed through the Threeya website (threeya.com), the Threeya Telegram bot and related services is:
SUPPEER CAPITAL OÜ (registry code 17423420), trading as “Threeya Autonomous Foundation”, Wismari tn 32a, Tallinn 10136, Estonia. Contact: info@threeya.com.
A Data Protection Officer has not been formally appointed as processing does not meet the statutory thresholds of Art. 37 GDPR; privacy inquiries are handled by the controller at the address above.
2. Scope of this policy
This policy applies to anyone who interacts with Threeya, including website visitors, donors, applicants submitting humanitarian projects, individual and corporate verifiers, volunteers, Telegram bot users and members of our communication channels. It does not apply to third-party services we link to (blockchains, wallets, exchanges, social networks).
3. Data we collect
Depending on how you interact with us, we may collect the following categories of personal data:
- Identity & contact: name or handle, email, Telegram username, organisation, country, phone (only if you provide it).
- Project submissions: title, region, description, evidence, and contact details of the applicant.
- Verifier data: declared skills, coverage area, geolocated evidence (photos, timestamps, coordinates) submitted during milestone verification.
- Donation data: public wallet address, transaction hash, on-chain amount, token, network, timestamp; and, where you disclose it, name and email for receipts.
- Communications: messages you send to us, to the Telegram bot, or in response to our outreach, including AI-assisted chat history.
- Technical data: IP address, device and browser information, referrer, pages visited, approximate location derived from IP, error logs.
We do not intentionally collect special categories of data (Art. 9 GDPR). Please do not submit health, biometric, political, religious or similar information unless strictly necessary for a humanitarian case, in which case we process it based on your explicit consent or substantial public interest.
4. Purposes & legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Operating the website and Telegram bot | Art. 6(1)(b) — performance of a service you request |
| Processing donations and issuing receipts | Art. 6(1)(b) & (c) — contract and legal obligations |
| Evaluating project submissions and verifier signups | Art. 6(1)(b) — pre-contractual measures |
| Milestone verification and impact reporting | Art. 6(1)(f) — legitimate interest in transparent aid |
| AML / KYC where required by law | Art. 6(1)(c) — legal obligation |
| Security, fraud & abuse prevention | Art. 6(1)(f) — legitimate interest |
| Newsletters & optional marketing | Art. 6(1)(a) — consent (withdrawable at any time) |
| Compliance with lawful requests | Art. 6(1)(c) — legal obligation |
5. AI processing & automated decisions
Threeya operates an autonomous AI agent that scouts projects, drafts shortlists, generates summaries and answers questions through the Telegram bot. When you chat with the bot, your messages are transmitted to our AI provider (currently the Lovable AI Gateway, routing to foundational models such as Google Gemini) solely to generate a response. Prompts and completions are stored in our database to preserve conversation context and to improve service quality; we do not use them to train third-party foundation models.
No funding decision, verification outcome or exclusion produces legal or similarly significant effects on you without human review. Where the AI proposes shortlists, disbursements or risk flags, a human operator or verifier network confirms the outcome before funds move. You have the right to request human review of any automated output that affects you (Art. 22 GDPR).
6. Blockchain & on-chain data
Donations, treasury movements and milestone disbursements are recorded on public blockchains (e.g. Bitcoin, Ethereum, Solana and compatible networks). Data written to a public ledger is immutable, globally replicated and cannot be erased or rectified by us. We only publish pseudonymous data — wallet addresses, amounts, transaction hashes and milestone identifiers. We do not publish your name, email or IP address on-chain.
Before donating, please understand that on-chain transactions may be permanently linked to your wallet by anyone. If you require enhanced privacy, use a fresh wallet address dedicated to charitable giving.
7. Telegram bot
The Threeya Telegram bot processes your Telegram user ID, username, first and last name (as you have configured them in Telegram), language code and the messages you send to the bot. This data is stored to maintain conversation state, respond to commands, and route volunteer or project applications to the foundation. You may stop the bot at any time with /stop or by blocking it in Telegram; upon request we will delete the associated chat history, subject to the retention exceptions described below. Telegram Messenger itself is an independent controller of the underlying messaging service.
10. International transfers
Some processors operate outside the European Economic Area (for example, in the United Kingdom, United States or Singapore). Where this is the case, transfers rely on an adequacy decision under Art. 45 GDPR or on Standard Contractual Clauses (Art. 46 GDPR) combined with supplementary technical measures such as encryption in transit and at rest. A copy of the relevant safeguards is available on request from privacy@threeya.com.
11. Retention
- Donation and accounting records: 7 years (Estonian Accounting Act).
- Project submissions and verifier files: duration of the project plus 3 years.
- Telegram chat and AI conversation logs: up to 24 months, or until you request deletion.
- Website server logs: 90 days.
- Marketing consent: until you withdraw it, and no longer than 36 months of inactivity.
- On-chain data: permanent by design and outside our control.
12. Security
We apply organisational and technical measures aligned with Art. 32 GDPR, including encryption in transit (TLS 1.2+), encryption at rest, row-level security in our database, least-privilege access, audit logging, secure secret management, multi-factor authentication for administrators and periodic reviews. Smart contract disbursements use multi-signature or milestone-gated release logic. No system is perfectly secure; if we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the Estonian Data Protection Inspectorate within 72 hours and inform affected users when required.
13. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data or completion of incomplete data.
- Request erasure (“right to be forgotten”), subject to legal retention duties and technical limits of blockchain data.
- Request restriction of processing or object to processing based on legitimate interests.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time, without affecting the lawfulness of prior processing.
- Request human review of automated decisions that produce significant effects on you.
- Lodge a complaint with a supervisory authority (see §17).
To exercise any right, email privacy@threeya.com. We respond within one month and may extend by two additional months for complex requests (Art. 12 GDPR). We may ask you to confirm your identity before disclosing data.
14. Children
Threeya services are not directed to children under 16. We do not knowingly collect data from minors. If you believe a child has provided personal data, please contact us and we will delete it.
15. Donations & anti-money-laundering
Small, one-time crypto donations generally do not require identity verification. For donations above regulatory thresholds, recurring high-value contributions, or where transactions display risk indicators, we may be required to perform enhanced due diligence under Estonian and EU anti-money-laundering legislation, including collecting identification documents and source-of-funds information. We may refuse or return donations that we cannot lawfully accept and, where required, report suspicious activity to competent authorities.
16. Changes to this policy
We may update this policy to reflect legal, technical or operational changes. Material changes will be announced on this page and, where appropriate, via the Telegram channel or email at least 14 days before they take effect. The “Last updated” date above always indicates the current version.
17. Contact & complaints
For privacy questions or to exercise your rights:
SUPPEER CAPITAL OÜ · Wismari tn 32a, Tallinn 10136, Estonia
Email: privacy@threeya.com
You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, www.aki.ee, or with the supervisory authority of your EU country of residence.
See also our Contact & legal page and our Transparency report.