Drips Privacy Policy
General information
As the operator of the Drips Web App (https://www.drips.network/app and other *.drips.network/app instances, hereinafter the "Drips Web App") as well as other Drips websites (such as https://www.drips.network/ and any other *.drips.network domains, excluding the Drips Web App, hereinafter the "Drips Website"; collectively with the Drips Web App referred to as the "Drips Services"), Public Goods Association (hereinafter the "Association" or "we") takes the protection of personal data very seriously. We treat personal data confidentially, in accordance with the statutory data protection regulations and on the basis of this privacy policy. The legal bases can be found particularly in the General Data Protection Regulation (GDPR), the Telecommunications Digital Services Data Protection Act (TDDDG) and the Federal Data Protection Act (BDSG).
The following services are available:
- Visit of the Drips Services (Drips Website or Drips Web App)
- Use of the 'Get in Touch form'
- Use of the Drips Web App functions
When you use Drips Services, various personal data is processed depending on the type and scope of use. Personal data is information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly (e.g. by reference to an online identifier).
This privacy policy informs you in accordance with Art. 12 et seqq. GDPR about the processing of your personal data when you use Drips Services. In particular, it explains what personal data we collect and what we use it for. It also informs you how and for what purpose this is done, the legal basis for it, and what your rights are in relation to it.
This privacy policy expressly refers to the website-specific data processing processes as described under 1.1 when you visit Drips Services. Separate privacy policies apply to other data processing by the Association.
Controller
According to the GDPR, the controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
The controller for the data processing processes covered by this privacy policy is, unless otherwise indicated, as follows:
Bahnhofstrasse 20
6300 Zug, Switzerland
E-Mail: privacy@drips.network
Purposes and legal bases of data processing
Visit of the Drips Services – server log files
For the purpose of the technical provision of the Drips Services, it is necessary for us to process certain information automatically transmitted by your browser so that the Drips Services can be displayed in your browser and you can use the Drips Services. This information (the "Access Data") is automatically collected by our host (see below section 5.3), each time you visit the Drips Services and automatically stored in so-called server log files. These are:
- Browser type and browser version
- Operating system used
- Website from which the access is made (referrer URL)
- Host name of the accessing computer
- Date and time of access to which URL
- IP address of the requesting computer
The processing of the aforementioned Access Data is necessary for technical reasons in order to provide a functional website and to ensure system security. This also applies to the processing of your IP address, which is necessary and, under further conditions, can at least theoretically enable an assignment to your person. In addition to the aforementioned purposes, we use server log files exclusively for the needs-based design and optimization of the Drips Services purely statistically and without drawing any conclusions about your person. This data is not merged with other data sources, nor is it analyzed for marketing purposes.
Art. 6 (1) sentence 1 lit. f GDPR serves as the legal basis for the temporary storage of Access Data. Our legitimate interest here is to be able to provide you with a technically functioning and user-friendly website and to ensure the security of our systems as well as optimizing our services.
Your IP address will be stored on Railway’s server for a maximum of 30 days for IT security purposes. Additionally, pseudonymized usage statistics derived from access logs, such as hit rates or visitor counts over time, are evaluated in Grafana dashboards. These statistics are non-identifiable and do not permit any conclusions about individual users. As such, they are not considered personal data and are retained only as long as necessary to improve and optimize the Drips Services. The storage period and deletion of your Access Data are further governed by Section 7 of this privacy policy.
Use of cookies and similar functions/technologies
We do not use our own so-called cookies and similar technologies on the Drips Services and neither do our service providers Railway and Grafana (see also below section 5.3); please note that when using the embedded Get In Touch form via Notion (see below section 3.3), that provider may set its own cookies under its sole responsibility. Cookies are small text files that are stored on your computer and saved by your browser. A cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you return to the Drips Services.
Get In Touch form
On Drips Services, users may access a 'Get In Touch' form on various subpages (e.g. after selecting a use case such as 'Run a RetroPGF round', 'Fund entire ecosystems' or 'Discuss a funding program' or by using the general contact option). The form is provided via our service provider Notion to collect and store your provided data, solely for the purpose of responding to your inquiry.
If you contact us as part of an existing contractual relationship, make support requests or contact us in advance for information about our range of products and services, the data you provide will be processed for the purpose of processing and responding to your inquiries in accordance with Art. 6 (1) sentence 1 lit. b GDPR (legal basis). In all other cases, processing is based on our legitimate interest in and for the purpose of appropriately handling and responding to inquiries and improving communication with interested parties, in accordance with Art. 6 (1) sentence 1 lit. f GDPR.
To submit the form, certain information is required: name, email address, your message, and confirmation that we may respond to your inquiry via the provided contact details. This information is not legally or contractually required, but it is necessary to process your inquiry. Without it, we are unable to properly receive, assign, or respond to your inquiry, and therefore cannot accept it for submission in the first place. Any additional information you provide (such as your organization, role or Telegram handle) is voluntary and helps us tailor our response more effectively.
Please note that the processing of your data via Notion’s infrastructure is also subject to Notion’s own Privacy Policy and Cookie Policy, which are available on their website. We only control and process the data you actively submit through the form. Any additional data processing performed by Notion (e.g. via cookies or usage analytics on their platform) is outside of our control.
The same applies if you contact us via the email address provided on Drips Services. In this case, we process the personal data you provide (e.g. your email address and message) on the same legal basis and for the same purposes as outlined above.
As a rule, we delete the personal data you provided via the contact form or by email once communication has been completed, unless statutory retention obligations apply, the data is required for the establishment, exercise or defense of legal claims, or further inquiries can reasonably be expected. The storage period and deletion of your provided data in this regard are further governed by Section 7 of this privacy policy.
Use of specific Drips Web App functions
Because certain of the Drips Web App functions are built on decentralized and immutable infrastructures, any information committed on-chain or to the InterPlanetary File System ("IPFS") becomes permanently public and cannot be deleted. We therefore process no more personal data than is technically necessary to provide the requested functionality.
Connecting and using a Web3 Wallet
On the Drips Web App, you may connect a Web3 wallet (e.g. MetaMask or another WalletConnect-compatible wallet) to access and use protocol features such as funding open-source projects, receiving donations, managing programmable funding flows, or participating in Retroactive Public Goods Funding rounds ("RPGF"). Connecting a wallet is technically comparable to identifying yourself via your blockchain address.
When connecting your wallet and interacting with the Drips Protocol, the following data may be processed or become visible:
- Your wallet address on supported networks (an Ethereum address or an address on other Ethereum-compatible chains such as OP Mainnet or Filecoin)
- Transaction metadata such as token type used, transaction amounts, timestamp and recipients
- Indicator whether you make a continuous or one-time donation
Additional data may be processed depending on the role-specific features you use, such as:
- In the case of creating or managing Drip Lists: a list of GitHub repositories, wallet addresses, or other Drip Lists, each with assigned percentage allocations
- In the case of receiving funds: verification of GitHub repository ownership
- In the case of RPGF rounds: configuration data, application fields, or vote allocations (for full details, see Section 3.4b) below).
This data is disclosed by you through voluntary interaction with the protocol and is required to execute the intended functionalities (e.g. making donations, claiming or distributing funds, submitting applications, or managing voting rounds). The legal basis for processing is your contractual relationship with us or another party (Art. 6 (1) sentence 1 lit. b GDPR), where applicable, or our legitimate interest in operating a transparent, user-driven protocol (Art. 6 (1) sentence 1 lit. f GDPR).
All interactions with the Drips Protocol are written to public and immutable infrastructures, including blockchains (e.g. Ethereum-compatible networks such as OP Mainnet or Filecoin) and, where applicable, the IPFS. As a result, submitted data becomes publicly accessible and cannot be deleted due to the nature of these systems.
To improve performance and ensure availability, publicly available protocol data may additionally be indexed and mirrored by the Public Goods Association in a read-only database (hosted by a third-party infrastructure provider) to enable faster retrieval in the Drips Web App. This processing is carried out on the basis of our legitimate interest in providing a performant service (Art. 6 (1) sentence 1 lit. f GDPR).
We do not store or process any personal data beyond what is technically required to enable your interactions with the protocol. Please note, however, that any data you publish on-chain (e.g. through transactions or public attestations) is visible to everyone and permanently accessible.
Additional role-specific protocol functions within the Drips Protocol
Depending on your role and interaction with the Drips Web App, additional categories of data may be processed in order to provide the respective protocol functionality and enable access to our services. This includes, for example, creating or managing funding flows, claiming open-source projects, participating in funding rounds, or reviewing applications. The legal basis for processing your data in these cases is either your contractual relationship with us or another party (Art. 6 (1) sentence 1 lit. b GDPR) or our legitimate interest in offering and maintaining the related protocol features (Art. 6 (1) sentence 1 lit. f GDPR).
As a project maintainer / funding recipient
If you claim a GitHub repository and receive funding via the Drips Protocol, we process your wallet address on supported networks and require proof-of-ownership of the repository (e.g. by committing a verification file to the repository). If you choose to forward received funds to dependencies, the related recipient addresses and share allocations (i.e. a list of downstream recipients such as wallets, Drip Lists, or repositories, each with a defined percentage) are also public. This data is processed solely to enable your participation and distribution of funds via the protocol.
As a Retroactive Public Goods Funding ("RPGF") round admin
If you initiate or manage an RPGF round, we process your wallet address on supported networks as well as the configuration data for the round, such as round name, descriptions, eligible voter addresses, optionally a list of additional wallet addresses to act as co-admins, and review decisions. This data is required to enable RPGF functionality. Most information is public, except the voter list, which is visible only to round admins and select platform maintainers for maintenance purposes.
As an RPGF applicant
If you submit an application for an RPGF round, we process your wallet address on supported networks, proof of project ownership (e.g. by committing a verification file to the relevant GitHub repository), and application form data (as defined by the round admin). Fields marked 'private' are stored off-chain, are visible only to round admins and designated platform maintainers, and may be deleted once the round concludes (see Section 7). Fields not marked as private are attested on-chain via the Ethereum Attestation Service and become publicly visible after approval; they are therefore immutable.
As an RPGF voter
If you participate in voting, your wallet address on supported networks and vote allocations are collected and stored. This information is only visible to round admins and selected platform maintainers and is not made public.
Deletion of off-chain data follows Section 7; however, public on-chain or IPFS data is immutable by its nature.
Compliance with legal regulations
We also process your personal data in order to fulfill legal obligations that may apply to us in connection with our business activities. These include, in particular, retention periods under commercial, trade or tax law.
We process your personal data in accordance with Art. 6 (1) sentence 1 lit. c GDPR (legal basis) to fulfill a legal obligation to which we are subject.
Law enforcement
We also process your personal data in order to assert our rights and enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary for the prevention or prosecution of criminal offenses.
We process your personal data to protect our legitimate interests in accordance with Art. 6 (1) sentence 1 lit. f GDPR (legal basis), insofar as we assert legal claims or defend ourselves in legal disputes or we prevent or investigate criminal offenses (legitimate interest).
Consent-based data processing
If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent.
The legal basis in this case is Art. 6 (1) sentence 1 lit. a GDPR.
Consent can be revoked at any time. Please note that the revocation only takes effect in the future, so processing up to that point is not affected.
Recipients of data
Within our company, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations or to exercise our rights.
Service providers and vicarious agents employed by us (e.g. technical service providers, shipping companies, waste disposal companies) may also receive data for these purposes.
In some cases, the recipients receive your personal data as processors and are then strictly bound by our instructions when handling your personal data. These processors include the following companies in particular:
Hosting and technical service providers
- Railway Corporation, 548 Market St PMB 68956, San Francisco, CA 94104, USA, certified under the Data Privacy Framework for hosting of the Drips Services.
- Raintank Inc., dba Grafana Labs, 165 Broadway, 23rd Floor, New York, NY 10006, USA, certified under the Data Privacy Framework for pseudonymised telemetry dashboards.
- Notion Labs, Inc., 548 Market St 74567, San Francisco, CA 94104, USA, certified under the Data Privacy Framework for hosting the Get In Touch form and possessing respective data.
Finally, in individual cases we transmit personal data to our consultants in legal or tax matters, whereby these recipients are generally already obliged to maintain special confidentiality and secrecy due to their professional status.
Data transfer to third countries
If necessary for our purposes, we may also transfer your data to recipients outside the European Economic Area ("Third Countries"). This is particularly the case in the context of contract processing or due to legal regulations.
We only transfer your data to recipients in Third Countries in accordance with the provisions of Chapter 5 of the GDPR, i.e. if it is ensured that the European Commission has adopted an adequacy decision pursuant to Art. 45 (1) GDPR, or appropriate safeguards within the meaning of Art. 46 (2) and (3) GDPR have been implemented, or a derogation pursuant to Art. 49 GDPR applies.
We use the EU Commission's standard contractual clauses for the transfer of personal data to third countries (SCC) to ensure an appropriate level of protection for the recipient of the data.
You have the option of accessing the SCC via the link provided or requesting a copy from the data protection officer.
Duration of data processing and deletion
We initially process your personal data for the duration for which the respective processing purpose - see above - requires corresponding processing.
Insofar as the processing is carried out for the performance of a contract, the processing period also includes the periods of initiation of a contract (pre-contractual legal relationship) and the performance of a contract (including any subsequent claims).
Insofar as the processing is carried out to safeguard our legitimate interests, the processing period includes the period until the processing purposes pursued are achieved.
If the processing is based on your consent, the processing period covers the period from the time you give your consent until the time you withdraw your consent or until the time the processing covered by the consent is completed.
In this respect, we would like to point out that even in the event of withdrawal of consent, further processing may be possible on the basis of other legal bases (Art. 17 (1) lit. b GDPR).
Even if the primary processing purposes have been achieved, further processing of your personal data may take place, in particular if this is necessary to fulfill a legal obligation and/or to protect our rights. This includes the following purposes in particular:
- Fulfillment of statutory obligations; the retention and documentation periods specified there are up to ten years.
- Where longer retention is necessary to preserve evidence, we perform an annual review to determine whether the purpose still exists.
- Preservation of evidence, taking into account the statute of limitations.
Social Media
In addition, we use various social media services, some of which we have integrated directly on the Drips Services or on websites on which we are represented. Those services might process personal data. Further information on data processing can be found in the respective social media services' privacy policies. There you will also find further information on your rights and setting options to protect your personal data.
We use the following social media:
Data security
Personal data is protected by us by means of suitable technical and organizational measures in order to ensure an appropriate level of protection and to safeguard your personal rights. The measures taken serve, among other things, to prevent unauthorized access to the technical equipment used by us and to protect personal data from unauthorized access by third parties.
In particular, the Drips Services use SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as the contact requests you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be intercepted by third parties.
Nevertheless, we would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is therefore not possible.
Rights of data subjects
Right to information
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to obtain access to the personal data concerning you and the information pursuant to Art. 15 (1) lit. a-h GDPR. Where personal data concerning you are transferred to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer. Subject to the conditions set out in Art. 15 GDPR, you have the right to receive a copy of the personal data concerning you undergoing processing.
Right to rectification
You have the right to obtain from us without undue delay the rectification of personal data concerning you if it is inaccurate. Taking into account the purposes of the processing, you have the right to have incomplete personal data concerning you completed, including by means of providing a supplementary statement.
Right to erasure
You have the right to obtain from us the erasure of personal data concerning you without undue delay if one of the grounds listed in Art. 17 GDPR applies, e.g. if the data have been unlawfully processed.
Right to restriction of processing
Subject to the conditions set out in Art. 18 GDPR, you have the right to obtain from us restriction of processing.
Right to data portability
Subject to the conditions set out in Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us. In exercising your right to data portability, you have the right to have the personal data concerning you transmitted directly from us to another controller, where technically feasible.
Right to withdraw consent
If the data processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, you can also choose, inter alia, the contact channel that you used when giving your consent.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
Right of objection
Subject to the conditions set out in Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on lit. (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Subject to the conditions set out in Art. 21 GDPR, where personal data concerning you are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you.
Obligation to provide data
In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make the Drips Services available without restriction or answer your inquiries to us.
Personal data that we do not necessarily require for the above-mentioned processing purposes is marked accordingly as voluntary information.
Automated decision-making/profiling
We do not use automated decision-making in the meaning of Art. 22 (1) GDPR or profiling (an automated analysis of your personal circumstances).
Validity and amendment of this privacy policy
This privacy policy is currently valid and effective as of July 5, 2025.
Due to the further development of the Drips Services or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. In this case, we will update this privacy policy accordingly.