(in force since March 1st, 2020)
Every day we make sure that the use of our exchange is comfortable and safe for you. For this reason, we provide you with important information about how the data collected during your registration and use of the exchange is processed.
Table of contents
- Who is the administrator and the data protection officer of your personal data.
- How and why we collect your data?
- On what basis we process your data?
- What are the consequences of not providing us with your personal data?
- Which of your data and how we share with other entities?
- How long do we keep your data?
- Your rights.
- How we protect your data.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter also referred to as “GDPR”.
- Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (hereinafter referred to as the “Directive”),
- National provisions in force in Seychelles
- In order to ensure the security of your personal data, we have ensured that all our employees are properly trained in the processing of personal data. In addition, we guarantee that our Company has adequate technical security and organizational measures to properly secure your data.
- Personal data we collect is processed in accordance with the law, only for specified, legally permitted purposes.
- In addition, we make every effort to ensure that the data collected by us is substantively correct and adequate in relation to the purposes for which it is processed, and that it is stored in a form that allows identification of the persons to whom it relates for no longer than is necessary to achieve the purpose of processing. We also maintain the security and confidentiality of the personal data collected.
- As the Administrator of your data, we assure you that we have implemented all the guidelines and procedures in accordance with GDPR. Detailed scope of the security measures implemented by us is included in our internal documentation, which includes, among other things, the Personal data protection policy and the Cybersecurity policy. Thanks to this, your personal data is processed in a reliable manner, and the security measures implemented by us allow for efficient enforcement of all rights to which you are entitled.
- We would like to inform you that, to the extent necessary for this purpose, we cooperate with the Data Protection Officer, i.e. Wojciech Karbowski, e-mail: firstname.lastname@example.org.
II. WHO IS THE ADMINISTRATOR AND THE DATA PROTECTION OFFICER OF YOUR PERSONAL DATA
- The Administrator of your personal data is SupaInvest Ltd [further also referred to as the Administrator] – a company established in the Republic of Seychelles at Crystal Offices, OT Center, Victoria, Mahe, Seychelles; registered under the number 0219017.
- We would like to inform you that, in order to take care of your personal data effectively, we have also appointed a Data Protection Officer, to whom you can turn with any questions or requests in all matters concerning your personal data. You can contact him at: email@example.com.
- If you have any questions, requests or complaints regarding the processing of your personal data by us, you can also contact us in writing at the address: Crystal Offices, OT Center, Victoria, Mahe, Seychelles. You can contact the Administrator by post, by sending a letter to that address, via e-mail at firstname.lastname@example.org, or by sending a message in the “Contact” tab available on the Website.
- Questions, applications and complaints referred to in the preceding paragraphs should, in particular, include:
- data relating to the person or persons concerned by the inquiry or request,
- the event which is the reason for sending a message to us,
- your requests and the legal grounds for them,
- the expected manner of handling the matter.
III. HOW AND WHY WE COLLECT YOUR DATA
- Visiting and using our Website is associated with the need to collect and process your personal data.
- Please note, we process your personal data, in particular the data you provide us with directly when setting up and verifying your account on our Website (this is the data you enter on the forms provided by us and the data contained in the documents you send to us) and the data you generate using services offered by our Website (e.g. making purchase / sale transactions, placing sales offers, etc.).
- We need to collect such a wide range of information not only to be able to provide our services “technically”, but also to fulfil the binding legal provisions regarding the obligation to identify the client, to monitor, combat and assess the risks of fraud, money laundering, financing of terrorism. Therefore, if you do not provide the data requested during the registration and verification, or if the data proves to be false, or if you object to its processing, we will not be able to continue to provide you with our services.
- Due to the above-described obligations, in order to verify the accuracy of the data provided by you and to assess the risk of fraud, we also monitor your transaction history by analysing the course, volume, currency and type of transactions.
- If you express a wish to use additional services offered by us, we will process your data which we collected in order to provide our services, in compliance with their description contained in the Terms and Conditions or provided to you separately. These services may include among others: newsletter, contests, etc.
- As part of the operation of our Website, you may be asked to provide us with the following personal data:
- name – after you have created your user account, you will be asked to provide your name to identify yourself. Your name will also be essential if you wish to use our affiliate program. We will be pleased to know who is contacting us with the inquiry, so your name will be used when you use the contact form in the “Contact” tab on our Website.
- date of birth – users of our Website must be of legal age, and age is one of the criteria for AML/CTF risk analysis; accordingly, once a user account is created, we ask you to provide us with your date of birth (or we take it from documents you provided), otherwise you will not be able to take full advantage of our Website.
- address and country of residence – in order to fully verify their identity, our users must provide their address and country of permanent residence, this requirement results directly from the provisions of the Directive,
- nationality – in order to gain full access to your user account, you will be asked to provide your nationality, this requirement results directly from the provisions of the Directive,
- phone number – in order to gain full access to your user account, you will be asked to provide your phone number and to verify it directly; after you provide your phone number we will send you an activation code. If you have become a subscriber of our newsletter distributed by phone, we will also send you commercial information once or twice a month; this is of course a voluntary option and you can resign from it at any time.
- information concerning the identity document (passport, identity card or driving license) – in order to verify your identity properly, we will ask you to provide us with a convenient identity document number with an indication of the date of issue and its expiry date, providing us with this information is necessary to carry out a proper process of confirming your identity, what is more, it will enable us to confirm your age, this requirement results directly from the provisions of the Directive,
- photo – in order to properly identify your image, we will ask you to send us your photo or video material, this requirement results directly from the provisions of the Directive,
- bank account number – in order to enable the withdrawal of your funds held in your user account, we will ask you to provide us with your bank account number, but that is not all, in order to fully verify whether your bank account number is yours in fact, we may ask you to send us a confirmation of your transaction from such account number, this may be a confirmation of a transfer made, e.g. an Internet fee or any other transaction of your choice, this requirement derives from the provisions of the Directive.
- e-mail address – in order to create a user account on our Website, we will ask you to provide your e-mail address. Your e-mail address will also be used when you contact us with an inquiry via a contact form or chat window located on our Website. In addition, if you become a subscriber to our newsletter, we will send you information related to our Website once or twice a week – this is a voluntary option and you can resign at any time. Your e-mail address will also be used when you decide to participate in our affiliate program.
- IP address (Internet Protocol) of your device – this is a unique number assigned to devices on a computer network; such data may be used for technical, demographic (region from which the connection is made) and statistical purposes, and to verify that you use our services in accordance with the Terms and Conditions (i.e. that the connection does not come from a country in which we do not provide our services),
- other data such as: request URL, domain name, device ID, browser type, browser language, number of clicks, amount of time spent on individual pages, date and time of using the Website, type and version of the operating system, screen resolution, data collected in the server logs, and other similar information to develop statistical data for the optimization of services rendered, including displaying content that complies with your preferences.
- Providing your personal data indicated in the preceding point is necessary in the following cases:
- to create a user account on our Website, which is voluntary, and to use the full functionality of it;
- all data provided to us for the purpose of setting up a user account may be used for the purposes of the affiliate program, the contests, provided that you have given us your consent and wish to participate,
- in order to respond to inquiries addressed to us via the contact form available in the “Contact” tab on our Website and the chat form in the event of consent to participate in contests organized by the Administrator;
- in order to provide the newsletter service: if you want to be informed on an ongoing basis about what is new with us and what news we have prepared for you, you can become a subscriber to our newsletter; subscription is voluntary and you can unsubscribe from it at any time.
- Personal data are processed by our Company primarily in order to provide you with the services you order and any additional features within our Website. However, we would like to emphasize that as an Administrator we take care to observe the principle of minimization and process only those categories of personal data that are necessary for us to achieve these goals.
- When you contact us in order to perform various activities or to obtain information (e.g. to submit a complaint) using the Website, telephone or e-mail, we will again require you to provide us with your personal data to confirm your identity and the possibility of return contact. This applies to the same personal information you previously provided. However, it may happen that due to the nature of your request, we will have to collect other data from you. Provision of the above data is not mandatory, but it is necessary to perform activities or obtain information that interests you. We will process the above-mentioned data in order to perform the actions requested by you or to provide you with the information that you requested – depending on which situation takes place.
IV. ON WHAT BASIS WE PROCESS YOUR DATA?
- Your personal data is always processed on one of the following legal bases:
- your consent – in the scope resulting from this consent e.g. newsletter subscription, consent is voluntary and the consent to the processing of personal data can be withdrawn at any time, we enforce this basis if other grounds for the processing of your personal data do not apply, e.g. concluded contract or legal obligation;
- an agreement concluded between us (regarding keeping an account on our Website, performing a purchase / sale transaction, settlements, sending a Newsletter, mailing) – in the scope necessary for its implementation;
- taking action on request, before concluding a contract – if you asked us a question before creating a user account, we do not need additional consent to contact you back and answer your questions;
- legal obligation, i.e. an obligation arising from legal acts – in the scope necessary to comply with the binding provisions;
- our legally legitimate interest.
- If we process your personal data on the basis of the consent referred to in point 1 a) above, the data you provide is used only for the purposes covered by your consent. On this basis, we will primarily carry out information and marketing campaigns. Remember that at any time you can change your mind and withdraw your consent – just send us an e-mail to: email@example.com. Please note, however, that this does not always involve the deletion of your personal data. We may still process your personal data if it is necessary, e.g. if we have another legal basis for processing your personal data (concluded contract) or if we have a legitimate legal obligation to do so.
- We will also process your data to execute the agreement we entered into with you (primarily as a result of registration on and acceptance of the Terms and Conditions for an account on our Website) to be able to properly provide you with the services you want.
- Whether you have given us your consent for the processing of your personal data or we are bound with you by a contract, we will also have to process your data due to the need to comply with our legal obligations. These will be situations in which, for example, we must store data resulting from transactions made for tax and accounting reasons; as well as situations where we are obliged to verify and analyse your data (including your actions taken on the Website) in accordance with applicable anti-money laundering and terrorist financing regulations.
- Please remember that even if you have not given us your express consent, we are obliged to make your personal data available to state authorities, i.e. tax authorities, law enforcement authorities and other entities properly authorized to do so in accordance with applicable law.
- Based on our legitimate interest, we will process your data for the purpose of claiming our rights and defending ourselves against claims, for evidentiary and archival purposes. On the same basis, we will also process your personal data collected automatically on the Website in order to ensure the security of the session, quality of the session and provide you with all the functions of the Website. On this basis, we will also process your personal data for analytical purposes, which will involve the examination and analysis of traffic on our Website.
V. WHAT ARE THE CONSEQUENCES OF NOT PROVIDING US WITH YOUR DATA?
- In the case of registration and verification of an account, we process only the data without which the agreement concluded with you cannot be executed for “technical” reasons or for legal reasons. Not providing us with the required data will result in the fact that we will not be able to set up or keep your account, let alone carry out transactions within it.
- Giving us your consent to the processing of your personal data is voluntary. If you do not give us your consent (or withdraw it), then we will not take any actions that a given consent applies to.
VI. WHICH OF YOUR DATA AND HOW WE SHARE WITH OTHER ENTITIES?
- You should be aware that, although we do not share your personal data without your express consent, your personal data may be entrusted to other entities for processing. This is because without such entrustment of your personal data, our company would not be able to conduct its business and provide services to you through our Website.
- Processing entities means companies we cooperate with in running our business activity.
- We conclude an appropriate personal data processing outsourcing agreement with the processor, thus guaranteeing that the processor processes your data solely for our purposes, to the extent and for the purposes indicated therein.
- First of all, we entrust your personal data for processing to such entities as:
- entities involved in sending messages and SMS messages – to send messages for which you have given your consent by phone or e-mail;
- entities providing hosting services for the website on which our Website is located – so that you can use our Website, create a user account, contact us in case of any questions;
- entities providing IT services for the website where our Website is located – if necessary, thanks to which our Website, and first of all your user account, can function efficiently, in this way we also remove all types of failures, defects, technical interruptions in the functioning of our Website;
- entities providing banking services – your order to deposit or withdraw funds requires entrusting your data to a bank;
- postal, courier and freight service providers – for the delivery of parcels – if you choose to participate in our contest or affiliate program, it is necessary for you to receive the prize;
- entities providing accounting services – in order to keep the accounting books of our company;
- entities verifying the authenticity of your documents that you provided to us – in order to carry out a procedure of proper identification of your identity;
- entities assessing the risk of fraud – in order to assess that risk;
- entities that provide other services to us that are necessary for the day-to-day operation of the Website.
- When sharing your personal data, we make sure that the entities we cooperate with ensure the implementation of technical and organizational measures and process the data in accordance with applicable regulations, including the provisions of the GDPR.
- Your personal data will not be transferred to third countries or international organizations within the meaning of GDPR regulations. Should such a transfer take place, you will be informed in advance and the Administrator undertakes to apply appropriate security measures in accordance with the GDPR.
- Some of the entities providing services to us have servers located outside of Seychelles, but in each case they are located in countries within the European Union and they ensure proper protection of your data in accordance with EU regulations.
VII. HOW LONG DO WE KEEP YOUR DATA?
- We store and process your data only as long as it is necessary for the purpose for which it was obtained.
- You should be aware that your personal data may be processed by us for a longer period than indicated above. This is due to the obligations imposed on us and specific legal provisions.
- If the basis for processing your data is:
- your consent – this period lasts until you withdraw your consent or until the expiry of your consent (e.g. when the consent concerned a service that we no longer provide), if further processing of your personal data does not impose any obligation on us or does not result from specific legal regulations;
- the need to execute an agreement – please remember that the period of processing your data does not always last only as long as the parties are bound by the concluded contract; due to the obligations imposed on us by specific legal provisions, e.g. the obligation to keep accounting books and records, it may be extended accordingly;
- legal obligation – Your personal data will be processed for as long as we are under a legal obligation to do so in accordance with specific legal provisions;
- pursuit of a legitimate interest – for as long as the interest persists.
- Please note that the basis for processing your personal data for a certain period of time is primarily due to special regulations. Therefore, even if you withdraw your consent, or the contract that linked us is terminated or simply expires, in some cases we are still required to process your personal data.
- For example:
- data provided for account registration on the Website will be stored for as long as your account is kept – that is, until you cancel it or request it to be closed, unless further processing of your personal data is necessary to comply with a legal obligation;
- data provided for the Newsletter or other mailing to be sent will be kept for as long as your consent for their delivery is valid;
- if you gave consent to our other information activities about our offer – your data necessary for performing such activities will be kept until you withdraw your consent.
- Because our services are, among others, subject to the regulations of the Directive, we are obliged to keep the following, among other things, for at least five years from the end of our economic relations with you (i.e. from the final closing and settlement of the account):
- copies of documents and information obtained in connection with the verification of your identity;
- copies of documents and information being the basis for assessing the risk of fraud in relation to your transactions;
- evidence confirming transaction and transaction records necessary to identify transactions.
- The retention period of your data required by law may be subject to change as the applicable law changes.
- After the indicated time periods expire, your personal data will be deleted or anonymized in a way that prevents the data from being attributed to you.
VIII. YOUR RIGHTS
- data of the person or persons concerned by the request or question,
- the event which is the reason for sending a message to us,
- your requests and the legal basis for them,
- the expected manner of handling the matter. This will help us to respond more efficiently to your questions and requests.
- Due to the processing of your data by us, you have:
- the right to request access to your personal data – both the data you shared with us and which we are processing, as well as the data generated in the course of our cooperation (e.g. history of transactions);
- the right to request immediate correction or updating of your personal data by us, if it is incorrect;
- the right to complete incomplete personal data, including through presentation of an additional statement (considering the purposes of processing);
- the right to have your data deleted immediately (“the right to be forgotten”) – in such a case we will delete your data immediately (however, we will keep the data we must keep in compliance with the law);
- the right to request processing restrictions;
- the right to receive data you provided to us in a structured commonly used format suitable for machine reading and to send it to another administrator;
- the right to transfer your personal data – you may demand that we transfer your data to another administrator of your choice; we may satisfy your request if you have given us your consent to the processing of your personal data;
- the right to object to the processing of your personal data for the needs of direct marketing, as a result of which we will cease to process your data for the purposes of direct marketing;
- the right to object due to causes related to your particular situation, if your personal data is processed based on a legally justified interest. However, we will keep processing your personal data in the necessary scope if we have a particular justified reason for doing so – we will inform you about this in such a case;
- if the basis for the processing of your personal data is your consent, you will have the right to withdraw such consent at any time. Withdrawal of your consent does not affect the lawfulness of the processing of your personal data carried out by us on the basis of the consent before its withdrawal.
- Filing a complaint to the supervisory body – If you feel that the processing of your personal data by us violates the law, you can file a complaint to the supervisory body that deals with the protection of personal data.
- To submit a statement regarding the exercise of any of your rights mentioned above, write to us at: Crystal Offices, OT Center, Victoria, Mahe, Seychelles, at the e-mail address: firstname.lastname@example.org or email@example.com, or use the “Contact” tab on our Website.
- Withdrawing your consent or objecting to the processing of data, if you do not formulate any other objections, will affect all our services and Websites and the entities entrusted with the processing of your data.
- If you feel that the processing of your personal data by us violates the law, you can file a complaint to the supervisory body that deals with the protection of personal data.
- Profiling involves automated processing of personal data allowing the assessment of personal factors of a natural person, and in particular analysing or forecasting aspects related to the economic situation, personal preferences or interests, credibility or behaviour of the data subject.
- On our Website we process your personal data, including your activities on the Website, to assess the possibility of offering you our services. Our profiling boils down to two aspects:
- determining your preferences and needs in order to better adapt the Website to your needs;
- verifying the accuracy of the information provided by you and estimating the risk of money laundering or terrorist financing in order to fulfil the obligations imposed on us by the Directive of the European Parliament and of the Council (EU) No. 2015/849 of 20 May 2015.
- Based on our profiling, in accordance with our internal procedures for estimating the risk of money laundering or terrorist financing, we evaluate which transactions you have commissioned we can carry out, and what information we are forced to obtain from you to fulfil our obligations of due diligence in the prevention of fraud in accordance with the Directive referred to above.
- Each time the results of profiling are analysed by our employees or external entities from the AML/CTF sector before deciding whether we can provide you with a given service and it is up to them to make the final decision on this matter.
- Cookies are small text information in the form of text files, sent by the server and saved on a device of the person visiting the Website (e.g. on the hard drive of the computer, laptop or on the smartphone’s memory card – depending on which device you use). Detailed information about cookies as well as the history of their creation can be found among others here.
- The Administrator may process data contained in Cookies when users use the Website for the following purposes:
- identification of users as logged in to the Website and showing that they are logged in;
- remembering data from completed forms, surveys or login data to the Website;
- adjusting the content of the Website to individual preferences of users (e.g. regarding colours, font size, page layout) and optimization of the use of the Website;
- keeping anonymous statistics presenting how the Website is used;
- displaying individualized advertisements for the Website user, according to preferences;
- better optimization of the functioning of the Website.
- By saving cookies, the device records the activity of the Website user, and it is thanks to this that the Website displayed to the user is individualized according to his preferences.
- As a standard, most web browsers available on the market accept cookies by default. Everyone has the possibility to define the terms of using cookies through their own browser’s settings. This means that you can, for example, partially restrict (e.g. temporarily) or completely disable the option of saving cookies – in the latter case, however, it may affect some of the Website’s functionalities (for example, it may not be possible to pass the sales offer path due to the failure to remember data during the subsequent steps of submitting offers).
- Detailed information on changing cookies settings and their removal in the most popular web browsers is available in the help section of the web browser and on the following pages (just click on the link):
- Internet Explorer
- The Administrator also processes anonymized operational data related to the use of the Website (so-called logs, domain) to generate statistics helpful in administering the Website. For this purpose, we use services of third parties. Data processed by these entities is aggregate and anonymous, i.e. it does not contain features identifying visitors of the Website.
XI. HOW WE SECURE YOUR DATA
- We apply an optimal range of organizational measures to ensure the proper protection of your data; in particular, we:
- secure against the possibility of personal data being collected, copied or disclosed to unauthorized persons;
- protect personal data, databases and devices on which personal data are processed from loss, damage or destruction.
- We store, use and transmit your data in a manner that ensures its proper protection, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical and organizational measures.
- We have implemented a number of security measures to ensure that your information will not be lost, used or changed. Our data security measures include, among others: PCI scanning, encryption, pseudonymization, data backup, regular testing, measuring and assessing the effectiveness of security measures used, restrictions on access to internal data and strict physical controls of access to buildings and files.
- Access to data processed by us is carried out through an internal network, secured by our certificates and keys, thus excluding third party access “from outside” as well as “our” unauthorized persons.
- In order to secure your data, we have developed and are constantly improving our own original script that encrypts data.
- When we store your data on internal servers, we do it through entities that guarantee the security of the infrastructure offered (PCI-DSS certification, ISO/IEC 27001 certification, SOC 1 TYPE II and SOC 2 TYPE II certificates, etc.), which have a good reputation, and whose services are used by other entities processing personal data of special importance. For this reason, the servers used by us are located in several places in Europe (some of them are located in ……….).
- Regardless of the above, please remember that it is impossible to guarantee 100% secure data transmission over the Internet or electronic data storage methods. Therefore, we ask that you also take reasonable precautions to protect your personal data. If you suspect that your personal information has been compromised, in particular the account or password information has been disclosed, contact us immediately.
- The details of the IT solutions protecting your data are kept confidential, which makes them more difficult to break.