Privacy Policy

Last Updated: 16 January 2024

PLEASE READ THE ENTIRE PRIVACY POLICY AND ALSO OUR RISK WARNING AND TERMS AND CONDITIONS CAREFULLY.

About this Privacy Policy

Protecting our website visitors’ and clients' privacy is an essential priority at Bitpace (“we” or “us” or “our”), and we are committed to maintaining strong and meaningful privacy protections. The privacy of your information is a significant responsibility, and we value the trust you place in us.

In particular, we would like to inform you hereby of the nature, scope and purpose of the personal data we collect, use and process via our website https://www.bitpace.com/, our sandbox environment and our services. Furthermore, we would like to inform you about the personal data-related rights to which the corresponding data subject is entitled.

This Privacy Policy is provided in line with the requirements of privacy laws such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), as well as the applicable local legislation in Bulgaria and Lithuania.

When referring to “you” or “your”, we mean separately and collectively any visitor or user of this website or the sandbox environment or user of our services as a data subject, as well (if the context allows doing so) as any merchant or partner that is employing or receiving services from such a user.

You can find the contact details of the competent supervisory authority for data protection in each jurisdiction part of the European Economic Area (“EEA”) at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Acceptance of this Privacy Policy

By accessing and using our website, sandbox environment and/or our services, you hereby declare your acceptance of the terms of this Privacy Policy.

If you are acting on behalf of a merchant or a partner, when you provide us with personal data of persons related to that merchant or partner, such as shareholders, directors, employees, authorised representatives or users, contractors, end-customers, or any other related natural person (“related persons”), you declare that you have the right or are authorised to do so and, when you are so required by applicable privacy laws, you should have made them aware of this Privacy Policy.

Unless we otherwise agree with you in writing, if you do not consent to any part of the present Privacy Policy, please do not use our website, sandbox environment and our services.

Who we are

Unless otherwise specified, the following companies (each trading as Bitpace) act as joint-controllers with regards to the processing of your personal information as described in this Privacy Policy:

  • SG Veteris Estonia OÜ, a private limited company, incorporated in Estonia (registry code 16564979) with a registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Raua tn 36, 10120, Estonia; registered as a Virtual Assets Service Provider (“VASP”) by the Financial Intelligence Unit (FIU) in Estonia, licence number FVT000552;

  • SG Veteris Europe EOOD, a private limited company, incorporated in Bulgaria (company number UIC 206635600) with a registered address at Evropark building, 40 Tsarigradsko Shose Blvd., 2nd floor, 1750 Sofia, Bulgaria; registered as a crypto-asset business by the National Revenue Agency (NRA) in Bulgaria;

  • UAB “SG Veteris Lithuania”, a private limited company, incorporated in Lithuania (registration number 305940990) with a registered office at Eišiškių Sodų 18-oji g. 11, Vilnius, Lithuania; registered as a VASP in the legal entities registry supervised by the Financial Crime Investigation Service (FCIS) in Lithuania.

Please note that we may also act as a data processor, for instance, in relation to personal data that you (as our merchant or partner) require us to process.

If you are a merchant or a partner, the Bitpace entity that enters into a merchant agreement or partner agreement (or similar) with you will be the sole personal data controller. Additionally, we may enter into a data processing agreement or addendum (“DPA”) with you. Such DPA will establish which Bitpace entity is the controller or processor, in addition to the personal data we will process and the purposes of such processing. In case of discrepancy between any provision of this Privacy Policy and the DPA, the provision of the DPA will prevail.

How to contact us

Any data subject may, at any time, contact us and our Data Protection Officer via the email below with all questions and suggestions concerning privacy and data protection.

Address: Please refer to each registered entity address above.

Email: [email protected]

Managing your information preferences

You can review, correct, update, or change your personal information (or if you are a merchant or a partner – the information of your related persons) that you have provided to us, opt-out or opt-in (as applicable) of receiving certain emails by changing the relevant settings in your account (if technically available) or by emailing us at [email protected]. However, please note that the deletion of your personal information might be executed only in the cases where certain conditions (as per the applicable laws) are satisfied (e.g. after the retention period has elapsed).

You can unsubscribe from receiving marketing emails from us; however, you cannot opt-out from receiving emails related to the status or maintenance of your account. If you have questions or concerns regarding this Privacy Policy, please email us at [email protected].

Definitions

In this Privacy Policy, we use the following defined terms:

  • Personal Data is any information relating to an identified or identifiable natural person;
  • Data Subject is any identified or identifiable natural person;
  • Processing is any operation or set of operations that is performed on personal data or sets of personal data;
  • Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
  • Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.

Information we may collect automatically through cookies and other technologies

While browsing or using some of the functionalities on our website, as well as by using cookies, we collect personal data. We may collect information about the products or services you looked at or searched for and this website’s functions you used, including time spent and other statistical information. Certain types of information may be received automatically, such as whenever you interact with the website or use our services. This information does not necessarily reveal your personal identity directly but may include information about the specific device you are using, such as device ID, operating system, web browser (such as Chrome, Firefox, Safari, or Internet Explorer) and your IP address/MAC address/device identifier.

For example, we automatically receive and record information on our server logs from your browser, including how you came to and used the services; your IP address; device type and unique device identification numbers; device event information (such as browser type, browser language, the date and time of your request and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. How your device has interacted with our website, including pages accessed and links clicked, may be automatically collected. Bitpace may use identifiers to recognise you when you arrive at the website via an external link, such as a link appearing on a third-party site.

Please refer to our Cookie Policy for additional information on how to manage our use of cookies.

What personal data we collect

We collect personal data about you and, when you are a merchant or a partner, about people related to you (such as beneficial owners, directors, authorised representatives of the merchants or our partners or other data subjects related to such businesses).

Amongst others, the personal data that we may collect includes:

  • When you register on our website and create an account: full name, your business name, your email address, and country for the registration.
  • When you submit a general inquiry on our website: full name, email address and any other personal data you may have added in the message box.
  • With regards to related persons personal identification information: full name, date of birth, photograph, full colour copies of national ID, phone number, email address, national ID number and postal address.
  • When processing a cryptoasset payment for the merchant: (i) related person of a merchant that is dealing with the merchant’s transaction, such as user details of the related person for signing in on Bitpace; or (ii) merchant’s end-customer: email address, Internet Protocol (IP) address, wallet address (as long as they can be linked to an individual and considered personal data). Please note that the merchant end-customer’s full name may be passed by the merchant to us, but is not mandatory for processing the transaction (it can be left blank).
  • With regards to relationship details: relationship with the merchant or partner in regard to the related persons, business information (role, capacity or title), business contact details.
  • When completing our application form: non-personal data for the merchants or partners, such as legal name, trading name, company registration number, registered address, operational address, country and date of incorporation, business type, etc. However, our application form also requires information about individuals related to the merchant or partner such as, (i) primary contact name, phone and email address; (ii) shareholders/beneficial owners, directors, authorised signatories’ full name, date of birth, nationality, residential address, position, percentage of ownership (if individual shareholder/beneficial owner).
  • While onboarding or dealings with you, including through completing due diligence, when administering transactions and carrying out reviews, when contacting us, when using the website or applications, and from publicly available sources or third parties: national identity card details, passport numbers, driver's licence details and/or photographic identification cards, and utility bills of the merchant’s or partner’s related persons, source of wealth of beneficial owner(s).
  • While tracking transaction history: coin transaction history, transaction amount and wallet addresses.
  • With regards to online trackers (all visitors and users): browser name, version and fingerprint, IP address and geolocation, should you choose to enable these following our Cookie Policy as laid out above.

We also collect other information you choose to provide our personnel or support team, including while reacting to our social media posts where you mention or address Bitpace (or its services).

Bitpace collects personal data directly from the merchant or partner and related persons and from other sources described below:

  • We will check our own records for information about (i) any accounts belonging to the merchant or partner or any associated businesses and (ii) the merchant's or partner’s shareholders who might or might not be beneficial owners of the businesses.
  • We may carry out searches using financial crime prevention agencies for information relating to the merchant's or partner’s business and related persons.
  • We may search publicly available sources, such as media stories, companies’ registries and other public registries or records for information relating to the merchant’s or partner's business and related persons.

We would also like to highlight that some of the information that we may collect might fall into special categories of personal data (also known as sensitive personal data). For example, the client due diligence checks we carry out may reveal political opinions or information about criminal convictions or offences of the merchant or partner and the persons related to them. In addition, if incorrect information is provided or fraud is suspected, we will record this. We may also pass this information to financial crime prevention agencies, where it may be accessed by law enforcement agencies globally.

Why do we collect and process your data: the legal basis for doing so

We must have a legal basis to collect and process personal data. We collect and process personal data only on the grounds allowed by the GDPR. We reassure you herewith that we will use personal data only for lawful purposes such as (i) identity verification; (ii) mitigation of financial and business risk; (iii) detection, investigation, assessment, monitoring and prevention of fraud and other crime; (iv) compliance with anti-money laundering, counterterrorism financing, anti-bribery and corruption and similar laws; (v) legitimate business needs.

See the summary below (other sections of this Privacy Policy or separate agreements with you may also contain other purposes and legal basis).

Purpose: For providing and improving our services
We will mainly use the information to provide the services you have requested from us. For user authentication, management and administration of services and monitoring and reporting to develop and improve our services.
Legal Basis: For the performance of a contract
If you use our contact form or register as a user on our website (you are accepting our Terms and Conditions), or if we enter into a merchant or other separate agreement with a merchant or a partner, we may process personal data to perform our contractual obligations. We process such data on these grounds when we execute transactions requested by our clients. Namely, we process data for the purposes of transaction processing, registering of trades, monitoring and analysis activities to develop and manage our products and services, to name but a few. For the purposes of performing a contract, we may also transfer the necessary personal data to third parties (such as, but not limited to, banks and payment processors).

Legitimate interest
Where it is in our legitimate interests to ensure that our services are well-managed, and their quality is improved so that our clients are provided with a high standard of service to protect our business interests and the interests of our clients.



Purpose: For transaction processing
We will use certain personal data for the purposes of providing our specific services related to cryptoasset transactions, so that the merchants and we can identify a transaction or so that we are able to block transactions from sanctioned jurisdictions. For example: the sign-in details on Bitpace’s platform of merchants’ related persons (who perform a transaction on behalf of the merchant); or merchants’ end-customers’ email address, IP address, payment information and wallet addresses.
Legal Basis: Legal obligations
Where the law requires this (e.g. anti-money laundering and terrorist financing regulations).

Legitimate interest
Where it is in our legitimate interest to develop, build, implement and run business models and systems which protect our business interests and provide our clients with a high standard of service.



Purpose: To comply with applicable laws such as anti-money laundering and counter-terrorism financing laws, and for financial crime/fraud prevention
We will use personal data for undertaking client due diligence checks for the prevention and detection of financial and other crimes and undertaking checks, including on merchants’ and partners’ related parties, in relation to identity verification (e.g., via a copy of an ID card, driving licence or utility bill), application checks, anti-money laundering, counter-terrorism financing, compliance and risk screening and for preventing illicit or fraudulent behaviour on our website, sandbox environment or when providing our service, as we are obligated by applicable laws. We need also to perform ongoing monitoring of and investigate personal data and financial data that are related to users' accounts. For the same purpose, if the merchant or partner is required by applicable laws to perform due diligence on their end customers, we may request for the merchant or partner to share such due diligence with us.
Legal Basis: Legal obligations
Where the law requires this (e.g. anti-money laundering and terrorist financing regulations).

Legitimate interest
Where it is in our legitimate interest to prevent and investigate fraud, money laundering and other crimes and to verify the client's identity in order to protect our business and to comply with laws that apply to us.



Purpose: To cooperate with authorities
We may process personal data in cases when we are requested to do so by official public authorities or for the purposes of legal proceedings for disputes, fraudulent activities, etc.
Legal Basis: Legal obligations
Where the law requires this (e.g. anti-money laundering and terrorist financing regulations).



Purpose: To exercise our legal rights
We may use personal data where it is necessary to do so, for example to detect, prevent and respond to fraud or other violations of law, for legal and dispute management purposes, and for debt collection and recoveries purposes.
Legal Basis: Legal obligations
Where the law requires this (e.g. anti-money laundering and terrorist financing regulations).

Legitimate interest
Where it is in our legitimate interest to prevent and investigate fraud, money laundering and other crimes and to verify the client's identity in order to protect our business and to comply with laws that apply to us.



Purpose: To keep in touch
We use some personal data to contact you and respond to your inquiries. We send important notifications to your email address, such as transaction-related information, verification requests/statuses, security-related warnings/requests, as well as general technical and administrative information such as maintenance, downtimes and software update notifications.
Legal Basis: For the performance of a contract
Where we are obliged by a contract to provide you certain notices in relation to the performance of such a contract.

Legitimate interest
Where it is our legitimate interest to provide information about our business and services that we believe would benefit or inform our clients.



Purpose: To send marketing communication to our merchants
We may use personal data to send advertisements and offers to our business customers. We may send direct marketing messages to companies or their representatives promoting our products and services. We will, at all times, provide the option to “opt-out” of receiving such messages and we will respect your choice and stop sending marketing messages. Please note that if you are already our customer, we may still continue sending you other communications necessary for the provision of our services and maintaining our relationship with you.
Legal Basis: Legitimate interest
Where it is in our legitimate commercial interest to send marketing communication. Recipients of any marketing communications may tell us at any time if they wish to change their contact preferences for this purpose (e.g., opt-out, unsubscribe, preferred communication channels changes).



Purpose: To offer you exciting deals
We may also use personal data to provide advertisements for our offers. In case you sign up for our newsletter, you will receive our promotional emails. We can also use your information to communicate with you. If you express your explicit consent, your data will be used to provide information about promotions and other information related to our services.
Legal Basis: Consent
Where we have your permission to do so (e.g., opt-in, subscribe, via email). Recipients of any marketing communications may tell us at any time if they wish to change their contact preferences for this purpose (e.g., opt-out, unsubscribe, preferred communication channels changes).



Purpose: To share your information
For example, your corporate email address, in a secure format, with social media and third-party digital platforms so we can tell you about our products and services.
Legal Basis: Consent
Where we have your permission to do so.

Legitimate interest
Where it is our legitimate interest to use social media companies and third-party digital platforms to share information with you about our products or services that may be relevant and beneficial to you. You can at any time object to the processing of your information in such a manner based on our legitimate interest.



Please also consider that:

  • Where we process special categories of personal data, we will usually do so on the basis that it is necessary for reasons of substantial public interest or to establish, exercise or defend any legal claims. In any case, we will carry out the processing in accordance with applicable laws.
  • We process personal data for closely related purposes, such as payment processing and financial account management, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.
  • We store the information in the corresponding account based on the legitimate interest that both Bitpace and our clients have. We process this information to provide you with our services or to answer your queries. We also store personal data for the purposes of civil legal proceedings and administrative and criminal investigations to comply with the laws applicable to us globally.
  • Where you have presented to us any additional personal data (by including it in your written requests, by presenting it through documents that you have applied in your requests or by any other means), that personal data will be processed on the grounds of your consent. You can withdraw your consent at any time by writing a short email to: [email protected].
  • When we process personal data to meet our legitimate interests, we put in place robust safeguards to ensure that data subjects’ privacy is protected and to ensure that our legitimate interests do not override the data subjects’ interests or fundamental rights and freedoms.

Automated data processing and profiling

We use profiling and analytics to understand how individuals use our services for product development and business intelligence purposes. These analytics help us understand and improve our services and better serve our clients. We also use analytics for security and anti-fraud purposes. We will not make automated decisions about you that may significantly affect you unless (i) the decision is necessary as part of a contract that we have with you, (ii) we have your explicit consent, or (iii) we are required by law to use the technology.

While providing services on our website, we do not use mechanisms or algorithms for automated processing of your personal data or decision-making without human intervention (except that we may perform automated processing as a part of Know Your Customer (KYC)/Know Your Business (KYB) and enhanced due diligence verification procedures).

What are your rights, and how to exercise them

The GDPR grants data subjects a number of individual rights. Please be aware that those rights are not absolute and may not apply in certain circumstances. For ease of reference, we provide below a non-exhaustive summary of the data subject’s rights. For further details, we suggest visiting http://www.aki.ee/, https://www.cpdp.bg/ and/or https://vdai.lrv.lt/.

Information or confirmation as to whether or not personal data concerning you are being processed. Access information about, for instance, but not limited to, the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed.

Rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement/documents.

Erasure (to be forgotten) of personal data concerning yourself in certain circumstances. This right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. Please note that when we are required by law to process certain personal data, then the right to erasure will not apply to such data, e.g. when we are obligated by law to retain the personal data for a certain period of time. We would also like to clarify that the right to be forgotten applies in such a way that the erasure will be fulfilled in respect of live systems, but the data will remain within the backup environment for a certain period of time until it is overwritten. This signifies that we will put the backup data ‘beyond use’, even if it cannot be immediately overwritten (the backup is simply held on our systems until it is replaced in line with an established schedule).

Restriction of processing in certain circumstances. This is an alternative to requesting the erasure of your data, where for instance (but not limited to), the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead unless this proves impossible or involves disproportionate effort.

Data portability of the personal data as long as the processing is based on consent or on a contract, and the processing is carried out by automated means. This right allows data subjects to obtain and reuse their personal data for their own purposes across different services, from one IT environment to another, in a safe and secure way, without affecting its usability.

Object to the processing of personal data. For instance (but not limited to), the data subject has the right to object, at any time, to the processing of personal data concerning them for marketing purposes; however, if the data subject is objecting to other uses, we can refuse to comply with the objection but only if we can prove we have a strong reason to continue processing your data that overrides your objection. In particular, the data subject has the right to object at any time to the processing on the basis of legitimate interest, in which case Bitpace shall no longer process the personal data unless Bitpace demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Avoid automated decision-making (with no human involvement), such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and data subjects are permitted to challenge and request a review of the processing if they believe such rules are not being followed.

Withdraw data protection consent to the processing of your personal data at any time and we will cease the processing of the relevant information. However, please bear in mind that consent is only one of several lawful grounds for personal data processing, so exercising this right means that there is no other legal basis in place.

Information on action taken within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

Information in case of a data breach that is likely to result in a high risk to the rights and freedoms of the data subject.

If a data subject wishes to avail themselves of any of the above rights, they may, at any time, contact us (albeit where/if technically possible, the data subject may be able to help themselves directly).

Our contact details for exercising your rights are:

Additionally, data subjects have the right to lodge a complaint with the competent supervisory authority and before the competent courts if the data subject considers that the processing of their personal data is in breach of the provisions of the applicable privacy laws, including the present Privacy Policy.

Please note that you can lodge a complaint before the competent supervisory authority. You can find the contact details of the competent authorities in the EEA at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

The details for the Estonian competent supervisory authority for data protection are:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Tatari 39, 10134 Tallinn
Tel. +372 6828 712
Email: [email protected]
Website: http://www.aki.ee/

The details for the Bulgarian competent supervisory authority for data protection are:

Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd. 1592 Sofia
Tel. +359 2 915 3580, +359 2 915 3548
Fax +359 2 915 3525
Email: [email protected]
Website: https://www.cpdp.bg/

The details for the Lithuanian competent supervisory authority for data protection are:

State Data Protection Inspectorate
L. Sapiegos str. 17 LT-10312 Vilnius
Tel. +370 5 271 2804, +370 5 279 1445
Fax +370 5 261 9494
Email: [email protected]
Website: https://vdai.lrv.lt/

We kindly ask you to send your complaint to [email protected] first and await our official response to your complaint, should you decide to further escalate it to the competent supervisory authority(-ies).

For how long do we keep your personal data

We retain your personal data for the minimum period required to comply with the purposes set out by this Privacy Policy unless we are obligated by law and/or have the right to retain it for a longer period.

We will retain personal data to enable us to:

  • Maintain business records for analysis and/or audit purposes.
  • Comply with record retention requirements under the law (for example, as required under legislation concerning the prevention, detection and investigation of money laundering and terrorist financing).
  • Defend or bring any existing or potential legal claims.
  • Deal with any future complaints regarding the services we have delivered.

Except as otherwise expressed or required by applicable laws, please also note that we generally apply the following storage periods:

  • All data is stored in its original format for a period of ten (10) years on server(s) of Bitpace in the manner created;
  • Five (5) years after the date a business relationship ends or the date a transaction is completed, for records that contain personal data that we had processed in order to comply with anti-money laundering and counter-terrorism financing laws (however, as noted in this Privacy Policy we may retain these records for longer periods);
  • No less than twelve (12) months after the collection and processing of data, related to geographical IP location, date, time, and duration of a website session of the person transferred to the Bitpace’s gateway to complete a transaction;
  • Two (2) years after the date when you have contacted us via any communication channel we support and have provided any personal data.

We will retain personal data after those times if we are required to do so to comply with the law in the cases of outstanding claims or complaints that will reasonably require personal data to be retained, or for regulatory or technical reasons. Where we retain this data, we will continue to make sure that the data subjects’ privacy is protected.

Please bear in mind that, in certain circumstances, for instance, when we are obligated to retain personal data for a prescribed period of time or when we need to retain the data for the establishment, exercise or defence of legal claims, we do not have the right to erase the data prior to the end of the prescribed retention period, even if we have received such a request from you.

If you have consented to receive information about products and services (including such by other companies and organisations), which we believe you are interested in, we will process your contact details until you decide to withdraw your consent.

How and why we may share or transfer personal data to third parties, third countries and international organisations

Where necessary we may provide (share or transfer) personal data about you:

  • to other members of our group, including internal service companies and to other group companies and entities with whom the merchant or partner has a relationship;
  • to anyone as a result of any restructure, sale or acquisition or to anyone to whom we transfer or may transfer our rights;
  • if we are required, requested or permitted to do so by law, regulation, court order, or supervisory, regulatory or similar authority;
  • for international payments where we are required to send details of the payee and the beneficiary with the payment, and to overseas regulators and authorities in connection with their legitimate duties;
  • to our trusted partners (as long as this is necessary for the services we use, for example, payment aggregators, technical support of our website/platform, managing our Customer Support Centre and communication channels, such as our online chat platform, etc.), whose adherence to the highest data security and privacy standards is assured on our end. Namely, we are in contractual relationships with those companies, guaranteeing the provided personal data is processed exclusively and as strictly necessary for the provision of their services to us.

Please bear in mind that the data transferred is limited to the purpose for which it is transferred. By adhering to that notion, we give access to information to third parties only after a detailed documentation review and only if they meet the requirements of the applicable regulatory regime. This review carefully addresses the competence of each third party as well as technical and organisational data protection measures.

Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we are located).

If your personal data is transferred outside the EEA to a country whose data protection standards are not deemed to be adequate, we do ensure that other measures guarantee data protection. The safeguards will include the use of contractual terms approved by the European Commission and/or other appropriate safeguards to ensure that personal data is sent and received in accordance with applicable laws.

Further information about the safeguards used by Bitpace can be obtained from our Data Protection Officer via email to [email protected].

How do we protect your information

We take all the necessary measures to ensure the confidentiality of personal data and any other confidential information provided to us that is not personal data. We will comply with our obligations of confidentiality and establish and maintain adequate security measures to safeguard confidential information from unauthorised access or use.

We have put in place technical and organisational measures that meet the GDPR requirements and require third-party service providers that we use to do the same. We take reasonable technical and organisational measures to prevent the loss, misuse, or erasure of your personal information. We store all personal information we are provided with on our password-protected servers. All electronic financial transactions concluded through our website are protected by encryption technology. When you use a form on our website to send us data, this transmission goes exclusively through an encrypted TLS connection. Your information is stored and encrypted using the SSL/TLS certificate on the website.

We cannot bear responsibility for third-party sites that the website has a link to or for their policies. If you click on a link to a third-party site, please read the privacy policy/notice of the named site carefully and choose whether it is appropriate to use it.

The implemented technical and organisational measures to ensure that processing is carried out in accordance with the GDPR that we have in place include, but are not limited to:

  • pseudonymisation of personal data (when practicable);
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

These measures are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

Changes to this Privacy Policy

PLEASE RETAIN A COPY OF THIS PRIVACY POLICY FOR YOUR RECORDS AND CHECK THIS WEBSITE FREQUENTLY FOR ANY CHANGES.

We reserve the right to make changes to this Privacy Policy from time to time, so please check back periodically for changes. You will be able to see that changes have been made by consulting the last updated version and date posted at the top of this Privacy Policy.

If we elect to use or disclose your personal data in a manner that is materially different from that stated in this Privacy Policy at the time we collected that information from you, we will give you a choice regarding such use or disclosure by appropriate means, which may include use of an opt-out mechanism. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on the merchants’ or partners’ related persons, we will give reasonable advance notice to such merchants or partners.