Introduction

As part of our daily business operations, we collect personal information from our clients and prospective clients in order to provide them with our products and services, and ensure that we can meet their needs when providing these products and services, as well as when providing them with any respective information.

Your privacy is of utmost importance to us, and it is our policy to safeguard and respect the confidentiality of information and the privacy of individuals. This Privacy Notice sets out how Cryppo UAB products and services (“the Company”, “We”, “Us”, and the the “Cryppo Exchange” or “Exchange”), collects, uses and manages the personal information we receive from you, or a third party, in connection with our provision of services to you or which we collect from your use of our services and/or our website. The Privacy Notice also informs you of your rights with respect to the processing of your personal information.

Our Privacy Notice is reviewed regularly to ensure that any new obligations and technologies, as well as any changes to our business operations and practices are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Notice.

Please note that if you are an employee of the Company, a contractor to the Company or a third-party provider, your personal information will be used in connection with your employment contract or your contractual relationship, whichever applies.

This Privacy Notice applies to the processing activities performed by Cryppo UAB to the personal information of its clients and its potential clients and website visitors.

We may amend this Privacy Notice at any time by posting the amended version on this site including the effective date of the amended version. We will announce any material changes to this Privacy Notice on our website.

Definitions

2.1 As used herein, the following terms are defined as follows:

2.1.1 “Digital Asset” is a digital representation of value (also referred to as “cryptocurrency,” “virtual currency,” “digital currency,” “crypto token,” “crypto asset,” or “digital commodity”), such as bitcoin, USDT or other, which is based on the cryptographic protocol of a computer network that may be (i) centralized or decentralized, (ii) closed or open-source, and (iii) used as a medium of exchange and/or store of value.

2.1.2 “Cryppo Account” means a user-accessible account offered via the Cryppo Exchange Services where Digital Assets are stored.

2.1.3 “Cryppo Exchange Services” means Cryppo-branded websites, applications, services, or tools operated by Cryppo UAB company.

2.1.4 “We,” and “Us” refers to Cryppo UAB.

2.1.5 “Personal Information” or “Personal Data” or “your data” refers to any information relating to you, as an identified or identifiable natural person, including your name, an identification number, location data, or an online identifier or to one or more factors specific to the physical, economic, cultural or social identity of you as a natural person.

Your Data Controller

Our products and services are provided through Cryppo UAB.

You are contracting with Cryppo UAB, where the verification platform is Sumsub.

The Company you are contracting with is your Data Controller, and is responsible for the collection, use, disclosure, retention and protection of your personal information in accordance with our global privacy standards, this Privacy Notice, as well as any applicable national laws. The Company uses encryption to protect your information and store decryption keys in separate systems. We process and retain your personal information on our servers in multiple data center locations, including the European Union.

How do we protect personal information?

The Company respects the privacy of any users who access its website, and it is therefore committed to taking all reasonable steps to safeguard any existing or prospective clients, applicants and website visitors.

The Company keeps any personal data of its clients and its potential clients in accordance with the applicable privacy and data protection laws and regulations.

We have the necessary and appropriate technical and organizational measures and procedures in place to ensure that your information remains secure at all times. We regularly train and raise awareness for all our employees to the importance of maintaining, safeguarding and respecting your personal information and privacy. We regard breaches of individuals’ privacy very seriously and will impose appropriate disciplinary measures, including dismissal from employment. We have also appointed a Company’s Data Protection Officer, to ensure that our Company manages and processes your personal information in compliance with the applicable privacy and data protection laws and regulations, and in accordance with this Privacy Notice.

The personal information that you provide us with when applying to open an account, applying for a role within the Company, or when using our website, is classified as registered information, which is protected in several ways. You can access your registered information after logging in to your account by entering your username and the password that you have selected. It is your responsibility to make sure that your password is only known to you and not disclosed to anyone else. Registered information is securely stored in a safe location, and only authorised personnel have access to it via a username and password. All personal information is transferred to the Company over a secure connection, and thus all reasonable measures are taken to prevent unauthorised parties from viewing any such information. Personal information provided to the Company that does not classify as registered information is also kept in a safe environment and accessible by authorised personnel only through username and password.

Information we may collect about you

In order to open an account with us, you must first complete and submit a “create account” form to us by completing the required information. By completing this form, you are requested to disclose personal information in order to enable the Company to assess your application and comply with the relevant laws (including their regulations).

The information that we collect from you is as follows:

• Name of the Customer;
• Customer's personal identification code or registry code. In the absence of a personal identification code, date and place of birth;
• Country of residence or domicile of the Client;
• Customer's contact address;
• Customer's telephone number;
• Customer's e-mail address;
• Customer's field of activity;
• The same information about the Client's representative as about the individual Client;
• he basis for the right of representation of the Client's representative;
• the Client's confirmation that he / she, in the case of a legal entity, his / her Actual Beneficiary and his / her representative, is not a Person with a State Background;
• in the case of a natural person, the Client's confirmation that he or she is the Actual Beneficiary and in the case of a legal entity, information on the ownership and control structure of the Client and the Actual Beneficiary.

When establishing a Customer Relationship, the Company shall collect at least the following documents about the Customer:

• a copy / photograph of the identity document (facial image) used by the natural person's Client or the legal person's Client's representative in the course of identification;
• in the case of a legal person, a printout of the registry card and / or a documentary confirmation confirming the continued operation of the legal person;
• in the case of a legal entity, inquiries about related parties indicated by the Client;
• if an authorized representative is used, the corresponding power of attorney. At the request of the Company, the Client with a foreign residence or his / her representative must submit a notarised or equivalent document certifying his / her authority, which is legalized or certified with a certificate (apostille) replacing legalization, unless otherwise provided by an international agreement.

Other Personal Information or commercial and/or identification information – Whatever information we, in our sole discretion, deem necessary to comply with our legal obligations under various anti-money laundering (AML) obligations, such as under the European Union’s 4th AML Directive and the U.S. Bank Secrecy Act (BSA).

If the person is a foreign citizen, a valid travel document (e.g. passport), in addition to the digital identity document issued in the Republic of Lithuania or another high-reliability e-identification system entered in the e-identification and e-identification system of Regulation (EU) No 910/2014 of the European Parliament and of the Council, repealing the list published in the Official Journal of the European Union pursuant to Article 9 of Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73–114).

Personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with.

Information we receive about you from other sources.

We obtain information about you in a number of ways through your use of our services, including through any of our websites, the account opening process, webinar sign-up forms, event subscribing, news and updates subscribing, and from information provided in the course of on-going support service communications. We also receive information about you from third parties such as your payment providers and through publicly available sources. For example:

• The banks you use to transfer money to us will provide us with your basic personal information, such as your name and address, as well as your financial information such as your bank account details;
• Your business partners may provide us with your name and address, as well as financial information;
• Advertising networks, analytics providers and search information providers may provide us with anonymized or de-identified information about you, such as confirming how you found our website;
• Credit reference agencies do not provide us with any personal information about you, but may be used to corroborate the information you have provided to us.

General principles for the processing of personal data

Processing Personal Data is a broad concept under the GDPR

The GDPR governs how the Personal Data of individuals may be processed by organizations. “Personal Data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:

Personal Data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own or in combination with other pieces of information to identify a person. Personal Data is not just a person’s name or e-mail address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of Personal Data are given a higher level of data protection because of their sensitive nature and are not processed. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information (including Personal Data about criminal offenses, or alleged offenses).

Processing Personal Data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. In practical terms, this means any process that stores or consults Personal Data is considered processing.

Principle of legality:

• The company ensures that personal data is processed fairly and lawfully.
• The legal basis for the processing of an employee's personal data is an obligation arising from law or the employee's express consent. Employees have the right to make inquiries about the processing of their personal data.
• The legal bases for processing the customer's personal data are set out in the privacy policy on the Company's website.

Principle of purpose:

• The company processes personal data purposefully. Personal data shall only be processed to the extent necessary to achieve the purpose of the processing. if the consent of the Employee and / or the Client has been obtained for this purpose or if the admissibility of processing arises from legislation.
• The undertaking shall, at the request of the competent law enforcement or supervisory authority, provide information, documents and oral or written explanations on the relevant facts.

The principle of minimum:

• The Company processes the personal data of the Employees only to the extent that enables the purpose required for the processing to be achieved. Neither the employee nor the customer is obliged to provide the Company with more personal data than is necessary to achieve the purposes of data collection.

Data quality principle:

• The personal data processed must be relevant, complete and necessary for the purposes for which they are processed.
• The company regularly inspects the data carriers containing personal data in order to determine whether there is a continuing need to store the collected data. The company ensures that the data collected is correct and corrects or deletes outdated and unnecessary personal data.

Principle of security:

• The company shall implement appropriate organizational and technological security measures to protect the personal data collected against unauthorized processing, disclosure or destruction.
• Access to personal data is guaranteed only to authorized persons.

• Disclosure of your personal information

The Company will not disclose any of its clients’ confidential information to a third party, except: (a) to the extent that it is required to do so pursuant to any applicable laws, rules or regulations; (b) if there is a duty to disclose; (c) if our legitimate business interests require disclosure; (d) in line with our Terms of Service; (e) at your request or with your consent or to those described in this Privacy Notice. The Company will endeavour to make such disclosures on a “need-to-know” basis, unless otherwise instructed by a regulatory authority. Under such circumstances, the Company will notify the third party regarding the confidential nature of any such information.

As part of using your personal information for the purposes set out above, the Company may disclose your personal information to the following:

• Any members of the Company, which means that they may receive such information;
• Any of our service providers and business partners, for business purposes, such as specialist advisors who have been contracted to provide us with administrative, financial, legal, tax, compliance, insurance, IT, debt-recovery, analytics, research or other services;

If the Company discloses your personal information to service providers and business partners, in order to perform the services requested by clients, such providers and partners may store your personal information within their own systems in order to comply with their legal and other obligations.

We require that service providers and business partners who process personal information to acknowledge the confidentiality of this information, undertake to respect any client’s right to privacy and comply with all relevant privacy and data protection laws and this Privacy Notice.

Where we store your personal data

Our operations are supported by a network of computers, servers, and other infrastructure and information technology, including, but not limited to, third-party service providers. We and our third-party service providers and business partners store and process your personal data in the European Union.

The Company shall keep documents and records in a manner that allows for an exhaustive and immediate response to inquiries from the FIU or other supervisory authorities, investigative bodies or courts as required by law, including whether the Company has or has had a business relationship with the person named in the inquiry. is or was the nature of that relationship.

Transfers of personal information outside of the European Union Area (EU)

We may transfer your personal information outside the EU to other Company subsidiaries, service providers and business partners (i.e Data Processors) who are engaged on our behalf. Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. To the extent that we transfer your personal information outside of the EU, we will ensure that the transfer is lawful and that Data Processors in third countries are obliged to comply with the European Union (EU) General Data Protection Act 2016. If transfers of personal information are processed in the US, we may in some cases rely on standard contractual clauses.

A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor. Art. 44 of GDPR.

Transfers of Personal Information outside of your country

By using our products and services, you consent to your Personal Data being transferred to other countries, including countries that have differing levels of privacy and data protection laws than your country. In all such transfers, we will protect your personal information as described in this Privacy Notice, and ensure that appropriate information sharing contractual agreements are in place.

Privacy when using digital assets and blockchains

Your funding of bitcoin, USDT and other Digital Assets, may be recorded on a public blockchain. Public blockchains are distributed ledgers, intended to immutably record transactions across wide networks of computer systems. Many blockchains are open to forensic analysis which can lead to deanonymization and the unintentional revelation of private financial information, especially when blockchain data is combined with other data.

Because blockchains are decentralized or third-party networks which are not controlled or operated by Cryppo UAB, we are not able to erase, modify, or alter personal data from such networks.

Data Retention

Safeguarding the privacy of your personal information is of utmost importance to us, whether you interact with us personally, by phone, by email, over the internet or any other electronic medium. We will hold personal information, for as long as we have a business relationship with you, in secure computer storage facilities, and we take the necessary measures to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.

When we consider that personal information is no longer necessary for the purpose for which it was collected, we will remove any details that will identify you or we will securely destroy the records. However, we may need to maintain records for a significant period of time (after you cease being our client). For example, we are subject to certain anti-money laundering laws which require us to retain the following, for a period of 5 years after our business relationship with you has ended.

• A copy of the records we used in order to comply with our client due diligence obligations;
• Supporting evidence and records of transactions with you and your relationship with us.

Also, the personal information we hold in the form of a recorded information, by telephone, electronically or otherwise, will be held in line with local regulatory requirements (i.e. 5 years after our business relationship with you has ended or longer if you have legitimate interests (such as handling a dispute with you)). If you have opted out of receiving marketing communications we will hold your details on our suppression list so that we know you do not want to receive these communications.

This personal data retention policy applies to all processors and managers of data related to the Company (documents, copies of identity documents, Instructions, employment contracts, etc.). Based on the purposes of the data processing and the legal basis, the term of data retention is set out in the Company's data register.

Cookies

When you use our products and services, we may make use of the standard practice of placing tiny data files called cookies, flash cookies, pixel tags, or other tracking tools (herein, “Cookies”) on your computer or other devices used when engaging with us. We use Cookies to (i) help us recognize you as a customer, collect information about your use of our products and services, to better customize our services and content for you, and to collect information about your computer or other access devices to ensure our compliance with our BSA and AML obligations.

Your rights regarding your personal information

The rights that are available to you in relation to the personal information we hold about you are outlined below.

Information Access

If you ask us, we will confirm whether we are processing your personal information and, if so, what information we process and, if requested, provide you with a copy of that information within 30 days from the date of your request.

Rectification

It is important to us that your personal information is up to date. We will take all reasonable steps to make sure that your personal information remains accurate, complete and up-to-date. If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified.

You may inform us at any time that your personal details have changed by emailing us at info@cryppo.com. The Company will change your personal information in accordance with your instructions. To proceed with such requests, in some cases we may need supporting documents from you as proof i.e. personal information that we are required to keep for regulatory or other legal purposes.

Erasure

You can ask us to delete or remove your personal information in certain circumstances such as if we no longer need it, provided that we have no legal obligation to retain that data. Such requests will be subject to the contract that you have with us, and to any retention limits we are required to comply with in accordance with applicable laws and regulations.

Processing restrictions

You can ask us to block or suppress the processing of your personal information in certain circumstances such as if you contest the accuracy of that personal information or object to us processing it. It will not stop us from storing your personal information. We will inform you before we decide not to agree with any requested restriction.

Data portability

In certain circumstances you might have the right, to obtain personal information you have provided us with (in a structured, commonly used and machine-readable format) and to re-use it elsewhere or ask us to transfer this to a third party of your choice.

Objection

You can ask us to stop processing your personal information, and we will do so, if we are:

• Relying on our own or someone else’s legitimate interests to process your personal information except if we can demonstrate compelling legal grounds for the processing;
• Processing your personal information for direct marketing; or
• Processing your personal information for research unless we reasonably believe such processing is necessary or prudent for the performance of a task carried out in the public interest (such as by a regulatory or enforcement agency).

Automated decision-making and profiling

If we have made a decision about you based solely on an automated process (e.g. through automatic profiling) that affects your ability to access our products and services or has another significant effect on you, you can request not to be subject to such a decision unless we can demonstrate to you that such decision is necessary for entering into, or the performance of, a contract between you and us. Even if a decision is necessary for entering into or performing a contract, you may contest the decision and require human intervention. We may not be able to offer our products or services to you, if we agree to such a request (i.e. end our relationship with you).

Changes to this Privacy Notice

Our Privacy Notice is reviewed regularly to ensure that any new obligations and technologies, as well as any changes to our business operations and practices are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Notice.

If we decide to change our Privacy Notice, we will post those changes to this Privacy Notice and other places we deem appropriate.

Our products and services are not available to children

Our products and services are not directed to persons under the age of 18, hereinafter “Children”, “Child” and we do not knowingly collect personal information from Children. If we learn that we have inadvertently gathered personal information from a Child, we will take legally permissible measures to remove that information from our records. The Company will require the user to close his or her account and will not allow the use of our products and services. If you are a parent or guardian of a Child, and you become aware that a Child has provided personal information to us, please contact us at info@cryppo.com and you may request to exercise your applicable access, rectification, cancellation, and/or objection rights.

Contact Information

Any questions, complaints, comments and requests regarding this Privacy Notice are welcome and should be addressed to support@cryppo.com .

Data Protection Authorities

If you are not satisfied with our response to your complaint, you have the right to submit a complaint with our Support Team or Legal Department by:

Email: info@cryppo.com

Phone number: +393335749386

Address: Perkūnkiemio g. 13-91, 12114, Vilnius, Republic of Lithuania

‍