Privacy Policy
Welcome to Our Privacy Policy!
We value and respect your privacy, and we are committed to transparently communicating how we handle your Personal Data.
Your privacy is of paramount importance to FintechX OÜ, located at Pärnu mnt 31, 10119 Tallinn, Estonia, with company number 14424637 (referred to as Kriptomat, “we,” and “us”), which operates the website www.kriptomat.io (the “Website”) and the Kriptomat application (both together referred to as the “Website”).
We are the data controller of your personal data, meaning we determine the purposes and means of the processing when you visit our Website, our application, and/or use our Services.
This Privacy Policy (the “Policy”) provides information to whom it applies, grounds for data processing, data processing description, regulatory requirements and specifics, and other information to transparently and comprehensively inform you about all aspects of privacy, including your limitations and rights.
If this Policy does not meet your needs, we kindly ask you not to use our Service. By continuing to visit our Website it will be considered that you accept this Policy. As a user of our Services, you will be informed about this Policy when registering. If you do not accept it, you will not be able to register and/or use our Services. Should you have any questions please reach out to our legal team at [email protected] or our data privacy officer at [email protected].
This Privacy Policy may be revised, modified, updated, or supplemented at any time, without prior notice, at our sole discretion. When we make changes to this Privacy Policy, we will notify all users on our Website and make the amended Privacy Policy available on our Website. By continuing to use our Services you will be considered to have accepted the changes.
This Privacy Policy is an integral part of the Kriptomat Terms of Service and is of an informative nature.
Definitions
To help you understand this Privacy Policy, we have provided definitions for some of the terms used throughout the document:
Account: Your personalised interface on the Kriptomat platform, allowing you to access our Services.
Adverse Media: Negative news or information about an individual or entity that may indicate involvement in criminal activity or other risks.
Blockchain: A decentralised digital ledger that records transactions across a network of computers.
CCO: Chief Compliance Officer, the person responsible for ensuring that Kriptomat complies with relevant laws and regulations.
Cookies: Small text files placed on your device by websites to improve your experience and collect information about your usage.
Crypto Asset: A digital representation of value that uses cryptography for security and operates on a blockchain.
Data Controller: The entity (in this case, Kriptomat) that determines the purposes and means of processing your personal data.
Data Processor: A third-party entity that processes personal data on behalf of Kriptomat.
Data Region: A set of data centres located within a defined geographical area where user data is stored.
Data Subject: An identified or identifiable natural person (individual) to whom Personal Data relates and who has registered him/herself via the Website.
DPO: Data Protection Officer, the person responsible for overseeing Kriptomat’s data protection practices and ensuring compliance with GDPR.
EEA: The European Economic Area, which consists of the European Union member states plus Iceland, Liechtenstein, and Norway.
Estonian AML Act: National legislation transposing the EU’s anti-money laundering directives, which requires specific data retention and reporting obligations for financial institutions.
FIU: Financial Intelligence Unit, the Estonian authority responsible for combating money laundering and terrorist financing.
Fiat Currency: A government-issued currency, such as the euro or US dollar.
GDPR: The General Data Protection Regulation, the legal framework for data protection in the European Union.
Identity Verification (KYC) Process: The process of verifying the identity of a customer to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
Kriptomat, We, Our: FintechX OÜ, the company operating the Kriptomat platform and providing the Services.
KYC: Know Your Customer, the process of verifying the identity of our customers to comply with anti-money laundering regulations.
Legitimate Interest: A lawful basis for processing Personal Data when it is necessary for the purposes of the legitimate interests pursued by Kriptomat or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
MiCAR: The Markets in Crypto-Assets Regulation, a new EU regulation expected to come into force in 2024, which will impact data protection in the crypto sector.
Personal Data: Any information that can be used to directly or indirectly identify you as an individual. This includes your name, email address, identification documents, transaction history, and other information you provide while using our Services.
Politically Exposed Person (PEP): An individual who holds a prominent public function or has been entrusted with a prominent public position.
Processing: Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
Sanctions List: A list of individuals or entities subject to restrictions or prohibitions due to their involvement in activities such as terrorism, money laundering, or human rights abuses.
Services: The services provided by Kriptomat, which include the exchange of crypto assets for fiat currency or other crypto assets, the provision of a crypto-asset wallet, and crypto-asset transfer services.
Transaction Monitoring: The process of monitoring customer transactions to detect and prevent suspicious activity that may be indicative of money laundering or other financial crimes.
Travel Rule: A regulatory requirement that obliges us to share specific information about crypto-asset transfers with other service providers.
User, You: Refers to you as a user of Kriptomat’s services.
Website: The Kriptomat website and mobile application through which our Services are provided.
1. What is Personal Data?
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, and similar, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
As we receive personal identification data, such as ID documents, as well as certain economic data, it is important for you to understand how we treat your data and the purposes for which we process it.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Through this Policy, we aim to inform you about how we process the personal data collected through our website and application. This includes details about the personal data we collect, the reasons for collecting it, the legal grounds for the collection, how we use and disclose it, your choices, and your obligations and rights considering privacy matters.
2. Contact Information
If you have any questions concerning this Policy or the processing of your personal data, you can contact our Data Protection Officer via the email [email protected].
3. Validity and Termination
By clicking the “I confirm that I am at least 18 years old and I agree to the User Agreement and accept the Privacy Policy” button during the registration process, you confirm that you accept this Policy, which is mandatory for using our Services and becoming our customer.
This Policy applies to you either as an individual user or as a legal or authorised representative, or ultimate beneficial owner (and altogether “User”, and/or “You”).
If you are solely visiting the Website, our Cookie Policy applies to you as it does to all Website visitors. Our Cookie Policy includes information on the different types of cookies we use, and your active consent will be required for all non-essential cookies. We use cookies and other tracking technologies to ensure the Website and our application are working smoothly, and for other purposes, for example, to improve or enhance user experience, for marketing or analytical purposes, and similar.
This policy is valid for as long as you use our Services, and ceases to be valid when you stop using our Services.
Since we are subject to AML legislation, we have certain reporting and data retention obligations even after the termination of the business relationship with you, and some of your rights (e.g. the right to deletion) may also be limited.
4. About us
Kriptomat is a crypto asset service provider, providing its business based on a termless license, issued by the Estonian Ministry of Finance, Financial Intelligence Unit (“FIU”), No. FVT000310 for the provision of the following services (the “Services”):
- Providing services for exchanging crypto assets against a fiat currency;
- Providing services for exchanging crypto assets against other crypto assets;
- Providing a crypto asset wallet service;
- Providing a crypto asset transfer service.
Services are provided through our Website www.kriptomat.io or mobile app (the “Services”).
Any information received from you while using our Services is treated as confidential. All information is stored securely and is accessed by authorised personnel only. We implement and maintain appropriate technical, security, and organisational measures to protect personal data against unauthorised or unlawful use, and against accidental loss, destruction, damage, theft, or disclosure.
5. Legal grounds for collecting personal data
We process your Personal Data on the following grounds:
- Processing is necessary for the performance of Services and entering into a business relationship with us;
- To assure compliance with legal obligations to which we are subject, especially, but not exclusively, anti-money laundering and counter-terrorist financing legislation;
- We have a legitimate interest;
- You have given consent to the processing of your personal data for specific purposes.
We collect your Personal Data:
- Directly from you during the registration and identification verification process (know-your-customer process), or when using our Services, and by communicating with you;
- From third-party sources (e.g. automatic data extraction regarding political exposure, reputation, sanctions …)
- By automatic collection when using our Services (device information, IP address, location detection,
Upon processing Personal Data we follow the following principles:
- legality and fairness – personal data are processed legally and fairly;
- purposefulness – personal data are collected for specified, explicit, and legitimate purposes and they shall not be processed in any manner that is incompatible with these purposes;
- quality – personal data must be adequate and appropriate and must not be excessive given the purposes of the data processing;
- accuracy – personal data must be accurate and, if necessary, kept up to date;
- retention – personal data are retained in a format that enables identification of the data subject only for as long as this is necessary for the achievement of the purpose for which the personal data is processed;
- security – personal data are processed in a manner that ensures appropriate security thereof, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
6. Personal data processing for Website visitors
This section applies if you are visiting our Services as well as if you are a user of our Services in the scope of collecting personal data when visiting our Website.
We may collect, record, and analyze information about our Website visitors. The table below gives the breakdown of the personal data collected, the purpose of processing, and other important information on the processing of personal data collected during your Website visit.
Personal data | Your IP address; geographical location; browser type and version; operating system; referral source; length of visit; page views and website navigation paths; information about the timing, frequency, and pattern of using the Website; personal data that was voluntarily and with your consent given to us through our Website’s forms, such as when you sign up for information and newsletters. The source of the usage data is our analytics tracking system. |
Purpose of processing personal data | Analysing the use of the Website and improving users’ experience, performance, and future development; communicating with Website visitors; customising content; showing ads on other websites; improving our Website by analysing how visitors navigate the Website |
Legal basis | Our legitimate interest in monitoring and improving our Website and Services and/or your consent |
Sharing and storing personal data | We may also share information with service vendors or contractors to provide a requested service or transaction or to analyse visitor behaviour on our Website. |
You can unsubscribe from the newsletter anytime by clicking the unsubscribe button at the bottom of the email. You can also send us an e-mail to [email protected] and ask us to unsubscribe you or contact our customer support team via our Website directly.
If you provide us with your social media details, we may retrieve publicly available information about you from social media. We use such information to provide a better user experience, for example by enabling you to log in to our Website with your Facebook profile.
Cookies
Cookies are files (small pieces of data) sent by web servers to web browsers and downloaded to users’ hard disks. They serve to improve your experience and to ensure the Website and apps work smoothly, providing the functionalities you need (necessary cookies) or choose to enable. Cookies cannot be used to run programs or deliver viruses to your computer. By using our Website, you agree to the placement of cookies on your device. If you choose not to accept our cookies, we cannot guarantee that your experience will be as fulfilling as it would otherwise be. We may also place cookies from third parties for functional and marketing purposes. The use of cookies is widespread and benefits the Website user. For further information, see our Cookie Policy.
Links to other websites
Our Website may contain links to other websites, such as (but not limited to) Facebook, LinkedIn, GitHub, Twitter, and other third-party websites. If you click on such a link, you will be directed to that site. Note that these external sites are not operated by us. We strongly advise you to review the Privacy Policy of any third-party website you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.
Geographical location of collection and storing Personal Data
We may share such information with service vendors or contractors to analyze the Visitor behaviour on the Website.
Our Website runs on servers in European data regions. Our “Data Region” is a set of data centres located within a defined geographical area where user data is stored. Personal data is not transmitted to other Data Regions. All Website visitors’ personal data is located in the European Data Region, and all Personal Data is processed in the EEA. Data collected automatically by third parties (Google Analytics) may be stored outside the EU.
Third-party Plugins
In addition, Website visitors can also sign up to Disqus, or log in with Facebook, Twitter, or Google and share their likes and comments. We use these plugins and are not considered the primary controller of the personal data. The primary controllers are Facebook, X, Google, and Disqus.
With respect to operations involving the collection and disclosure of data, we can be considered as a joint controller with Facebook, Instagram, Google, and Disqus with respect to the collection and transmission of certain personal data of visitors to their websites.
7. Personal data processing breakdown for users of our Services
Personal data we collect during registration
The first step in becoming our client is registering – creating an account. During the registration, you provide us with the following personal data:
- Name and Surname
- Email address
- Password (you create during the registration process)
- Account actions activity log
- IP address
- Mobile phone number
Our services are not intended for children under 18 and we do not knowingly collect data from minors.
Legal grounds for personal data processing:
The Personal Data are obtained on the grounds of entering into a business relationship with us.
Personal data we collect during Identity Verification Processes
To be able to use our Services you are required to complete our identity verification process during which you provide us with the following Personal Data:
- Colour photo of a personal ID document and ID document details
- Full name and address
- Account actions activity log
- Date of birth
- Country and Place of Birth
- Nationality
- Picture or Liveness video (biometric data)
- Device IP address
- Background screening check data performed by background check providers (outcome data from screening for identification of Politically Exposed Persons, their Relatives and Close Associates, Persons and Entities of Special Interest, persons on a Sanctions list or Watchlist, and Adverse Media)
- Data from the Client Information Questionnaire (among others, the purpose of opening an account with us, estimated transaction value per certain period, and source of funds)
Legal grounds for Personal Data processing:
The Personal Data are obtained to ensure compliance with legal requirements.
Personal data we collect for account set-up, management purposes, and providing various features within the account
In the scope of account set-up, account management, and providing various services/features within the account (such as price alert notifications, the auto buy and auto sell feature, vault, intelligent portfolios, and others as offered by Kriptomat from time to time), we process the following personal data:
- IP Address
- Email address
- Logging into the Account
- Two-factor authentication management
- Account functionality management (updating information, disabling and re-enabling account features)
- Account Termination
- New device detection and new device confirmation process
- Password reset
Legal grounds for personal data processing:
The personal data are obtained on the grounds of providing our contractual obligations.
Personal data we collect for transaction implementation & monitoring
In the framework of transaction implementation, i.e. the deposit and withdrawal of fiat or crypto assets and the purchase or sale of crypto assets, we process the following Personal Data, subject to the type of payment and transaction:
- Name and surname
- Bank account information
- Your dedicated Account reference number
- Deposit and withdrawal crypto wallet address
- Transaction details
- Credit card data (credit card holder name, credit card number, expiry date, CVC Code)
- ID confirmation photo (selfie photo in which you confirm you do not cooperate with third parties and that you are making the transaction on your initiative)
- Data from the Client Information Questionnaire
- Transaction information, including information obtained with Blockchain analytic transaction monitoring tools (Blockchain transaction reports)
- Computer or mobile device information (IP address, operating system, browser type, settings)
- Information on the geolocation
- Background check (managed through background check providers, ongoing monitoring)
- ID device detection and new device detection
- Remote access detection data
- Birth date and age
- ID document, validity
- Address
- Source of income information (EDD check)
Under the scope of monitoring, we process your personal data in the following way:
- Data exchange with payment service providers
- Withdrawal address whitelisting and blacklisting
- Email address
- Sending and receiving information from counterparty exchanges (travel rule)
- Sending your full name or crypto wallet address to our blockchain analytical transaction monitoring partners for fraud prevention purposes (reporting fraud-related information for prevention and identification)
- Ongoing monitoring for background checks and ID document validity
Legal grounds for personal data processing:
The personal data are obtained on the grounds of providing our contractual obligations and compliance with legal obligations.
Personal data we collect and process for Travel Rule
Following the Travel Rule, we are required to pass on the following information to the next crypto asset service provider: originator name, type (individual person or legal entity), transaction identifier, and residential address.
Legal grounds for personal data processing:
The personal data are obtained to ensure compliance with a legal obligation (the Travel Rule).
Personal data we collect for providing customer support and managing complaints
Under the scope of customer support and complaint management, we process data as required by your support request or complaint. We may therefore process any personal data obtained from you on the legal basis of fulfilling our contractual or legal obligations.
Personal data we collect for internal control, fraud prevention, Internal and external audit
Following regulatory requirements as well as internal policies, we may process your personal data for the implementation of control measures, internal and external audits, and the prevention of fraud and financial crime. This processing is based on legal requirements or legitimate interest. As part of an audit, we may perform sample checks, in which case we might access your data on a random basis for the purpose of internal control or external audit.
Under the scope above the following personal data are processed:
- Name and Surname
- Address
- Country
- Transaction data
- Device ID
- Information on the crypto portfolio held with us
- Login data
- All the data obtained during the know-your-customer process and ongoing monitoring
- Transaction monitoring data
- Computer or mobile device information (IP address, operating system, browser type, settings)
- Information on the geolocation
- ID device detection and new device detection
- Remote access detection data
Reporting to competent authorities and providing information based on disclosure requests
We are required to submit reports on suspicious transactions to the competent financial authority, as well as provide regular or ad-hoc reports as required by competent authorities. Further, we receive disclosure requests from law enforcement authorities and lawyers or others based on the power of authority.
In the scope of the above the following Personal Data may be processed subject to individual reporting requirements or disclosure requests:
- Name and surname
- Email address
- Date of birth
- Nationality
- Phone number
- Selfie photo provided during the onboarding process
- Copy of ID document
- Bank account details
- Deposit and withdrawal crypto wallet address
- All the data obtained during the identification process
- Transaction data
Legal grounds for personal data processing:
The personal data are obtained to ensure compliance with legal requirements.
Direct Communication
We may contact you directly via email or in-app push notifications to update you about our products and services, either for promotional/marketing, informative, or security purposes. We may do that either based on legitimate interest or based on your consent.
At any time you can opt out by clicking on the “unsubscribe button” available at the bottom of every email.
In the scope of the above the following Personal Data may be processed:
- Name and surname
- Country of residence
- Email address
- Information on your account activity
- Transaction information
- Information about the Crypto portfolio held in your Kriptomat account
- Device information
Legal grounds for personal data processing:
The personal data are obtained based on legitimate interest or consent.
Internal Analytics
To provide you with the best user experience and to evaluate our services, we process your data; where possible, your data is pseudonymised.
Legal grounds for personal data processing:
The personal data are obtained based on legitimate interests or consent.
Personal data we process based on your consent
In cases where we do not have a legal basis for processing personal data, we will ask for your explicit consent, which shall be collected via our Website. Kindly note that any consent will be entirely voluntary. However, if you do not grant the requested consent to the processing of your Personal Data, the use of this website may not be possible or may be limited.
In some cases disclosure of your personal data is requested from third parties, in such a case such consent is actively required to be given by you for that specific purpose and you can always revoke it. However, all such personal data is processed by those third parties in accordance with their Privacy Policy.
Contractual obligation as the basis for processing personal data
In case you wish to use certain services or products offered by third parties, your personal data may be processed on a contractual basis, namely, data will be processed in the course of implementing contractual obligations and for the purpose of delivering the agreed services.
This includes transactions via banks and other financial institutions, and they might require disclosure of personal data involved in the transaction.
8. Disclosing your personal data
We may disclose your data to processors of personal data that perform services on our behalf, where those services involve the processing of personal data.
We cooperate with the following processors of personal data:
- Companies performing know-your-customer verification processes, background checks, and adverse media checks;
- Companies performing transaction monitoring services;
- Companies performing payment processing (card acquiring, banking partners, payment orchestration);
- Cloud service providers;
- IT maintenance service providers;
- Customer Support Software solution providers and other companies providing technical solutions, which involve the processing of Personal Data;
- Audit service providers in the scope of implementing audit services.
9. Retention and deletion of Personal Information
This Policy aligns with GDPR, MiCAR, and Estonian AML Act requirements, detailing the types of personal data subject to retention and deletion and the processes involved. We will not retain data longer than is necessary to fulfil the purposes for which it was obtained or as required by applicable laws.
You can request the deletion of your personal data through specified channels such as email ([email protected]) or our customer support platforms. The DPO will verify the identity of the requester and process the request within regulatory timeframes, typically 10 working days. Communication regarding the status of the request will be provided to the client, including reasons for any delays or partial deletions due to legal obligations.
Data Retention Periods
The Company retains personal data only as long as necessary for the purposes for which it was collected, to comply with legal obligations, or to fulfil legitimate business interests. The retention periods for different categories of data are as follows:
- KYC Data: Retained for 5 years following the termination of the business relationship or until the resolution of any ongoing legal proceedings, whichever is longer.
- Transactional Data: Retained for 10 years, aligning with the maximum statutory limitation period under Estonian law, plus an additional buffer period of 3 months.
- Technical and Operational Data: Retained for 5 years following the end of the business relationship.
- Marketing Data: Retained for 2 years for inactive clients and promptly deleted upon withdrawal of consent.
Data Deletion Process
The Company will implement a process to ensure that all personal data is automatically deleted upon reaching the end of the specified data retention period. This automation will help ensure compliance with data protection regulations and minimise the risk of retaining data longer than necessary.
10. Location of your personal data
All Personal Data collected and processed within the KYC procedure is stored on servers in European data regions.
Our services are provided in accordance with AML regulations, meaning you will not be able to delete this data or invoke the right to be forgotten. Your data is encrypted, meaning it is encoded (anonymized).
You acknowledge and expressly accept that by the nature of the blockchain technology, it is not possible to delete personal data from the blockchain and invoke the right to be forgotten. You also agree that by the nature of the technology, it is not possible to keep personal data within the EU borders.
Information shared through our support channel is stored outside the EU, in the United States of America, in accordance with the requirements applicable to the transfer of data to third countries.
11. Security of Personal Information
We use a variety of security measures to ensure the confidentiality, integrity, availability, and privacy of your Personal Information and to protect your Personal Information from loss, theft, unauthorised access, misuse, alteration, or destruction. These security measures include, among others:
- Password-protected directories and databases.
- Secure Sockets Layer (SSL) technology to ensure that your information is fully encrypted and sent across the Internet securely.
- Active vulnerability scanning to protect our servers from attackers and known vulnerabilities.
- Regular penetration testing.
- Secure coding principles.
- Encryption of sensitive data during transfer and at rest.
- 2-factor authentication.
- Logging of activities performed in the platform.
- Access controls and
- other measures to mitigate risks identified during the risk assessment process.
All financially sensitive and/or credit information is transmitted via SSL technology and encrypted in our database. Only authorised KRIPTOMAT personnel are permitted access to your Personal Information, and these personnel are required to treat the information as highly confidential. The security measures will be reviewed regularly in light of new and relevant legal and technical developments.
12. Access right to your personal information
You have the right to access your Personal Information to correct, update, and block inaccurate and/or incorrect data. To exercise this right, contact us at [email protected].
13. Data Protection Authorities
Country | Name | Website | Email |
Estonia | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | https://www.aki.ee/en | [email protected] |
France | Commission Nationale de l’Informatique et des Libertés (CNIL) | https://www.cnil.fr/en | [email protected] |
Greece | Hellenic Data Protection Authority | https://www.dpa.gr/ | [email protected] |
Spain | Agencia Española de Protección de Datos (AEPD) | https://www.aepd.es/ | [email protected] |
Poland | Urząd Ochrony Danych Osobowych (UODO) | https://uodo.gov.pl/en | [email protected] |
Croatia | Agencija za zaštitu osobnih podataka (AZOP) | https://azop.hr/ | [email protected] |
Last update: 16 July 2024
Previous update: 20 June 2022