Cryptus OÜ Privacy Policy

Cryptus provides virtual currency wallet service, service of exchanging a virtual currency against a fiat money and service of exchanging a virtual currency against another virtual currency (“Services”). While using our Services or communicating with us in any other way, the controller of your personal data is Cryptus OÜ (Sakala 16a-8, Tallinn, Estonia; registry code 14417867) (“Cryptus” or “we”).

The purpose of this privacy policy is to explain what we are doing to protect and respect your privacy. It describes how we collect, use, and protect your personal data and what are your rights regarding the use of your personal data.

We may update this privacy policy from time to time. When we do and when required by law, we will communicate the changes to you. The latest version of this privacy policy is always accessible on our website.

If you have any questions about your personal data or this privacy policy, please contact our data protection officer at support@cryptus.io.

How and what kind of personal data we collect?

The GDPR applies to “personal data” meaning any information relating to an identifiable person who can be directly or indirectly identified. This privacy policy covers all personal data that you voluntarily submit to us and that we obtain from our partners or public databases or collect automatically.

We collect personal data to provide you with our Services. The personal data we require from you is either obligatory under law or it relevant for specified purposes. If certain personal data is not required under applicable law, it is your choice whether you would like to share this information with us. However, we may not be able to serve you as effectively or offer you all of our Services when you do choose not to share certain information with us.

We may collect the following types of information:

  • Personal identification information: name, age, date of birth, nationality, gender, signature, utility bills, visual images, phone number, home address, and/or email.
  • Formal identification information: copy and details of your personal identification document (national identity card, passport, driver’s licence, visa information).
  • Financial information: bank account details, transaction history.
  • Transaction information: information about the transaction you make using our Services (name of the recipient, the amount, timestamp).
  • Employment information: occupation, location of office.
  • Online identifiers: Geo location/tracking details, browser fingerprint, OS, browser name and version, and/or personal IP addresses.
  • Usage data: Survey responses, information provided to our support team, public social networking posts, authentication data, security questions, user ID, click-stream data and other data collected via cookies and similar technologies.

We collect your personal data mainly in the following ways:

  • data you provide in the registration form;
  • data generated by you when using our Services (for example, if you exchange currencies);
  • information that we receive from third parties;
  • information that we gather from publicly available sources;
  • automatically collected data (cookies, browser data etc.).
How we use your personal data?

We use the collected information to create, develop, provide, maintain, protect, and improve our Services, content and advertising, and for loss prevention and anti-fraud purposes. Any processing of personal data must be justified. We may use this information in the following ways under the applicable legal basis:

  1. Legal obligations

    Our Services are subject to laws and regulations requiring us to collect and use your personal identification information, formal identification information, financial information, transaction information, employment information, online identifiers, and/or usage data in certain ways.

    We must identify and verify customers using our Services in order to comply with anti-money laundering and terrorist financing laws across jurisdictions. In addition, we use third parties to verify your identity by comparing the personal information you provided against third-party databases and public records. We may require you to provide additional information which we may use in collaboration with service providers acting on our behalf to verify your identity or address, and/or to manage risk as required under applicable law.

  2. Performance of contract

    We process your personal data where it is necessary to enter into a contract with you for the provision of our Services or to perform our obligations under that contract.

    Processing of your personal data for the performance of a contract is necessary to assess and process applications for Services and to provide and administer Services throughout your relationship with us, including opening, setting up or closing your accounts; collecting and issuing all necessary documentation; executing your instructions; processing transactions, including transferring money between accounts; making payments to third parties; resolving any queries or discrepancies and administering any changes.

    We also process your personal data to provide you with customer service and communicate with you regarding the provision of Services.

  3. Legitimate Interest

    Legitimate Interest We may process your information where it is in our legitimate interests do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.

    We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business.

    We also process your personal information to better understand the way you use our Services and to provide a personalised experience. We use such information to customise, measure, and improve our Services and the content and layout of our website and applications, and to develop new services.

    Our interest as a business is to ensure that we provide you with the most appropriate products and services. For this purpose, we might process your information to send you relevant marketing information based on our Services that you have used. Based on your communication preferences, we may send you marketing communications to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with promotional offers based on your communication preferences. We use information about your usage of our Services and your contact information to provide marketing communications. You can opt-out of our marketing communications at any time.

How do we share your personal data with third parties?

We may employ the services of other parties for dealing with certain processes necessary for the operation of the Services. The providers of such services have access to certain personal data provided by you. Any personal data used by such parties is used only to the extent required by them to perform the services that we request. Any use for other purposes is strictly prohibited. We will never sell or rent your personal data.

  • We share your information with third party identity verification services, such as Veriff, in order to prevent fraud. These service providers usually process your picture, video image and copy of your identification document.
  • We may share your information with service providers under contract who help with parts of our business operations such as bill collection, marketing, and technology services. Our contracts require these service providers to only use your information in connection with the services they perform for us and prohibit them from selling your information to anyone else.
  • We share your information with financial institutions with which we partner to process payments you have authorised.
  • We may share your information with law enforcement, officials, or other third parties when we are compelled to do so by under law, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of applicable policies.
How do we use cookies?

Cookies are small files which are stored on a user's computer. Cookies are sent to your browser from the website and stored on your computer's hard drive. Like many websites, we also use "cookies" to collect information. We use cookies to collect data that helps us to track site usage and browsing behaviour, improve how our website performs, mitigate risks, enhance security and help prevent fraud. We also use cookies on our website to collect user interface data and time zone data.

How do we protect your personal data?

We strive to protect your information from unauthorised access, use, or disclosure. We use a variety of physical, technical and administrative measures designed to protect our systems and your personal data.

For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our rooms and files, and we authorise access to personal information only for those employees who require it to fulfil their job responsibilities.

How long do we store your personal data?

We will store your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes.

According to applicable law, we have an obligation to store your personal data which is necessary for identification and verification of persons to comply with anti-money laundering and terrorist financing laws no less than five years after termination of the customer relationship. This term may be extended on the basis of a precept of the competent supervisory authority up to ten years. We have an obligation to keep the data regarding your transactions no less than seven years for bookkeeping.

What are your rights concerning your personal data?

You have the following rights which can be exercised by contacting our data protection officer at support@cryptus.io.

The right to access your data

You have the right to access your personal data in our use at any time and ask us to provide you a copy of your personal data. You are also entitled to receive information regarding data processing objectives and retention periods.

The right to correct your data

You may always request us to rectify or update any of your personal data that is inaccurate. Your right to access and rectification shall only be limited where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.

The right to be forgotten

You have the right to request erasure of your personal data that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your personal information public and are obliged to erase the personal information, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other parties that are processing your personal information that you have requested the erasure of any links to, or copy or replication of your personal information. The above is subject to limitations by relevant data protection laws.

The right to object

Where the processing of your personal information is based on consent, contract or legitimate interests you may restrict or object, at any time, to the processing of your personal information as permitted by applicable law. We can continue to process your personal information if it is necessary for the defence of legal claims, or for any other exceptions permitted by applicable law.

The right to data portability

If we process your personal data based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal data in a structured, commonly used and machine-readable format, and to have us transfer your personal data directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal data.

The right to restrict processing of your personal data

You have the right to restrict processing your personal data where one of the following applies:

(a) You contest the accuracy of your personal data that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal data.

(b) The processing is unlawful and you oppose the erasure of your personal data and request the restriction of its use instead.

(c) We no longer need your personal data for the purposes of the processing, but it is required by you to establish, exercise or defence of legal claims.

Restricted personal information shall only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.

The right to lodge a complaint

If you feel that your personal data has been processed in a way that does not comply with the GDPR or other applicable laws, you have a specific right to lodge a complaint. If you wish to raise a complaint on how we have handled your personal information, you can contact our data protection officer who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the relevant data protection authority. In Estonia, the relevant data protection authority is the Estonian Data Protection Inspectorate.