This Privacy Policy for Cryptus platform is adopted by OpenGate Technology OÜ (Estonian company, registry code 14417867, address Narva mnt 7b, 10117 Tallinn, Estonia, e-mail info@cryptus.io, phone no (+372) 635 5108) (Cryptus, we, us and our). Cryptus is the owner and operator of the website at https://cryptus.io/, its subdomains (Web Site), and the web-based Cryptus platform, including the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (hereinafter collectively the Platform).

Unless otherwise defined in this Privacy Policy, the terms used in Privacy Policy are used in the meaning given to them in Cryptus Terms and Conditions, available at https://cryptus.io/terms.html and/or in the meaning given to them in Article 4 of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

As this Privacy Policy sets out the principles of processing your personal data by Cryptus when you use our Platform, please read the Privacy Policy carefully.

If you have any questions about how we process your personal data or if you wish to submit an application for exercising your rights related to processing your personal data, please contact us through the contact information provided in the section "Contacts" below.

1. DEFINITIONS
“Personal data” Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of such a record as the name, personal identification code, place of location information or network identifier, or on the basis of one or more physical, physiological, genetic, mental, economic, cultural or social identities.
“Data subject” or “User” Natural peson who uses Cryptus Services or whose personal data is processed by Cryptus.
“Processing” Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data controller” Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Privacy Policy, Cryptus is the data controller of its Clients' personal data.
“Data Processor” Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Services” Any services provided by Cryptus via our Platform from time to time, including digital currency wallet service, service of exchanging digital currency against fiat currency and service of exchanging digital currency against another digital currency offered by Cryptus.
2. WHY WE PROCESS PERSONAL DATA AND WHAT PERSONAL DATA DO WE PROCESS?
  1. When you have opted to use our Platform, we need to process your personal data to enable the Services to you via our Platform.
  2. Cryptus uses a two-step registration process and the types of data we process and collect about you depend on the registration process.
  3. During the first step, we ask and process personal data that we need to create and register the User account for you for using our Services. During this first step we ask you to submit us the following data:
    1. general personal information: first name; last name;
    2. contact information: email address (which will also be your username for using Cryptus Platform) and password.
  4. During the second step, we ask and process personal data that we need to complete the registration and that we are required to process in order to provide you the Services according to applicable laws, including pursuant to applicable money laundering and terrorist financing prevention regulations. During this first step we ask you to submit us the following data:
    1. general personal information: client type (natural person/legal person); gender, personal identification code, date of birth, legal capacity, nationality, citizenship;
    2. contact details: such as address, email address, telephone number;
    3. identity document details: name of the document (for example, passport/ID card/driver’s license, etc), issuing country, document number, expiry date;
    4. facial recognition data and biometric data: photos, videos and sound recording, photographs taken from you and your document and/or video and sound recording, biometrical data, such as facial identifiers, provided that processing of such data is necessary during verification process of your identity.
  5. During your use of the Platform and the Services, we might also process following data about you regarding which the exact types of data we process depend on how exactly you use the Services and Platform:
    1. transaction data: date or period and a description of the substance of the transaction(s) made by you via our Platform; details of your bank / payment institution, payment cards and details of payment instruments you have used and disclosed on the Platform in the course of using the Services;
    2. business relationship data: information on the circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures, if applicable; information on refusal to establish a business relationship or make an occasional transaction, if applicable; the circumstances of a waiver to establish a business relationship or make a transaction, including an occasional transaction, on the initiative of the person participating in the transaction, the person using an official service or the customer where the waiver is related to the application of due diligence measures by Cryptus; information serving as the basis for the duty to report in case of suspicion of money laundering and terrorist financing under the applicable law.
    3. technical data: technical information we need in order to identify the User and prevent the use of the Services and Platform for malicious and illegal purposes, including your IP address, network and device time zone difference, network and communication service provider’s location difference, network and browser time zone difference, browser status, SDK emulator usage, jailbroke device usage, virtual media device usage, VPN usage, data center usage, etc.
  6. For more detailed information on the exact categories of personal data processed by Cryptus about you, please contact us using the contact details provided below in Section “Contacts”.
3. WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?
  1. We process your personal data to provide Services to you (please read Cryptus Terms and Conditions). Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  2. We also process your personal data when processing is necessary for compliance with a legal obligation to which Cryptus is subject to. Legal basis for such data processing is GDPR art 6-1-(c). For example, we are required to comply with is Estonian Money Laundering and Terrorist Financing Prevention Act (MLTFPA), primarily Sections 46, 47 and 49 of the MLTFPA, and with applicable accounting legislation.
  3. In certain specific situations we might also process your personal data where processing your personal data is necessary for the purpose of our legitimate interests pursued by us. Legal basis for such data processing is GDPR Article 6-1-(f). In such a case we shall ensure that processing is proportionate and that we have carried out legitimate interest impact assessment. For example, for the purpose of our legitimate interest we analyze how our Services and Platform are used by our customers so we can provide better service. For the purpose of our legitimate interest we might also process personal data to operate, manage and improve our Platform and/or our business; contact you to respond to your requests or enquiries; ensuring the security of the Platform and our systems and networks; prevent, investigate or provide notice of fraud, physical harm, financial loss, unlawful or criminal activity, or unauthorized access to or use of personal data, the Platform or our data systems; or to enforce our Terms and Conditions.
  4. In certain specific situations we may also process your personal data based on your consent. Legal basis for such data processing is GDPR Article 6-1-(a). In those situations, we process your personal data on the terms as provided in the consent that you have granted to us.
4. WHEN DO WE SHARE YOUR PERSONAL DATA?
  1. To the extent this is necessary for the provision of our Services, we may share your personal data with certain third parties.
  2. We may share and disclose personal data about you (a) if we are required or permitted to do so by law or legal process, for example due to a court order or a request from a law enforcement agency, (b) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, (c) in connection with an investigation of suspected or actual fraudulent or other illegal activity, and (d) in conjunction with (i) the making, management, or disposition of any of our investments, (ii) business continuity, or (iii) to successors in interest or entities that acquire all or part of our business in connection to a corporate sale, merger, reorganization, dissolution or similar event.
  3. We may share your personal data with service providers that perform Services (or part of the Services) on our behalf such as IT service providers, analytics providers or hosting providers. In accordance with applicable law, we have entered into legally binding agreements requiring them to use or disclose personal data only as necessary to perform services on our behalf or, where permitted by law, to comply with applicable legal requirements. At the moment of adopting this Privacy Policy, we use the following core service providers:
    1. Veriff identity verification platform provided by Veriff OÜ (registered in Estonia, company code 12932944, registered address Niine st 11, Tallinn 10414, Estonia). Privacy Policy adopted by Veriff OÜ is available at https://www.veriff.com/privacy-policy;
    2. Microsoft Azure cloud server provided by Microsoft Corporation, registered in US. Privacy Statement adopted by Microsoft Corporation is available at https://privacy.microsoft.com/en-us/PrivacyStatement.
  4. We may also transfer your personal data to third countries, i.e. countries outside the EU/EEA area, for the purposes explained in this Privacy Policy. When transferring your personal data to third countries, we will ensure that the transfer is subject to appropriate safeguards under GDPR and that your rights are protected, meaning that:
    1. the country to which the personal data will be transferred has been granted an adequacy decision by the European Commission; or
    2. we have put in place other appropriate safeguards in respect of the transfer, for example the EU Model Contracts.
  5. You may request a copy of the safeguards that we have put in place in respect of transfers of personal data by contacting via contact details provided below in Section “Contacts”.
5. HOW LONG IS YOUR PERSONAL DATA RETAINED?
  1. Cryptus does not retain personal data longer than it is necessary for the purposes of processing personal data or pursuant to applicable law.
  2. Personal data related to the use of our Platform can be retained during the term of the contract and based on our legitimate interest pursuant to Article 6 (1) (f) of the GDPR until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Cryptus retains your personal data as long as it is necessary for the provision of the Services during the term of the contract concluded between you and Cryptus and for 3 years after the term of the contract. In this regard, as a general rule, if you have not used our Platform for 3 years (you have not logged in to your profile on our Platform for 3 years), your profile and all personal data therein will be deleted, unless we are permitted or required to retain your data during longer period.
  3. Also, pursuant to statutory law, Cryptus is required to retain certain personal data about you during the retention periods as provided by applicable law. In this regard, pursuant to Estonian Accounting Act, we retain accounting documents for 7 years. Pursuant to Estonian Money Laundering and Terrorist Financing Prevention Act, we retain the originals or copies of the documents collected for the purpose of identification of persons and verification of submitted information as well as the documents serving as the basis for the establishment of a business relationship for no less than 5 years after the termination of the respective business relationship with you in which regard the data was collected.
  4. For more detailed information on the exact retention periods for your personal data processed by Cryptus, please contact us using the contact details provided below in Section “Contacts”.
6. HOW DO WE PROTECT YOUR PERSONAL DATA?
  1. To protect your personal data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, we use appropriate technical and organizational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents, retaining log files, etc.
7. COOKIES
  1. Our Platform uses cookies. This section incorporates our cookie policy (the Cookie Policy) that applies when you use Platform.
  2. Cookies are small data files stored on your hard drive by a website. Cookies help us monitor and improve the functionality and usage of our Platform and your experience on Platform. We can use cookies to see which areas and features are popular and to count visits to our Platform to recognize you as a returning visitor and to tailor your experience of the Platform according to your preferences. We may also use cookies for targeting or advertising purposes.
  3. We use following type of cookies on our Platform:
    1. Strictly necessary cookies, that are essential in order to enable you to move around and navigate on Platform and use the features of Platform.
    2. Functional cookies, that record information about choices you have made and allow to tailor Platform. Functionality cookies remember choices you make such as language preference, country location, or other online settings and provide personalized or enhanced features that you select, so that next time you visit you won’t have to enter all this information again.
    3. Statistics cookies, that record information about the way our Platform is used, to acquire knowledge on how often our Platform is visited, where on our Platform our visitors spend the most time, how often they interact with a page or part of a page, this allows us to make the structure, navigation, and content of our Platform as user-friendly as possible.
    4. Advertising cookies, to help measure the delivery and the performance of advertising campaigns and limit the number of times you see an advert. Third-party targeted advertising cookies may be placed on your device by third-party advertisers, ad networks, data exchanges, marketing analytics and other service providers.
  4. The specific cookies that Platform uses are the following:
    Name Purpose Retention period
    _ga Registers a unique ID that is used to generate statistical data on how the visitor uses the website 2 years
    _gat Used by Google Analytics to throttle request rate 1 day
    _gid Registers a unique ID that is used to generate statistical data on how the visitor uses the web site 1 day
    _hjid Sets a unique ID for the session. This allows the web site to obtain data on visitor behaviour for statistical purposes 1 year
    _hjid Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes Persistent
    _fbp Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers 3 months
    _hjIncludedInSample Determines if the user's navigation should be registered in a certain statistical place holder. Session
    ads/ga-audiences Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites Session
    cid Optimises ad display based on the user's movement combined and various advertiser bids for displaying user ads 2 months
    fr Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers 3 months
    tr Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers Session
    uid Registers a unique user ID that recognises the user's browser when visiting web sites that use the same ad network. The purpose is to optimise display of ads based on the user's movements and various ad providers' bids for displaying user ads 2 months
    _hjTLDTest To check whether user’s browser has cookies enabled Session
  5. You can delete or block cookies on Platform through your browser settings at any time. However, some cookies might be necessary for the functionality of Platform. Therefore, you understand that when blocking or deleting the cookies some features of Platform might not function correctly.
  6. For more general information about cookies including the difference between session and persistent cookies please see www.allaboutcookies.org.
  7. We also use of widgets for social media which allows users access content on different social media platforms (among others: Facebook, Instagram, YouTube, LinkedIn). To better understand how and what information is collected via social media and what cookies are used by such third party, please see the current privacy policy for each of the social platforms respectively.
  8. In case you have any question concerning Cookie Policy, please contact us using the contact details provided below in Section “Contacts”.
8. YOUR RIGHTS
  1. Cryptus is dedicated ensuring that all data subject rights arising under applicable law are always guaranteed to you. In particular, any data subject has:
    1. the right to access the personal data that Cryptus processes about you, including to request confirmation of whether we process personal data relating to you and, if so, to request a copy of that personal data;
    2. the right to request that Cryptus rectifies or updates any inaccurate, incomplete or outdates personal data about you;
    3. the right to request Cryptus to erases your personal data and/or restricts of processing of your personal data if we do not have valid legal basis for processing;
    4. the right to receive your processed personal data in a structured, commonly used and machine-readable format and have the right to transmit your personal data to another controller;
    5. the right to object to certain of our data processing, such as for direct marketing purposes;
    6. where you have given us consent to process your personal data, to withdraw your consent.
  2. If you believe that your rights have been infringed, you may contact and lodge a complaint to the supervisory authority applicable for your jurisdiction (in Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), address Tatari 39 10134 Tallinn, phone +372 6828 712, email: info@aki.ee, website: http://www.aki.ee/). Contact details for data protection supervisory authorities in other EU member states are available at https://edpb.europa.eu/about-edpb/board/members_en.
9. GOVERNING LAW AND JURISDICTION
  1. This Privacy Policy shall be governed by the laws of the Republic of Estonia. Any disputes arising from these Privacy Policy shall be settled in the Harju County Court in the Republic of Estonia, unless you have a right to turn to the court of your residence pursuant to statutory law.
10. CONTACTs
  1. If you have any questions about this Privacy Policy or Cookie Policy or if you have any concerns about how we use your personal or if you want to exercise your rights as described above, you may contact us via e-mail or in writing using the following contact information:

Company name: OpenGate Technology OÜ
Phone: +372 635-51-08
E-mail address: info@cryptus.io
Address: Narva Road 7B, 10117 Tallinn Estonia