1. GENERAL
Guaranteeing the security of your assets as well as your personal data is of paramount importance to us at CryptoUnity.
This Privacy Policy (“Policy”) outlines how CU Ltd. (“CryptoUnity” or “we”) are collecting, using, disclosing, or otherwise processing your Personal Data and what kind of rights you have and how you can exercise them. The Policy supplements the Terms of Service of the CryptoUnity and CU Ltd., where you have opened your Account.
The processing of Personal Data is performed in accordance with privacy rights and regulations following the General Data Protection Regulation (GDPR), together with the Slovenian Laws on personal data.
You are required to acknowledge and accept this Policy during the registration process. This will not be considered as consent for certain purposes of processing, which will be obtained independently.
CryptoUnity is not responsible for and shall have no liability whatsoever in connection with such third party’s processing of your information. We encourage you to review the privacy policies posted on those websites, applications, and services.
If you started registration for use of our products and services (created CryptoUnity Account) and you are using them, this Policy is applicable to you, regardless of if you are Individual User or an Individual whose Personal Data is processed within the scope of activity of legal entity (e.g. authorized representatives, ultimate beneficial owners) (“Corporate User”).
Term “User” refers to both Corporate Users and Individual Users.
In certain cases, this Policy is related also to those who browse through the website (e.g. information with regards to the use of Cookies) or their personal data is otherwise processed.
This privacy policy explains how CryptoUnity processes information that can be used to directly or indirectly identify an individual (“Personal Data”) collected through the use of its website and platform.
Any information stored on CryptoUnity platform is treated as confidential. All information is stored securely and is accessed by authorized personnel only. CryptoUnity implements and maintains appropriate technical, security, and organizational measures to protect Personal Data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft, or disclosure.
This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users; in other words, where we determine the purposes and means of the processing of that personal data. CU Ltd. processes Personal Data as a Controller. CU Ltd. which you entered an agreement with when using CryptoUnity Services, will be the Controller for your data. The data of Users, who performed an onboarding process, the Data shall be processed by a third party Processor (Sum and Substance). There will also be third-party users of personal data, as described in the Section 2 of this policy.
We will also ask you to agree to our use of Cookies in accordance with the Cookies Policy when you first visit our website.
Our website incorporates strict privacy controls which will have an impact on how we will process your personal data. By using the privacy controls, you can specify whether you would like to receive direct marketing communications and limit the publication of your information.
2. COLLECTION AND USE OF INFORMATION
CryptoUnity collects Personal Data:
a) Directly from you: for example, during the registration and onboarding, or when executing transactions or using our services, and when you communicate with us; and
b) By automatic collection, when you are using our services and it relates to certain computer, device, or browser information (e.g., IP address, device information); and
c) From third-party sources (e.g. reputational, financial information, and business activities of our Corporate Users).
You can find details about which Personal Data is processed and for which purpose and what is our legal basis for processing your Personal Data in this section.
We might modify this section when required, to ensure transparency or compliance with applicable legal and technical changes.
2.1. Registration of individual users
You need to create an Account prior to using the services provided by CryptoUnity, which includes:
- Confirming email and creating a password
- Providing relevant Personal Data; and
- Exchange of email communication.
If you are younger than 18 years or reside in countries where we do not offer exchange services, you will not be able to register, however, you will be able to use the educational part of our app. While this is automated decision-making, an objection is not possible since this is a condition for usage of our crypto exchange services.
In the registration process, we collect the following personal data:
- Email address,
- Password.
LEGAL BASIS for obtaining this information is Contract / Agreement to negotiate a contract.
2.2. Onboarding process
Anti-money laundering and counter-terrorist financing legislation (“AML”) requires us to perform Customer Due Diligence (KYC) prior to establishing a business relationship with you. For this purpose:
- You will need to provide us with certain Personal Data and documentation to verify your identity,
- We will perform screening through online tools and crossmatch this data with data we hold for the purposes of compliance with AML (e.g. reputational information, financial information and business activities of corporate customers screening),
- We might initiate contact with you to finalize the onboarding or verification (e.g. to request additional documents from you).
Similar AML requirements exist for individuals acting on behalf of Corporate Users (directors, ultimate beneficial owners, authorized representatives etc.).
The Users Data will be collected and processed by a third party – Sum and Substance, Ltd, with its registered office at Suite 1, 5 Percy Street, Fitzrovia, London, England, W1T 1DG (hereinafter Sum and Substance), who is a trusted partner of CryptoUnity for collecting and processing Users data on behalf of CryptoUnity. Sum and Substance is an experienced identity verification company that will process Personal Data for the purposes of the necessary KYC/AML procedures. Sum and Substance will obtain and process all the above-stated Personal Data, run KYC/AML procedures, and ensure compliance with the relevant AML legislation.
In the onboarding process, we collect the following personal data:
- Name,
- Surname,
- Address,
- Date of Birth,
- Country of residence,
- Nationality,
- Phone number,
- KYC Questionnaire Answers
- Verification Documents
- ID Documents & information
- Picture / Videos (biometric data)
- Reports by background check providers
- IP address.
Scope of the Personal Data depends on the nature of individual and AML requirements for specific entities and risk factors.
LEGAL BASIS for obtaining this information is Compliance with legal obligations provided by the laws.
2.3. Account Management & Updates
We will process certain Personal Data for the purpose of providing you with certain functionalities of your Account within the scope of provision of our services, including, but not limited to:
- Logging into the Account.
- Management of two factor authentication (“2FA”): setting, resetting, and removing 2FA.
- Forgotten password reset.
- Modification/deletion of data upon your request.
- Freezing your Account.
- Closing your Account.
- Deceased User Procedure.
For certain actions we might also require you to identify yourself, to prevent unauthorized access.
In these processes, we collect the following personal data:
- Email address,
- password,
- 2FA Key,
- IP Address,
- Data you wish to modify, depending on the operations you wish to conduct,
- ID document.
LEGAL BASIS for obtaining this information is Contract (enabling functionalities of your account).
2.4. Transaction management
You can conduct various transactions through your Account, including:
- Deposit/withdraw fiat or crypto assets.
- Trade with crypto (purchase and sell).
Performing transactions require the processing of certain Personal Data, otherwise, the transaction cannot be conducted. In the event our services are accessed by you via our partner, we may share with such partner additional information related to your request, as may be required to perform the service within the scope of the agreement between us and such partner.
In these processes, we collect the following personal data:
- Name,
- Surname,
- Transaction information,
- Bank Account information,
- Withdrawal/Deposit Address Information
- Quote Preview Information, Quote, Account Balance, Transaction History – This information is shared with our partner through which you utilize our services.
LEGAL BASIS for obtaining this information is Contract (enabling functionalities of your account).
2.5. Transaction & Account Monitoring
AML requires us to conduct ongoing due diligence, including the scrutiny of your transactions, for example, to ensure consistency with the information you have provided us with during onboarding/verification.
For these purposes, we:
- Have an internal monitoring system, based on which manual review may be requested,
- May whitelist withdrawal addresses,
- Apply what are known as ‘travel rule’ requirements by sending and receiving information from counterparty exchanges about you. Before sending crypto transfer to another exchange, we advise you to read their Privacy Policy to understand how they process your Personal Data.
- Monitoring Blockchain Transactions,
- Sharing certain information with banks through whom you have conducted a fiat transaction.
- In addition to the above, we may require additional information or an explanation from you to comply with AML requirements.
In these processes, we collect the following personal data:
- Name,
- Surname,
- Address,
- Country of birth,
- Country of residence,
- Nationality,
- KYC Questionnaire Answers,
- Occupation,
- Verification Documents,
- ID Documents & information,
- Picture / Videos (biometric data),
- Reports by background check providers,
- Blockchain Transactions Reports,
- Computer or mobile device information (IP Address, operating system, network system, browser type, and settings)
- Geolocation Information,
- Website usage information,
- Transaction information.
The scope of Personal Data collected or processed for this purpose depends on your activity, applicable AML requirements, and other factors.
LEGAL BASIS for obtaining this information is Compliance with legal obligations provided by the laws.
2.6. Transaction & Price Alerts/Notifications
If you choose to receive transaction & price alerts or notifications about:
- Crypto or fiat withdrawals and deposits,
- Performed transactions,
- Price Alerts,
you give us consent to inform you about the requested information through SMS or email communication (based on your preferences). You can change your consent settings or price information at any time.
In this process, we collect the following personal data:
- Email,
- Phone number,
- Transaction information,
- Price setting Alert Information.
LEGAL BASIS for obtaining this information is Consent.
2.7. Complaints & Customer Support
At any time, you can initiate communication with us through any appropriate means of communication (email, support tickets, social media, etc.) and we will process relevant Personal Data, the scope of which depends on your request, including for potential preparation of any documents requested by you.
For certain actions we might also require you to identify yourself to prevent unauthorized access.
In this process, we collect the following personal data:
- Any Personal Data processed by CryptoUnity.
LEGAL BASIS for obtaining this information is Contract or Legal obligation.
2.8. Know Your Customer (KYC)
If you plan to use certain CryptoUnity services, it might be required that we share or receive your Personal Data with CryptoUnity’s third-party providers of services (e.g. KYC providers). Such sharing will be made solely for the purposes of due diligence within the scope of AML requirements for the use of such a product or service.
You will be notified about any such sharing before you start to use the relevant CryptoUnity Service in the applicable Terms of Service and will also receive a reference to that counterparty privacy notice, explaining how the counterparty will process your Personal Data as an independent Processor or Controller.
In this process, we collect the following personal data:
- Name
- Surname
- Address
- Country of Birth
- Place of Birth
- Date of Birth
- Country of Residence
- Nationality
- KYC Questionnaire Answers
- IP Address
- Occupation
- Verification Documents
- Contact Details
- ID Documents & information
- Picture / Videos (biometric data)
- Reports by background check providers
LEGAL BASIS for obtaining this information is Contract.
2.9. Direct Marketing Communication (Email and Push Notifications)
We have a legitimate interest to promote our company, products, services or share other relevant information about us. For this purpose we will send you emails or share pop-up messages (which may be shown only when you are signed to your Account) with news, updates, promotions, market trends, or information about our new products and services. The processing will involve segmentation and analytics of whether you have seen/opened or acted on our direct marketing communication.
- You can object to this processing, by clicking on “unsubscribe link” which is included in every email communication.
- In some cases we might send you direct marketing communications based on explicit consent you provide to us.
- Push notifications will be sent only if you granted us with explicit consent during the registration process, which can be at any time changed in the Account settings.
- Third party offers and some other communications from us will be sent only if you have given us explicit consent, which can be at any time changed in the Account settings.
Not all communication from us is direct marketing communication. This means communications may be for other purposes and can be conducted based on another legal basis. This means you will receive the communication regardless of whether you objected to the processing, or we don’t have valid consent.
In this process, we collect the following personal data:
- Name
- Surname
- Email Address
- Usage/Activity Information
- Country of Residence
- Transaction Information
- Information about held assets
- Device information
LEGAL BASIS for obtaining this information is a Legitimate Interest or Consent.
2.10. Internal Analytics
We are constantly trying to improve our products and services and for this purpose, we are processing certain Personal Data. Whenever possible, the analysis is prepared based on pseudonymized data, to ensure your privacy is respected.
In this process, we collect the following personal data:
- Name
- Surname
- Email Address
- Usage/Activity Information
- Country of Residence
- Transaction Information
- Information about held assets
- Device information
LEGAL BASIS for obtaining this information is a Legitimate Interest or Consent.
2.11. Control Operations
We may process your Personal Data for the purpose of prevention of fraud and financial crime, which includes the development and improvement of our anti-fraud systems, preventing, detecting, investigating, and prosecuting security threats, fraud, financial crimes, misconduct, or other illegal or malicious activity and meeting our legal responsibilities.
No additional data is collected. The scope of processing depends on the applicable requirements.
LEGAL BASIS for obtaining this information is a Legitimate Reason or Legal Obligation.
2.12. Ensuring & maintaining security
We are constantly trying to implement security measures for the protection of our systems, your Personal Data, and any assets you might have stored for us. For this purpose, we are required to process certain Personal Data, which is limited to what is required.
For this purpose, we collect the following personal data:
- Computer or mobile device information (IP Address, operating system, network system, browser type, and settings)
- Geolocation Information
- Website usage information
- Any other data which might be required in specific cases
LEGAL BASIS for obtaining this information is a Legitimate Interest to protect the information and assets.
2.13. Reporting to authorities
We are subject to various legal obligations to report to the relevant authority’s information required within the scope of ongoing/periodical reporting or ad hoc requests received by such authorities. The scope of Personal Data depends on the requested information by the authority.
For this purpose, we collect the following personal data:
- Name
- Surname
- Customer Due Diligence Information
- Usage/Activity Information
- Transaction Information
- Information about held assets
- Other data requested by the Authority
LEGAL BASIS for obtaining this information is Compliance with Legal Obligation or Legitimate Interest – in case the request is not mandatory, but we decide to share the information regardless upon proper evaluation of the information.
2.14. Pursuing, defending or assisting in any claims, litigation or other proceedings
In certain cases, CryptoUnity may be required to process your Personal Data for the purposes of pursuing, defending, or assisting in any claim, litigation or other proceedings related to you and such data might be disclosed to external lawyers, courts, or other administrative bodies.
For this purpose, we collect the following personal data:
- Name
- Surname
- Customer Due Diligence Information
- Usage/Activity Information
- Transaction Information
- Communication Information
- Other data required by specific proceedings
LEGAL BASIS for obtaining this information is a Legitimate interest to pursue, define or assist in claims, litigation or other proceedings.
2.15. Corporate Governance
We are adjusting strategies based on regulatory and business requirements and processing of your Personal Data might be considered within this scope in the following cases:
- In the event of a different onboarding strategy, we might change the onboarding CU Ltd company and thus transfer your Personal Data. In case this happens, we will notify you beforehand. The provisions of this Policy will continue to apply.
- In case of asset transfer to another company, sale, merger, or other corporate acquisition, Customers are important business assets, and such business transactions might also result in the transfer of your Personal Data, or making this information available to prospective business partners/buyers. We will inform you of any major corporate changes.
No additional data is collected if this happens.
LEGAL BASIS for obtaining this information is a Legitimate interest.
2.16. Website Visitors and collection of Visitors Data
If you are a Visitor to our website only, and not a User of our Services or the CryptoUnity Services otherwise, then this section is relevant for you.
CryptoUnity may collect, record, and analyze information of Visitors to its website. The usage data may include your
- Email,
- IP address and use cookies,
- geographical location,
- browser type and version,
- operating system,
- referral source,
- length of visit,
- page views and website navigation paths,
- information about the timing, frequency, and pattern of your service use.
The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analyzing the use of the website and services and improving users’ experience, performance, and future development of the service.
Furthermore, CryptoUnity may collect and process Personal Data that you voluntarily and with your consent give to us in our website’s forms, such as when you sign up for information and newsletters. You can unsubscribe from the newsletter by opening the CryptoUnity Email, that you received, and clicking “unsubscribe” at the bottom of the page. You can also send us an Email to info@cryptounity.org and ask us to unsubscribe you.
If you provide us with your social media details, CryptoUnity may retrieve publicly available information about you from social media. CryptoUnity uses such information for a better user experience.
LEGAL BASIS for obtaining this information is our legitimate interest in monitoring and improving our website and services or your Consent.
3. LINKS TO OTHER WEBSITES
Our website may contain links to other websites, such as (but not limited to) Facebook, Slack, Linkedin, Github, Twitter, and other third-party websites. If you click on such a link, you will be directed to that site.
Note, that these external sites are not operated by CryptoUnity. We strongly advise you to review the Privacy Policy of the third-party websites that you visit. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
4. GEOGRAPHICAL LOCATION OF COLLECTION AND STORING PERSONAL DATA
The website CryptoUnity runs on servers in European data regions.
A CryptoUnity “Data Region” is a set of data centers located within a defined geographical area where User data is stored. Personal Data is not transmitted to other Data Regions. For CryptoUnity website visitors, all Personal Data of visitors are located in CryptoUnity European Data Region, all Personal Data is processed in the EEA.
5. THIRD-PARTY PLUGINS
In addition to that, visitors of the CryptoUnity website can also sign up to or log in with Facebook, Twitter, or Google and share their likes and comments. CryptoUnity is using plugins and is not considered as a primary controller of the personal data. The primary controllers are Facebook, Twitter, Google, and other such sites.
In respect of operations involving the collection and disclosure of the data, CryptoUnity can be considered as a joint controller with Facebook, Instagram, Google, and Disqus in respect of the collection and transmission of certain personal data of visitors to its website.
6. RETENTION AND DELETION OF PERSONAL INFORMATION
CryptoUnity will not retain data longer than is necessary to fulfill the purposes for which it was obtained for or as required by applicable laws or regulations. When a user’s account is terminated or expired, the Personal Data collected through the platform will be deleted, as required by applicable law unless the law provides that the data collected must be stored for a certain period of time.
Every user or visitor can invoke the right to be forgotten at any time. Users and visitors can request a list of his or her personal data. In case you wish to obtain such data send an Email to info@cryptounity.org. You will receive the list within one month from receiving your request.
7. ACCEPTANCE OF THESE CONDITIONS
All Visitors of our website and users of CryptoUnity Services must carefully read this document and agree to its contents. If someone does not agree with this Privacy Policy, they should refrain from using our website and platform.
We reserve the right to change this Policy as necessity dictates or with the change of our Services. Users will be promptly informed of any such changes to these conditions. By using our website and platform for buying, selling, and storing assets, you agree with the changes.
This privacy policy is an integral part of the Terms of Service for CryptoUnity Services and Website.
In case of a change in the types or purpose or processing procedure of your personal data, CryptoUnity will ask for your consent if required by EU and national regulations.
8. SECURITY OF PERSONAL INFORMATION
We use a variety of security measures to ensure the confidentiality, integrity, availability, and privacy of your Personal Information and to protect your Personal Information from loss, theft, unauthorized access, misuse, alteration, or destruction. These security measures include, among others:
- Password-protected directories and databases.
- Secure Sockets Layered (SSL) technology to ensure that your information is fully encrypted and sent across the Internet securely.
- Vulnerability Scanning to actively protect our servers from hackers and other vulnerabilities.
- Regular penetration testing.
- Secure coding principles.
- Encryption of sensitive data during transfer and at rest.
- 2-factor authentication.
- Logging of activities performed on the platform.
- Access controls and
- other measures to mitigate risks identified during the risk assessment process.
All financially sensitive and/or credit information is transmitted via SSL technology and encrypted in our database. Only authorized CU LTD. personnel are permitted access to your Personal Information, and this personnel is required to treat the information as highly confidential. The security measures will be reviewed regularly in light of new and relevant legal and technical developments.
9. ACCESS RIGHT TO YOUR PERSONAL INFORMATION
You have the right to access your Personal Information to correct, update, and block inaccurate and/or incorrect data. To exercise this right, contact us at Email info@cryptounity.org.
10. INFORMATION, COMPLAINTS AND CONTACT
If you have any further questions regarding the data CryptoUnity collects, or how we use it, then please feel free to contact us by Email at: info@cryptounity.org or in writing at: CU d.o.o., Kotnikova 5, 1000 Ljubljana.
You have a right to lodge a complaint with supervisory authority, to enforce your rights, as specified above. You can find out how to do this at the Slovenian Data Protection Office https://www.ip-rs.si or the inspectorate or European Data Protection Supervisor https://edps.europa.eu/.
11. UPDATES OF THIS POLICY
This Privacy Policy may be revised, modified, updated, and/or supplemented at any time, without prior notice, at the sole discretion of CryptoUnity. When we make changes to this Privacy Policy, we will notify all users on our website, and make the amended Privacy Policy available on our website.
Last update: 15 May 2024
Previous update: 31.3.2022