In force from 2020-07-07
Change has appointed a data protection officer, who can be reached via email@example.com. All of the inquiries and complaints concerning the processing of personal data should be addressed to said email address.
1.1. Change is to be considered a data controller in respect of personal data collected and processed in respect of providing Services to you.
1.4. Generally personal data is collected directly from you, and from the information and documents you have provided. However, in order to comply with the legal obligations personal data is also collected from other sources, e.g. from third parties and public sources.
2.1. We are processing the following categories of personal data:
2.1.1. identification data, e.g. your photo, name, date and place of birth, address;
2.1.2. identity document data, e.g. photo of the document, number and validity;
2.1.3. contact data, e.g. phone number, email address;
2.1.4. financial data, e.g. ownership and source of funds;
2.1.5. transaction data, e.g. transaction sums, counter-parties, bank account and card number(s) and account holders;
2.1.6. other data used for performing customer due diligence measures and to prevent fraud, e.g. media coverage, occupation and connection to other persons, and location; and
2.1.7. correspondence between you and us.
3.1. In general we are processing your personal data for the performance of or entering into a contract with you, i.e. personal data is processed for the purposes of providing the services. Without processing personal data, we would be unable to provide services to you.
3.2. The purposes for which we are processing personal data are the following:
3.2.1. fulfilling a contractual obligation, e.g. executing your transaction orders and ensuring the safety of your assets;
3.2.2. fulfilling a legal obligation, e.g. ensuring the security of accessing the Account and the transactions and using the data for accounting and reporting purposes;
3.2.3. public interest, e.g. by performing necessary acts in order to prevent money laundering and the financing of terrorism and thus to ensure the proper identity verification;
3.2.4. sending informative and promotional notifications, or collecting, processing storing and disclosing personal information, e.g. name and contact information, with our partners in order to conduct campaigns and ship the rewards, under a revocable consent received from you; and
3.2.5. our legitimate interest to prevent fraud and to improve our products and services, as well as to promote the launch and usage of new functionalities and features and to illustrate the benefits and possibilities of cryptocurrencies and investing, e.g. by identifying concurrently used app versions and by sending promotional content regarding new features and products, and to conduct campaigns, including in co-operation with third-parties, and ship the rewards.
3.3. For entering into and for the performance of the contractual agreement between you and us and for public interests, Change is applying certain automated decision-making methods to assess your capability, suitability, behaviour and reputation, whether to enter into or to continue a contractual relationship. The aforesaid assessment is accompanied by human-intervention by an employee of Change, who will perform the final assessment.
3.4. For entering into and for the performance of a legal obligation Indexa is obliged to assess your capability, suitability, behaviour, reputation and financial situation, whether to enter into or to continue a contractual relationship with you, in which case the personal data is processed by Change as a data processor on behalf of Indexa.
4.1. Your personal data is being processed by the following categories of data recipients:
4.1.1. our employees responsible for specific tasks regarding the Services;
4.1.2. data processors who help us with providing the services, e.g. service providers for the maintenance of our IT-systems and for fulfilling our legal obligations;
4.1.3. third parties to whom we are required to transfer data under applicable legislation, e.g. relevant state institutions and sector-specific authorities.
4.3. We are not responsible for the actions and processing activities of any third parties. Third parties are considered to be separate data controllers, whose services can be procured by concluding separate agreements with them. Third parties may transfer your personal data to Third Countries and process it for independent purposes.
4.4. Certain activities may result in the transferring of personal data to Third Countries, meaning countries located outside the EU/EEA, and to countries in relation to which the EU Commission has not issued an adequacy decision, e.g. the US. For ensuring that your personal data is protected, we have committed to applying appropriate safeguards in the form of concluding relevant data processing agreements, standard data protection clauses adopted by the European Commission for the transfers and/or ensuring that the third-parties are participants in the Privacy Shield frameworks. In case you wish to know more about the safeguards and obtain a relevant copy of them, please contact us using the details specified above.
4.5. We shall maintain the confidentiality of all information of which we become aware on the basis of the relationship with you, including information concerning you and the Payment Account and Payment Transactions thereof, unless the right or obligation to disclose information arises from legislation.
4.6. We shall be released from the obligation to maintain confidentiality to the extent that you have granted consent to the disclosure of information in writing or in the Apps or our Website or to the extent a disclosure of confidential information is allowed or required under applicable laws and/or mandatory orders by regulatory authorities.
5.1. Your personal data is generally retained as long as you are using the Services. After you have stopped using the Services and your Account has been closed, your personal data shall be retained as long as any claims can be presented on the basis of such data under applicable legislation.
5.2. Certain data, e.g. data obtained for the purposes of the fulfilment of obligations related to anti-money laundering and terrorist financing prevention, or data necessary for accounting purposes, shall be retained as required under applicable legislation and industry standards. Generally, respectively at least for 5 or 7 years since the date of closing the Account, but not longer than 10 years.
5.3. We shall immediately terminate processing the data that is processed under your consent, if the consent is revoked, and the processing of personal data under legitimate interest, if you have declared objection to such processing.
6.1. You, as a data subject, are, at any time, entitled to exercise the following rights:
6.1.1. The right to request the correction of your personal data;
6.1.2. The right to request access to your personal data;
6.1.3. The right to request the erasure of your personal data;
6.1.4. The right to withdraw the consent on which the processing is based;
6.1.5. The right to request the restriction of processing your personal data;
6.1.6. The right to object to the processing of your personal data;
6.1.7. The right to exercise data portability in cases where such data has been provided by you for the performance of or entering into a contractual relationship by accepting the Terms or under the consent; and