Last updated: April 1st, 2022
For the purposes of GDPR, BC Bitcoin is the data controller of the Personal Data we process. We determine the means and purpose for which the data is processed, and, on some occasions, we may instruct third parties and suppliers to assist us in providing our Services to you. They are known as data processors or sub-processors and we ensure they handle your Personal Data responsibly when we do so.
We have appointed a Data Protection Officer (“DPO”) who is ultimately responsible for overseeing BC Bitcoin’s regulatory compliance with data protection laws and ensuring we meet our data controller obligations with our processing activities in general. If you have any questions, you may contact our DPO at any time using the details set out below.
Full Name of DPO: Mark Lemon
3. Personal Data
3.1. Personal Data means any information about an individual from which that person can be identified. It does not apply to data where the risk of identification has been removed forever and cannot be matched to an identifiable person (“Anonymised Data”).
In the course of your relationship with us we may collect and process various kinds of Personal Data about you including:
3.1.1. Identity Data: Full name, date of birth, age, nationality, gender, jurisdiction of residence, signature, photographs, and video identification. We may additionally collect documentation (and information contained therein) during our KYC (Know your Customer) verification process including the copy of your Proof of Identity and Proof of Address.
3.1.2. Contact Data: Contact number (telephone or mobile or both), home address and email address.
3.1.3. Financial Data: Your bank account and payment details.
3.1.4. Transaction Data: the type of cryptoassets involved, the order volume, price, value, the recipient wallet address.
3.1.5. Technical and Usage Data: Geographical location details, operating system (OS), browser name and version, IP addresses, your login data, data collected via cookies, analytic tools and similar technologies such as navigation to site, device type, device interaction with site, and other technological unique identifiers received through these technologies.
3.1.6. Source of Funds/Wealth and source of coins Data: This includes information and documents that you provide us to satisfy our Financial Crime Prevention Obligations as stated in our Terms and Conditions.
3.2. Personal Data does not include information relating to a legal person (for example, a company or other legal entity). In that regard, information such as a company name, its company number, registered address does not amount to Personal Data in terms of GDPR.
4. How your Personal Data is Used
4.1. Our purpose for collecting and processing your Personal Data is to provide you with a secure, smooth and legally compliant service. We use Personal Data to operate, deliver, improve our Services and meet our legal and regulatory Data Controller obligations. We may process your Personal Data in the following ways:
4.1.1. To provide Services - To provide our Services such as buying, selling, swapping, depositing or withdrawing cryptoassets;
4.1.2. To maintain legal and regulatory compliance - The use of our Services is subject to laws and regulations which require us to collect and process your Personal Data. We may collect and process your Personal Data to establish and verify your identity and meet our Financial Crime Prevention Obligations;
4.1.3. To enforce compliance with our Terms and Conditions – we actively monitor account usage to prevent and mitigate any potentially prohibited or illegal activities;
4.1.4. To amalgamate statistical data – Providing anonymised statistical data to third parties;
4.1.5. To provide customer service - We will process your Personal Data to respond to disputes, troubleshooting and general inquiries;
4.1.6. To invite you to write a review based on your experience using our Services;
4.1.7. To ensure quality control - Processing of Personal Data is necessary for our quality control checks to prevent issues and interruptions with our Services and to fulfil our obligations to you;
4.1.8. To ensure network and information security - We process your Personal Data to comply with applicable security laws and regulations for the security of our Services;
4.1.9. To combat threats such as spam, malware or hacks;
4.1.10. To help us with our research and development – we may use analytical data gathered from our Website to understand, customise, measure and improve our Services and content along with development of new services; and
4.1.11. To engage in marketing activities - Depending on your communicated preferences (opt in/opt out), we may send you marketing communications such as newsletters to keep you updated on any events or promotional offers.
4.2. Your Personal Data will not be used for any purpose other than those stated above without your explicit consent.
5. Disclosure and Sharing of Personal Data
5.1. We may need to disclose or share your Personal Data to the following categories of third parties:
5.1.1. Banks and financial institutions;
5.1.2. Payment processing service providers;
5.1.3. Third-party outsourced service providers who provide identity verification service to us;
5.1.4. Our other service providers including but not limited to marketing providers, technology platforms and IT support;
5.1.5. Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way and for the same purposes as set out in this Policy; and
5.1.6. Other third parties with your express consent or instruction to do so.
5.2. We reserve the right to disclose your Personal Data to any third party if it is required to meet our legal or regulatory obligations.
6. How we Protect and Store Personal Data
6.1. We understand the importance of protecting our customers' privacy and as such, our IT systems and procedures have been designed for the safety and security of our Users and Customers. We have implemented appropriate technical and organisational measures to protect the security of your Personal Data whilst it is in our care, considering the nature, scope, context and purpose of the processing and the risks involved in processing.
6.2. We use standard safeguards such as firewalls, device encryption, data encryption and Multi-Factor Authentication (MFA) to only allow our verified operators to have access to any Personal Data. Our security measures are reviewed regularly, in conjunction with new applicable technology and legislative or regulatory updates.
6.3. We enforce physical access controls to all our buildings and files, authorising access to Personal Data only to those employees who truly require it to fulfil their job responsibilities.
6.4. We may process part or all of your Personal Data with our service providers. We perform due diligence on all our suppliers before engaging, and enter into a written agreement with them, imposing on them data processor obligations under GDPR.
6.5. Whilst we cannot guarantee the security or confidentiality of information you transmit to us or receive from us via the Internet or wireless connection including Email, Online Chat, Phone, we take all reasonable measures to ensure our system is risk-free.
6.6. If you have reason to believe that your data has been unlawfully or accidentally disclosed to an unauthorised third party, please contact us without delay.
7. Your legal rights
7.1. Under the GDPR, you have eight (8) data subject rights you may exercise regarding how your data is processed by organisations. Not all of the rights are absolute, and they may be denied when required by law; however, we will always take your requests seriously. If you wish to exercise any of your rights, please contact us. Please note that there are statutory timelines in place for our handling of these requests, usually one calendar month. We reserve the right to verify your identity before you can exercise your rights.
7.2. You have the right to:
7.2.1. Request access to your Personal Data (data subject access request). This enables you to receive a copy of the Personal Data we hold about you and confirmation to check that we are lawfully processing it. Your rights to your Personal Data are not absolute and may be denied when required by law;
7.2.2. Request correction or rectification of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected or updated, though we may need to verify the accuracy of the new data you provide to us;
7.2.4. Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) or consent as a lawful basis and you wish to object to that particular processing on the grounds that you feel it impacts on your fundamental rights and freedoms. You have the right to object to this processing, including but not limited to the use of your Personal Data for direct marketing purposes.
7.2.5. Request restriction of processing of your Personal Data in certain circumstances according to the GDPR;
7.2.6. The right to data portability: Under GDPR, in certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine-readable format and have it transferred to another provider of the same or similar services to us. Where this right is applicable, we will comply with such transfer as far as it is technically feasible.
7.2.7. Withdraw consent at any time where we are relying on consent to process your Personal Data. This will not however affect the lawfulness of any processing which we carried out before you withdraw your consent. Any processing activities that are not based on your consent will remain unaffected by the withdrawal of consent;
7.2.8. To file a complaint with the supervisory authority. In Lithuania, the relevant supervisory authority for data protection issues is the State Data Protection Inspectorate.
7.3. You will not normally have to pay a fee to exercise your data subject rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in the above circumstances.
8. Retention of Personal Data
8.1. We retain your Personal Data for as long as we have a justified reason. Whilst you are our Customer, we will process your Personal Data to provide our Services to you. After our relationship ends, we will continue to retain the necessary categories of data as required for us to demonstrate our compliance with our legal or regulatory obligations. We must retain your Personal Data for a certain period of time which cannot be longer than 7 years after ending our relationship with you (unless a longer period is required by other applicable laws).
8.2. Upon the expiry of the seven-year period referred to in paragraph 8.1, we will securely delete and destroy all Personal Data we retain about you unless:
8.2.1. We are required to retain your Personal Data by, or under, any enactment, or for the purposes of any court proceedings; or
8.2.2. We have reasonable grounds for believing that your Personal Data needs to be retained for the purpose of legal proceedings.
9. Anonymised Data
9.1. Some information collected is anonymised so that it is no longer associated with an individual and their Personal Data (“Anonymised Data”). Anonymised Data will be derived from your Personal Data but is not considered Personal Data as this data does not directly or indirectly reveal your identity.
10. Website Links
11. Children’s Personal Data
11.1. We do not knowingly request or collect any Personal Data from any persons under the age of 18. If a user submits Personal Data to us and is suspected of being younger than 18 years of age, we will immediately cease to offer Services and terminate all access upon discovery. Please notify us immediately if you know of any user under the age of 18 using our Website or Services.
12. International Transfers of Personal Data
12.1. In some circumstances, we may process your data outside the EEA by engaging sub-processors who are based outside the EEA. We do so only for very strict purposes, including:
12.1.1. Enable your use of our Services;
12.1.2. Fulfil our contractual obligations to you or exercise our contractual obligations against you;
12.1.3. Comply with our legal or regulatory obligations;
12.1.4. To enable our service providers to provide services to us as per our mutual contractual obligations and rights; or
12.1.5. Assert, file or exercise a legal claim.
12.2. Where we do need to transfer your Personal Data outside Lithuania, we will ensure a similar degree of protection is afforded to that Personal Data. If the country of destination for the Personal Data is outside of the EEA and is not a country of adequacy, we will adopt appropriate safeguards to protect that Personal Data, known as Standard Contractual Clauses (controller to processor).
14. Complaints Handling
14.1. If you are unhappy with our processing of your data, or you believe that our processing activities infringe upon Data Protection Laws and data subject rights, we encourage you to first contact our Data Protection Officer in writing. Based on the merits of the complaint case, an investigation will be initiated by our team. The Data Protection Officer will inform you of the progress and the outcome of your complaint within a reasonable period. If the issue cannot be resolved informally between you and our Data Protection Officer, you have the right to lodge a complaint with your country/member state’s supervisory authority or Data Protection Authority (DPA) for data protection. For Lithuania, this is the State Data Protection Inspectorate (www.vdai.lrv.lt). For European citizens, please see a list of Supervisory Authorities across EU member states.
15. How to Contact us