Privacy Policy

With this privacy policy we inform you which personal data we receive and for which purpose the data is processed when you use the Custody Wallet. Furthermore, we inform you about how we handle your personal data when you contact us. We also inform you about your rights as a data subject.

1. Responsible person/contact

With this privacy policy we inform you which personal data we receive and for which purpose the data is processed when you use the Custody Wallet. Furthermore, we inform you about how we handle your personal data when you contact us. We also inform you about your rights as a data subject. 

2. Data protection officer

You can reach our data protection officer at info@eprivacy.eu ePrivacy GmbH, located at Grosse Bleichen 21, 20354 Hamburg, Germany.

3. Subject of data protection

The subject of data protection is personal data. According to Section 4 No. 1 GDPR, this is all information relating to an identified or identifiable natural person; this includes, for example, names or identification numbers.

4. Data processing during your use of the Blockchain-Wallet

To enable you to use the Custody Wallet, we receive your account and KYC data such as your name, address, e-mail address or password (encrypted) and your transaction data. We process this data to identify you as a user of a Custody Wallet, to open a Custody Wallet and to process transactions. The data processing is based on the legal basis of Section 6 para. 1 lit. b GDPR.
We also process this data if we are obliged to do so by regulatory or money laundering regulations. In this respect, the processing is based on the legal basis of Section 6 para. 1 lit. c GDPR.

5. Requests

If you send us an inquiry, we will process the information you provide for the purpose of processing and answering your inquiry, Section 6 para. 1 lit. b GDPR.

6. Transfer of data

In principle, your personal data will only be passed on without your prior consent in the following cases:

6.1. If it is necessary to investigate illegal use of our services or legal prosecution, personal data will be forwarded to the law enforcement authorities and, if necessary, to harmed third parties. However, this only happens if there are specific indications of illegal or abusive behavior. A transfer can also take place if this serves to enforce terms of use or other agreements. We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement authorities, authorities that investigate administrative offences that are subject to fines and the tax authorities.

The disclosure of such data is based on our legitimate interest in combating abuse, prosecuting criminal offences and securing, asserting and enforcing claims and that your rights and interests in the protection of your personal data do not outweigh, Section 6 para. 1 lit. f GDPR or due to a legal obligation under Section 6 para. 1 lit. c GDPR.

6.2. We are responsible for the provision of services to contractually associated external service providers or processors according to Section 28 GDPR. In such cases, personal data is passed on to these processors in order to enable them to continue processing. These processors are carefully selected by us and regularly checked to ensure that your rights and freedoms are protected. The processors may only use the data for the purposes specified by us and process them in accordance with our instructions.

Processing outside of the European Economic Area only takes place under the conditions of Section 44 et seq. GDPR.

In detail we use the following processors:

● For data storage we use the "Google Cloud" and "GSuite" service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For Google Cloud we use the server capacities in Amsterdam, Netherlands and Frankfurt, Germany. For GSuite we use the server capacities in Europe.

● We also use hosting services provided by Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107, USA. The transfer of personal data to recipients outside the European Economic Area is based on standard data protection clauses of the Commission in accordance with Section 46 para. 2 lit. b GDPR. A copy of the standard data protection clauses used can be found at https://www.cloudflare.com/cloudflare_customer_SCCs.pdf.

● For the anti-money laundering review, we work with IVXS UK Limited (“ComplyAdvantage”), 90 Long Acre, 4th Floor, London, England, WC2E 9RA, United Kingdom.

7. Deletion of data

Unless otherwise stated, we will delete or anonymize your personal data as soon as it is no longer required for the purposes for which we collected or used it according to the preceding paragraphs. We also keep your data if we are obliged to do so for legal reasons or if the data is required for longer due to criminal prosecution or to secure, assert or enforce legal claims. If
data has to be stored for legal reasons, its processing will be restricted. The data is then no longer available for further use.

8. Your rights as a data subject

8.1. Right of providing information 

You have the right to request information from us at any time about the personal data relating to you processed by us to the extent and under the conditions of Art. 15 GDPR and Section 34 BDSG. To do this, you can send an application by post or email to the address given above. 

8.2. Right to correct faulty data 

You have the right to request the correction of your personal data without delay if it is incorrect. To do this, please use the contact addresses given above. 

8.3. Right of deletion 

You have the right to request that we delete your personal data under the conditions described in Section 17 GDPR and Section 35 BDSG. In particular, these requirements provide for a right to erasure if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, as well as in cases of unlawful processing, the existence of an objection or the existence of an obligation to erase under Union law or the law of the member state to which we are subject. 

8.4. Right to restriction of processing 

You have the right to demand that we restrict processing in accordance with Section 18 GDPR. This right exists in particular if the correctness of the personal data is disputed between the user and us, for the period that requires checking the correctness and in the event that the user requests restricted processing instead of deletion with an existing right to deletion; also in the event that the data is no longer required for the purposes we are pursuing, but the user needs it to assert, exercise or defend legal claims and if the successful exercise of an objection between us and the user is still disputed. In order to assert your above right, please use the contact addresses given above. 

8.5. Right to data portability 

You have the right to receive the personal data relating to you that you have provided to us in a structured, common, machine-readable format in accordance with Art. 20 GDPR. In order to assert your above right, please use the contact addresses given above. 

8.6. Right to object

You have the right at any time, for reasons that arise from your particular situation, to object to the processing of personal data concerning you, which, among other things, based on Section 6 para. 1 lit. e or f GDPR takes place, to file an objection according to Section 21 GDPR. We will stop processing your personal data unless we can demonstrate compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. In order to assert your above right, please use the contact addresses given above.


8.7. Right of appeal 

You also have the right to contact a supervisory authority of your choice if you have complaints.

8.8. Data processing when exercising your rights 

Finally, we point out that when exercising your rights in accordance with. Art. 15 to 22 GDPR process personal data transmitted by you for the purpose of implementing these rights and to be able to provide evidence of this. This processing is based on the legal basis of Art. 6 Para. 1 lit. c GDPR. 

Effective Date: 17 November 2020
© 2020–present Upvest GmbH. All rights reserved.