Coinfirm Limited is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in accordance with data protection law. Please read it carefully.
In this Policy:
Data protection law says that the personal information we hold about you must be:
This notice is separated into the following sections for ease of reference. If you have any questions about this notice or how we collect and use personal information about you, please contact us.
(If you are viewing this Policy online, you can click on the below links to jump to the relevant section)
1.1 We, Coinfirm Limited, are a controller of your personal data. Our registered office is at Lansdowne House 5th Floor, 57 Berkeley Square, London, W1J 6ER and our registered company number is 10027965.
1.2 If you have any questions, our contact details are:
1.2.1 Lansdowne House 5th Floor, 57 Berkeley Square, London, W1J 6ER
1.2.2 +44 203 608 6249
2.1 When you enter into a contract with us (or someone does so on your behalf) there will be personal information about you relating to that contract such as your name, contact details, contract details, delivery details, and correspondence with us about the contract. We may also generate further information from the information you provide, such as a case ID number that will be assigned to you.
2.2 We need certain information to carry out our contract with you and you must provide this in order to enter into a contract with us (or as required under that contract), if you do not, we may not be able to carry out our contract with you. Mandatory information fields are generally set out when you are entering into the contract, but in particular, you must provide the following information:
2.2.1 Your name and contact details (including your email address).
2.2.2 Your delivery address
2.2.3 Your payment details
2.2.4 Information to verify your identity and other information for us to carry out anti money laundering checks.
2.3 Other correspondence or interaction (for example by email, telephone, post, SMS or via our website) between you and us, will include personal information (such as names and contact details) in that correspondence. This may include enquiries, reviews, follow-up comments or complaints lodged by or against you and disputes with you or your organisation.
2.4 Call information. We may also collect details of phone numbers used to call our organisation and the date, time and duration of any calls. Please note that if we record your calls to or from us, we will inform you of this.
2.5 We will keep and use that information to carry out our contract with you (if applicable), to comply with any legal requirements for us to maintain certain records or carry out certain verifications, and/or for our legitimate interests in dealing with a complaint or enquiry and administering your (or your organisation’s) account or order and any services we offer, as well as to review and improve our offerings, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
3.1 We may collect your name and contact details (such as your email address, phone number or address) in order to send you information about our products and services which you might be interested in. We may collect this directly from you, or through a third party. If a third party collected your name and contact details, they will only pass those details to us for marketing purposes if you have consented to them doing so.
3.2 You always have the right to “opt out” of receiving our marketing. You can exercise the right at any time by contacting us, using the details in paragraph 1.2 above. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” of our marketing materials, you will be added to our suppression list to ensure we do not accidentally send you further marketing. We may still need to contact you administrative or operational purposes, but we will make sure that those communications don’t include direct marketing. More about direct marketing you can find in our Direct Marketing Policy.
3.3 If you are an existing customer or are acting in a professional capacity as part of a company or LLP, we use your contact details as necessary for our legitimate interests in marketing to you and maintaining a list of potential customers.
3.4 If you are not an existing customer and are not acting in a professional capacity as part of a company or LLP, we will only contact you for marketing purposes with your consent (whether we have collected your details directly from you, or through a third party).
3.5 We never share your name or contact details with third parties for marketing purposes unless we have your “opt-in” consent to share your details with a specific third party for them to send you marketing. We do use third party service providers to send out our marketing, but we only allow them to use that information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
3.7 When we send marketing emails to you, we use “web beacons” to collect information about when you open the email, your IP address and browser or email client type, and other similar information. We do this as necessary for our legitimate interests reviewing and considering our direct marketing activities. We keep this information for marketing of our services.
4.1 We may collect information about you and your use of our website via technical means such as cookies, webpage counters and other analytics tools. This may include your IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website. We use this as necessary for our legitimate interests in administering and improving our website and its content, to ensure it operates effectively and securely, and to develop our business and inform our marketing strategy. We may also create aggregate statistical data from that information (for instance, overall numbers of website visitors) which is not personal information about you.
4.2 We, or third party advertisers, may also use this information to serve adverts on you. Where those adverts are targeted, this may involve using website information and information we (or our third party advertisers) have obtained from third parties. This won’t include information such as your name or contact details. Where our adverts are displayed to you using your information, your information is used as necessary for our legitimate interests in marketing to you.
4.4 Our website may, from time to time, contain links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
5.1 If you work for one of our customers, suppliers or business partners, the information we collect about you may include your contact information, details of your employment and our relationship with you. This information may be collected directly from you or provided by your organisation. Your organisation should have informed you that your information would be provided to us and directed you to this policy. We use this as necessary for our legitimate interests in managing our relationship with your organisation. If we have a business relationship with you or your organisation, we may receive information about you from your organisation. We reserve the right to issue separate privacy notices setting out the handling of personal information in an employment context, including where services are offered under a contract for services and/or on a consultancy basis.
6.1 Visitor information. We collect information about visitors to our premises. We may record information on your visit, including the date and time, who you are visiting, your name, employer, contact details and vehicle registration number. If you have an accident at our premises, this may include an account of your accident. If you require any special assistance, or have specific dietary requirements, this information will be recorded where necessary to protect your vital interests, and will be deleted when no longer required in accordance with our information retention policies.
6.2 CCTV. We may operate CCTV at our premises which may record you and your activities. We display notices to make it clear what areas are subject to surveillance. We only release footage following a warrant or formal request from law enforcement, or as necessary in relation to disputes.
6.3 We use this information as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.
6.4 Visitor information is kept for a period necessary to deal with security issues, up to 3 years. If you have an accident on our premises, our accident records are retained for a period necessary to deal with any claims, up to 6 years.
7.1 We will collect and hold information on job applicants, including information you provide to us in your application, or provided to us by recruitment agencies, as well as information on you from any referees you provide. We may also collect information about your professional history which you make available on LinkedIn or other social media or networking services, or which are on your employer’s website.
7.2 We use this as necessary to enter into an employment contract with you, and for our legitimate interests in evaluating candidates and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights. Where you voluntarily provide us with special categories of data, such as information about your race, health or sexuality, we will store this as part of your application on the basis that you have decided to disclose for this purpose, and to ensure that our record of your application is accurate so we can comply with (and demonstrate our compliance with) our obligations under employment law.
7.4 You must provide certain information (such as your name, contact details, professional and educational history) for us to consider your application fully. If you have not provided all of this information, we may contact you to ask for it. Providing this information is voluntary, but if you fail to do this, we may not be able to properly consider your application. If your application is successful, we will retain information your provide, including special categories of data, for such time as an employment relationship exists between us, and thereafter in accordance with paragraph 8.1 below. If your application is unsuccessful, we will retain your personal information for such period as you specifically consent to, and in the absence of such consent your information will be deleted.
7.5 If you are listed as a referee by an applicant, we will hold your name, contact details, professional information about you (such as your employer and job title) and details of your relationship with the applicant. We will use this information as necessary for our legitimate interests in evaluating candidates and as necessary to exercise and perform our employment law obligations and rights. Your information will be kept alongside the applicant’s information. Where the applicant is successful, we will retain this information until we no longer need to contact that worker after they have stopped working for us. Where the applicant is unsuccessful, we will retain this information for such period as the applicant consents to under paragraph 7.4 above.
7.6 If you are listed as an emergency contact by someone who works for us, we will hold your name, contact details and details of your relationship with that worker. We will use this to contact you as necessary to carry out our obligations under employment law, to protect the vital interests of that worker, and for our legitimate interests in administering our relationship with that worker. Your information will be kept until it is updated by that worker, or we no longer need to contact that worker after they have stopped working for us. For the avoidance of doubt, we do not require emergency contact information from prospective job applicants, and if such information is volunteered by an applicant, we do not store such information unless their application is successful.
8.1 Where we consider there to be a risk that we may need to defend or bring legal claims, we may retain your personal information as necessary for our legitimate interests in ensuring that we can properly bring or defend legal claims. We may also need to share this information with our insurers or legal advisers. How long we keep this information for will depend on the nature of the claim and how long we consider there to be a risk that we will need to defend or bring a claim.
9.1. Considering the fact that is likely that fulfilling the information obligation may render impossible or seriously impair the achievement of the objectives of AML analysis we will not inform data subjects about that processing.
9.2. In order to conduct our anti-money laundering (AML) analysis, we may collect and use following personal data: name, email, country, nationality, phone number, job description, social media links, location, and wallet address(es).
9.3. We will use all that information to provide our AML analysis. Processing in such a purpose is based on our legitimate interest – processing of personal data is strictly necessary for the purposes of preventing fraud – the legal basis for that processing is article 6.1.f) GDPR.
9.4. We collect that information from publicly available sources in Clearnet and Deep Web.
10.1 We may also receive information about you from the following sources:
10.1.1 Our service providers. We work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers and credit reference agencies) who may provide us with information about you, to be used as set out above.
10.1.2 Businesses we have bought. If we have acquired another business, or substantially all of its assets, which originally held your information, we will hold and use the information you provided to them, or which they otherwise held about you, in accordance with this privacy notice.
10.1.3 Our other channels. This is information we receive about you if you use any of the other websites we operate or the other services or products we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this website. We will also have told you for what purpose we will share and combine your data.
10.1.4 Publicly available sources. We obtain information from the following publicly available sources such as: Companies House, LinkedIn or Facebook, Twitter, and other social media and online platforms including those available on dark web.
10.1.5 Credit information. We may also collect credit information on you from third party reference agencies.
11.1 Where we collect “special categories” of particularly sensitive personal information this information requires higher levels of protection and by law we need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
11.1.1 In limited circumstances, with your explicit written consent.
11.1.2 Where it is needed in the public interest.
11.1.3 Where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent.
11.2.4. Where you have already clearly made the information public.
12.1 Common uses of your information. We will only use your personal information when the law allows us to do so. Although in limited circumstances we may use your information because you have specifically consented to it, we generally use your information in the ways set out in this notice because:
12.1.1 We need to perform a contract we have entered into with you.
12.1.2 We need to comply with a legal obligation.
12.1.3 It is necessary for our legitimate interests (or those of a third party) and your interests and rights do not override those interests.
12.1.4 We need to protect your interests (or someone else’s interests) or where it is needed in the public interest (although these circumstances are likely to be rare).
12.5 Change of purpose. We will only use your personal information for the purposes for which we collected it as set out in this notice, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
As well as any sharing listed above, we may also share your information with third parties, including third-party service providers and other entities in our group. Third parties are required to respect the security of your personal information and to treat it in accordance with the law. We never sell your data to third parties.
13.1 Why we might share your personal information with third parties
We may share your personal information with third parties if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our agreements with you, or to protect the rights, property, or safety of us, our customers, or others or where we have another legitimate interest in doing so. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
13.2 Which third-party service providers process your personal information?
We also may need to share your personal information for third-party service providers (including contractors and designated agents) so that they can carry out their services.
The following activities are carried out by third-party service providers: legal advice, contract administration, order fulfilment, delivery, administration, IT services, payment processing.
13.3 When might we share your personal information with other entities in the group?
We may share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, and for system maintenance support and hosting of data.
13.4 How secure is your information with third-party service providers and other entities in our group?
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information. Where third parties process your personal information on our behalf as “data processors” they must do so only on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
13.5 What about other third parties?
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business where necessary in connection with the purposes which your information was collected for. We may also need to share your personal information with a regulator or to otherwise comply with the law.
14.1 Our office headquarters are based in London and our main data centre is located in in Poland. However, where required to perform our contract with you or for our wider business purposes, the information that we hold about you may be transferred to, and stored at, a destination outside the UK and the EU. It may also be processed by staff operating outside the UK and EU who work for us or for one of our service providers. In particular, we operate in the following countries: Poland.
14.2 We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this privacy notice.
14.3 Some countries or organisations outside of the UK and the EU which we may transfer your information to will have an “adequacy decision” in place, meaning the EU considers them to have an adequate data protection regime in place. These are set out on the European Commission website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .
14.4 If we transfer data to countries or organisations outside of the UK and the EU which the EU does not consider to have an adequate data protection regime in place, we will ensure that appropriate safeguards (for example, model clauses approved by the EU or a data protection authority) are put in place where required. To obtain more details of these safeguards, please contact us.
15.1 As well as the measures set out above in relation to sharing of your information, we have put in place appropriate internal security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
15.2 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.
16.1 We have set out above indications of how long we generally keep your information. In some circumstances, it may be necessary to keep your information for longer than that in order to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
16.2 To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
16.3 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
16.4 You can find more information about retention periods you can request to see a copy of our External Data Retention Policy, by contacting us on the details in paragraph 1.2 above.
17. Your rights
17.1 Data protection law, and in particular Regulation EU 2016/679 (‘General Data Protection Regulation’ or ‘GDPR’) and Data Protection Act 2018, gives you a number of rights when it comes to personal information, we hold about you. The key rights are set out below. More information about your rights can be obtained from the Information Commissioner’s Office or by accessing the European Commission’s website. Under certain circumstances, by law you have the right to:
17.1.1 Be informed in a clear, transparent and easily understandable way about how we use your personal information and about your rights. This is why we are providing you with the information in this notice. If you require any further information about how we use your personal information, please let us know.
17.1.2 Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
17.1.3 Request correction (rectification) of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
17.1.4 Request erasure of your personal information, also known as the ‘right to be forgotten’. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it (for instance, we may need to continue using your personal data to comply with our legal obligations). You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
17.1.5 Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to us using your information on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms (for instance, we may need it to defend a legal claim). You also have the right to object where we are processing your personal information for direct marketing purposes, or where the processing is based on your consent and you withdraw that consent.
17.1.6 Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
17.1.7 Request the transfer of your personal information to another party where you provided it to us and we are using it based on your consent, or to carry out a contract with you, and we process it using automated means. This is also referred to as a ‘right to data portability’.
17.1.8 Withdraw consent. In the limited circumstances where we are relying on your consent (as opposed to the other bases set out above) to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate interest in doing so.
17.1.9 Lodge a complaint. If you think that we are using your information in a way which breaches data protection law, you have the right to lodge a complaint with the national data protection supervisory authority in the country of your habitual residence, place of work, or place of the alleged infringement. In the UK the relevant supervisory authority will be the Information Commissioner’s Office, which may be contacted on the below details:
Information Commissioner’s Office
Phone: 0303 123 1113
17.1.9 Freedom from direct marketing (‘opting out’). Further information on this right is found at paragraph 3.2 above and in our Direct Marketing Policy.
17.1.20 Right to freedom from automated decision-making. You have a right to request that decisions made about you using your personal information are made by humans, and not by automated means, such as by computers. We do not use automated-decision making methods (including profiling), save that we may risk profile our customers in compliance with applicable anti-money laundering legislation. However, there will be human intervention following such processing, unless we specifically notify you that this is not the case. This means decisions are not made by robots or computers, and therefore not ‘automated’. However, certain third parties (e.g. credit referencing agencies) may use certain automated decision-making tools or software. We are not responsible for the privacy practices of others and will take reasonable steps to bring such automated decision-making to your attention, but you are encouraged to become familiar with the privacy practices of any third parties you enter into any agreements with.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, withdraw your consent to the processing of your personal information or request that we transfer a copy of your personal information to another party, please contact us on the details at paragraph 1.2 above. Exercise of any of the above rights may impact the services we can provide and we will explain the consequences to you if you decide to exercise one or more of these rights.
In addition, you are directed to paragraph 20 below, which provides further information on the blockchain and how these privacy rights may be affected by the nature of the blockchain.
17.2 No fee usually required. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if one or more of your requests for access are clearly unfounded or excessive, in particular because any repetitive character in such requests. Alternatively, we may refuse to comply with such requests in such circumstances.
17.3 What we may need from you. We may need to request specific information from you to help us understand the nature of your request, to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
17.4 Timescale. Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
Part of our services includes the provision of products and tools which require us to disclose your information on the blockchain. In this context, ‘the blockchain’ may refer to one or more global decentralized public networks that harness distributed ledger technology. Given the nature of decentralized networks, information written onto the blockchain may be transferred and stored (i.e. distributed) across the globe in a variety of forms (i.e. ‘ledgers’).
It is important for you to understand that certain information on several blockchains cannot be modified or deleted (often referred to as ‘immutable’), which may restrict the exercise of your rights to restrict, object to or request erasure or rectification of your personal information.
If you want to ensure your privacy rights are not affected in any way, you should not transact on blockchains as certain rights will not be fully available or exercisable by you or us.
Information written onto the blockchain is limited by the nature of the decentralized public network. For example, in the Ethereum blockchain, information written onto that blockchain may include cryptographic wallet addresses, and the amount of cryptocurrency transferred (sent or received).
Wallet addresses constitute personal information under England and Wales law, and you are responsible for maintaining the details of your wallet (including private and public keys) secure. In most cases ultimate decisions to (i) transact on the blockchain using your Ethereum/Bitcoin or other cryptocurrency wallet address, as well as (ii) share the public key relating to your Ethereum/Bitcoin or other cryptocurrency wallet address with anyone (including us) rests with you.
In particular the blockchain is available to the public and certain personal information shared on the blockchain will become publicly available (including, but not necessarily limited to, wallet addresses and/or public keys).
We will ensure that information that can be used to identify you from a wallet address you provide to us is kept secure, and will only disclose such information where you consent to such disclosure, where necessary for the provision of our services under the terms of any contract with you, or where required to do under a legal obligation, including where we receive a request from a court or law enforcement authority or agency of competent jurisdiction.