Last updated: 01-01-2020
When you visit Bitvavo.com or any related Website or use the Services, Bitvavo collects and processes data in relation to you. Since Bitvavo respects your privacy and makes it a high priority to handle your personal data with care, this policy (the “Privacy Notice”) explains how we handle your personal data. Bitvavo will ensure that your personal data is carefully processed and protected. Bitvavo will always do this in line with applicable privacy laws and regulations. This means, for example, that Bitvavo:
- will clearly mention for which purposes your personal data is processed by way of this Privacy Notice;
- will limit the personal data collected to that required for the purposes specified, and will only collect or process more data based on a legal ground, such as your (explicit) consent;
- will not share your personal data with third parties unless it is required for performance of the Services or to be able to fulfill applicable (European or Dutch) rules and regulations, including assisting Financial Intelligence Units (FIU) or (other) competent supervisory authorities, law enforcement authorities or if necessary to assist in combating fraud and other types of abuse to the extent permitted by law;
- will sign an appropriate processor’s agreement with third parties that we instruct to process your personal data on our behalf, to guarantee the confidentiality of your personal data;
- will take all reasonable administrative, technical and physical measures to protect your personal data and require the same of any third party processing your personal data on our behalf; and
- will respect your rights for example to have access to the processed data in relation to you and to amend or erase your personal data. You can read more about your privacy rights in this policy below.
In Bitvavo’s view, it is important that you are well-informed about the above; therefore, please read this Privacy Notice carefully. Please note that this Privacy Notice forms part of, and utilizes certain terms that are defined in, the User Agreement, and that the User accepts and consents to the practices described in this Privacy Notice by accepting the User Agreement and using the Services.
2. Who is responsible for the processing of your personal data?
Bitvavo B.V. and Stichting Bitvavo Payments are established at Herengracht 450, 1017 CA in Amsterdam and registered with the Dutch Chamber of Commerce respectively under number 68743424 and 69228922. Bitvavo BV and Stichting Bitvavo Payments are responsible for processing of your personal data as described in this policy and act as (joint) ‘data controller’ under the General Data Protection Regulation (GDPR). In this Policy, all entities are (together) referred to as ‘Bitvavo’, ‘we’, ‘our’, or ‘us’. For all your questions and requests, you can contact our Data Protection Officer at email@example.com.
3. Which (personal) data could be processed and from which sources?
Bitvavo may process (your personal) data if you:
- are a visitor/user of our Website or Services;
- are (an authorized representative or UBO of) our Customer (or their related family member or close business partner);
- have a Business Relationship with Bitvavo; and/or
- are an associate of our counterparties or service providers of Bitvavo.
Paragraphs 3.1 – 3.3 describe which data could be processed and from which source.
3.1 Information we collect from you automatically
We receive and store certain types of information automatically, such as whenever you interact with the Website or use the Services. This information helps us address Customer support issues, provide you with a streamlined and personalized experience, improve the performance of our Website, and protect your account from fraud by detecting unauthorized access. Information collected automatically includes:
- Online Identifiers: Operating system, browser name and version, device and/or personal IP addresses.
- Usage and Security Data: Authentication data, security questions, and other data collected via cookies and similar technologies.
3.2 Information you provide to us
To establish an account and access our Services, we'll ask you to provide us with some important information about you. This information is either required by law (e.g. to verify your identity) or necessary to provide the requested Services (e.g. you will need to provide your bank account number if you'd like to link that to your Bitvavo account).
- Personal Identification Information: Full name, date of birth, gender, nationality, country of origin, home address, photographs for identification purposes (art. 25 sub a Dutch Implementation GDPR Act), phone number, email, login details and/or other information you might provide about your reputation and background or about your family members or close business partners.
- Personal Identification Information: Government issued identity document such as Passport, Driver's License, National Identity Card or Resident Permit - including details such as document type, document number, date of issuance and issuing authority - and/or any other information, such as video verification if deemed necessary to comply with our legal obligations under financial or anti-money laundering laws. Please note that Bitvavo does not process special personal data including, but not limited to, the social security citizen service number.
- Institutional Information: Company identification number (or comparable number issued by a government), proof of legal formation (e.g. articles of incorporation), additional legal documents – including articles of association, shareholder register, structure chart, corporate tax return and UBO statement – and personal identification (and institutional) information for all direct and indirect representatives, directors and material beneficial owners (if applicable).
- Account purpose information: Information of purpose and intended nature of the business relationship.
- Employment Information: Profession, job title, office location, description of role, employment contract and/or annual income.
- Financial Information: Bank account information, transaction history, source of funds, source of wealth and/or tax identification number.
- Transaction Information: Information about the transactions you make on our Services, such as your name, your bank account number, the amount, the type of transaction (e.g. deposit or withdraw), the name of the recipient, the virtual currency wallet address of the recipient and/or the corresponding timestamps of each of these.
- Correspondence: Survey responses or information provided to our support team and other information that you might voluntarily share with us.
As we add new features and Services and applicable laws and regulations might change, you may be asked to provide additional information.
3.3 Information generated by us
We may generate information about you, for example based on information you provided to us. The categories of data may include:
- Account information: Information about the transactions you make on our Services - such as the type of transaction (e.g. buy transaction and/or sell transaction), the amount, the type of virtual currency, the counterparty – and the processing of this information together with information as provided by you – which might result in behavioral pattern information, risk profiles, risk categories, transaction profile information, transaction patterns information, internal suspicious transaction reports or intelligence, hit / no hit information on PEP and sanction lists – and/or notices to designated authorities including reports/notifications to FIU.
- Whistleblowing or fraud reports: we may receive your personal data if they have been necessarily included in whistleblowing reports from Bitvavo Staff Members or in fraud reports from relevant payment institutions and payments service providers to ensure our Services are not used fraudulently or for other illicit activities.
3.4 Information collected from third parties
From time to time, we may obtain information about you from third party sources as required or permitted by applicable laws and regulations. These sources may include:
- Public Databases: We obtain information from public databases such as the relevant Chamber of Commerce, the UBO / Beneficial Owners / Transparency (or similar) register, Google searches and other (reliable and independent) sources for purposes of verifying your identity and checking your background in accordance with applicable laws and regulations.
- Blockchain Data: We may analyze public blockchain data and obtain information about your transactions from Blockchain analysis providers to ensure parties utilizing our Services are not engaged in illegal or prohibited activity under our Terms, and to analyze transaction trends for research and development purposes.
4. For what purposes are your personal data processed?
We may use your personal data for the following purposes:
- To comply with laws and regulations; Most of our Services are subject to laws and regulations requiring us to collect, use, and store your personal data in certain ways. For example, Bitvavo must identify and verify customers using our Services in order to comply with anti-money laundering laws such as the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft).
- To enforce our terms in our user agreement and other agreements; Bitvavo handles sensitive information, such as your identification and financial data, so it is very important for us and our customers that we actively monitor, investigate, prevent, and mitigate any potentially prohibited or illegal activities, and/or prevent and detect violations of our User Agreement or agreements for other Services.
- To prevent fraud, misuse of services, or money laundering; Bitvavo processes personal data that are not strictly required by law, but nevertheless are necessary to protect the legitimate interest to (i) guarantee the safety and integrity of the Digital Currency sector, (ii) to prevent and actively combat (attempts to commit) criminal offences and (iii) to assist in combating fraud and other types of abuse.
- To provide Bitvavo’s Services; We process your personal data to provide the Services to you. For example, when you want to store funds on our platform, we require certain information such as your identification, contact information, and payment information. We cannot provide you with Services without such information.
- To provide service communications; We send administrative or account-related information to you to keep you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services. You may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal or security purposes.
- To provide customer service; We process your personal data when you contact us to resolve any questions, disputes, collect fees, or to troubleshoot problems. Without processing your personal data for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.
- For research and development purposes; We process your personal data to better understand the way you use and interact with Bitvavo’s Services. In addition, we use such information to customise, measure, and improve Bitvavo’s Services and the content and layout of our website and applications, and to develop new services. Without such processing, we cannot ensure your continued enjoyment of our Services.
- To engage in marketing activities; Based on your communication preferences, we may send you marketing communications (e.g. emails or mobile notifications) to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with promotional offers. Our marketing will be conducted in accordance with your advertising marketing preferences and as permitted by applicable laws and regulations.
- To set price alerts; Based on your account settings you can set a price alert to be notified when the price for a specific virtual currency reaches a set threshold. We will send this notification, depending on your preference, by e-mail, sms or a push notification in the app. When setting price alerts, we process your personal data with your (explicit) consent, which can be withdrawn at any time.
The following chart summarizes how we use the categories of personal data we collect from customers:
| Personal Data Category as mentioned in paragraph 3 | Sources of Personal Data | Purpose of Collecting Personal Data |
|---|---|---|
| Online Identifiers | Information we collect from you automatically | Section 1, 3, 5, 6, 7 |
| Personal Identification Information | Information you provide us | All sections |
| Formal Identification Information | Information you provide us | Section 1, 3 |
| Institutional Information | Information you provide us | Section 1, 3 |
| Financial Information | Information you provide us | Section 1, 3, 4 |
| Employment Information | Information you provide us | Section 1, 3, 4, 6 |
| Transaction Information | Information you provide us | Section 1, 3, 4, 6, 7, 8, 9 |
| Account information | Information you provide us; Information collected from third parties; Information generated by us | Section 1, 3 |
| Correspondence | Information you provide us | Section 1, 3, 4, 5, 6 |
| ID Verification Partners, PEP and Sanction Check Partners and Credit Bureaus | Information collected from third parties | Section 1, 3 |
| Public Databases | Information collected from third parties | Section 1, 3 |
| Blockchain Data | Information collected from third parties | Section 1, 2, 3, 6 |
| Whistleblowing or fraud reports | Information collected from third parties; Information generated by us | Section 1, 3 |
5. Legal Bases for Processing your Information
Bitvavo only processes your personal data for a specified purpose and based on a legal ground, such as your (explicit) consent or if necessary for the execution of an agreement with you or in your interest, to comply with a legal obligation or to protect a legitimate interest.
| Section & Purpose of Processing | Legal Bases for Processing |
|---|---|
| 1. To comply with laws and regulations and related legitimate interests. 2. To prevent fraud, misuse of services, or money laundering. | Based on our legal obligations or the legitimate interest to prevent fraud, misuse of services, or money laundering. |
| 3. To enforce our terms in our user agreement and other agreements. 4. To provide Bitvavo’s Services. 5. To provide service communications. 6. To provide customer service. | Based on our contract with you or to take steps at your request prior to entering into a contract. |
| 7. For research and development purposes. | Based on our legitimate interest (see paragraph 3.4. section 7 above). When we process your personal data for our legitimate interests we always ensure that we consider and balance any potential impact on you and your rights under data protection laws. |
| 8. To engage in marketing activities. 9. To set price alerts. | Based on your (explicit) consent. |
Please note that we need to have your (explicit) consent to use your data to engage in marketing activities or to set price alerts. If you provided Bitvavo your (explicit) consent for any processing of your personal data, you always have the right to withdraw your (explicit) consent at any moment by emailing us at: firstname.lastname@example.org. Please note that withdrawal of your (explicit) consent does not affect the lawfulness of the processing of your personal data before such withdrawal.
6. Does Bitvavo make use of automated decision making including profiling?
Bitvavo monitors on an ongoing basis whether any new information would affect your risk profile, transaction profile and/or risk category and whether your behavior and (if applicable) investments are in line with the information Bitvavo has about you and your risk classification. In this respect, Bitvavo uses software which automatically updates your risk profile, transaction profile and/or risk category based on your behavior and might result in soft stops (i.e. transaction will be executed but manually reviewed afterwards by the compliance team) and hard stops (i.e. transaction will only be executed after manual review and approval by the compliance team) of transactions. If your transaction has been stopped, you can request (another) manual review, explain your transaction and/or appeal the stop, by contacting the Chief Compliance Officer at: email@example.com.
7. Who may receive your personal data?
Bitvavo only provides access to your personal data to Bitvavo associates that need to have access to your personal data to perform their tasks and duties. Bitvavo ensures associates are legally required to keep your personal data confidential.
Bitvavo has instructed third parties to process personal data on our behalf if such is necessary for third parties to perform their tasks and duties. Such third parties qualify as ‘data processors’. Bitvavo will sign an appropriate processor’s agreement with data processors, ensuring that your personal data is always protected to at least the same level of security as Bitvavo provides and guaranteeing the confidentiality of your personal data. Bitvavo nevertheless remains fully responsible for these processing operations and will therefore take all reasonable administrative, technical and physical measures to protect your personal data against unauthorised access, unintentional loss or alteration.
Bitvavo has instructed the following categories of data processors to process personal data:
- Amazon as hosting service provider which is located in Germany, Ireland and the United States; Amazon’s privacy notice, available at https://aws.amazon.com/privacy/, describes its collection and use of personal data.
- Belco as customer support provider which is located in the Netherlands; Belco’s privacy notice, available at https://www.belco.io/privacy-policy/, describes its collection and use of personal data.
- Credit Safe, Lexis Nexis, Mitek, Onfido as (enhanced) customer due diligence providers which are all located in the Netherlands except for Onfido which is located in the United Kingdom;
  - Credit Safe’s privacy notice, available at https://www.creditsafe.com/gb/en/legal/privacy-policy.html, describes its collection and use of personal data.
  - Lexis Nexis’ privacy notice, available at https://www.lexisnexis.com/en-us/terms/privacy-policy.page, describes its collection and use of personal data.
  - Mitek’s privacy notice, available at https://www.miteksystems.com/privacy-policy, describes its collection and use of personal data.
  - Onfido's privacy notice, available at https://onfido.com/privacy/, describes its collection and use of personal data.
- LINK Mobility as SMS platform which is located in Poland; LINK Mobility’s privacy notice, available at https://www.smsapi.com/public/files/SMSAPI_privacy_notice.pdf, describes its collection and use of personal data.
- TWILIO as email service provider which is located in the United States; TWILIO’s privacy notice, available at https://www.twilio.com/legal/privacy, describes its collection and use of personal data.
- Tintel as payment provider which is located in the Netherlands. Tintel’s privacy notice, available at https://www.pay.nl/en/privacy-cookies, describes its collection and use of personal data.
Bitvavo may share your personal data with third parties who process personal data for their own purposes (and do not qualify as ‘data processors’) in limited circumstances. Bitvavo may share your personal data if and to the extent this is required to be able to fulfill applicable (European or Dutch) rules and regulations, including assisting Financial Intelligence Units (FIU) or (other) competent supervisory authorities, law enforcement authorities or if necessary to assist in combating fraud and other types of abuse to the extent permitted by law.
Bitvavo may share your personal data with other Bitvavo data controllers to the extent permitted by applicable law. Bitvavo does not sell your personal data to third parties.
Your personal data may also be shared after requesting and obtaining your (explicit) consent.
8. Does Bitvavo process personal data to recipients outside the European Economic Area?
In principle, we keep and process your personal data within the European Economic Area (EEA). Your personal data will be adequately protected by the applicable laws and legislation of these countries (similarly to your own EU country of residence). It can be necessary for Bitvavo to transfer your personal data to (a recipient in) a country outside the EEA. If the European Commission has not issued an ‘adequacy decision’ with regard to such country, and it is necessary that your personal data will be transferred to a country without such adequate level of protection, Bitvavo only transfers your personal data to the extent permitted by law.
Bitvavo may transfer personal data to its hosting service provider(s) and transaction monitoring software provider(s) located in the United States based on Standard Contractual Clauses (based on Article 46.2.d GDPR).
If you want to consult any guarantees that Bitvavo has in place to protect your personal data if we transfer your personal data outside the European Economic Area, please contact us via: firstname.lastname@example.org.
9. Your rights
If your personal data is processed, you have privacy rights and, of course, Bitvavo respects these. More specifically, you have the right to access, rectify, restrict processing of, object against processing of, or erase personal data collected or processed about you, and the right to data portability of such data. You can submit your request to Bitvavo’s Data Protection Officer at email@example.com. The Data Protection Officer may ask you to provide further information in order to determine your identity first, to ensure that no one else is trying to execute your privacy rights.
Bitvavo will respond to your request as quickly as possible, although this can take up to one month (if legally allowed). If more time is required to complete your request, Bitvavo will let you know how much longer is needed and the reasons for the delay.
In certain cases, Bitvavo may deny your request. If it is legally permitted, Bitvavo will let you know in due course why it is denied.
If you believe that Bitvavo has used your personal data unlawfully or if you are not satisfied with Bitvavo’s response to your request, you can send your complaint to firstname.lastname@example.org. Bitvavo will respond to your complaint as quickly as possible.
For example, if you are still unhappy with the response to your complaint, you have the right to lodge your complaint with a competent EU data protection authority, which in the Netherlands is the ‘Autoriteit Persoonsgegevens’. You can lodge a complaint with the data protection authority of the EU Member State of your habitual residence, your place of work or in which an alleged infringement of the GDPR took place.
11. How Bitvavo will protect your personal data?
We understand how important your privacy is, which is why Bitvavo takes the appropriate administrative, technical and physical measures to ensure a level of security appropriate to the risk as required by law. For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorize access to personal data only for those employees who require it to fulfill their job responsibilities. If Bitvavo intends to share your personal data with a third party we instruct to process personal data on our behalf, Bitvavo will sign an appropriate processor’s agreement with that third party to guarantee the confidentiality of your personal data.
However, we cannot guarantee that loss, misuse, unauthorized acquisition, or alteration of your data will not occur. Please recognize that you play a vital role in protecting your own personal data. When registering with our Services, it is important to choose a password of sufficient length and complexity, to not reveal this password to any third parties, and to immediately notify us if you become aware of any unauthorized access to or use of your account.
Furthermore, we cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us. If you have reason to believe that your data is no longer secure, please contact us using the contact information provided in this Privacy Notice.
12. For how long will Bitvavo keep your personal data?
Bitvavo will not keep your personal data longer than the mandatory statutory period or, if such a mandatory statutory period does not apply, no longer than is strictly necessary to achieve the purposes for which your personal data were collected or processed.
Criteria for data retention
Bitvavo retains personal data we process to execute any agreement with you as long as such agreement is applicable. Bitvavo retains personal data we process to comply with a legal obligation, as long as such legal obligation applies to Bitvavo. Bitvavo retains personal data for purposes to protect any legitimate interest (as described in this policy) as long as necessary to achieve such purposes. If Bitvavo has asked your (explicit) consent for any processing of your personal data, Bitvavo retains your personal data until you withdraw your (explicit) consent (to the extent Bitvavo has no legal obligation to keep retaining such data) or until your (explicit) consent would be expired while you have not given your (explicit) consent again.
In addition to the legal obligations already mentioned in this policy, Bitvavo has the following legal obligations to (keep) retaining personal data:
- Personal data to the extent relevant for tax purposes (pursuant to Article 52 of the Dutch General Tax Act): 7 years after the latest relevant calendar year;
- Personal data to the extent relevant to comply with Article 33(3) of the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft): 5 years after the business relationship has been ended;
- Personal data to the extent relevant to comply with Article 34 of the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft): 5 years after Bitvavo submitted a notification to the FIU.
13. Updating the Privacy Notice
Bitvavo reserves the right to change the Privacy Notice at any time and under any condition. Any update of the Privacy Notice will apply after announcing the update on the website or any other official communication channel. If the change to the information is indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or if the change may be relevant to and impact upon you, Bitvavo will inform you of changes to the Privacy Notice, explicitly and effectively, well in advance of the change actually taking effect.
14. Contact and questions about this Privacy Notice?
If you want to know more about Bitvavo’s Privacy Notice or have any questions or recommendations, please email Bitvavo’s Data Protection Officer at email@example.com. Bitvavo will respond to your request as quickly as possible.