Privacy Notice

Privacy Notice Bitvavo

Version of: 07-June-2022

1. Introduction

Bitvavo operates an online central limit order book (CLOB) trading platform, where digital assets can be exchanged for other digital assets or fiat (the Platform). You can access the Platform via our Website: https://bitvavo.com and the Bitvavo app. The Platform and Website are collectively referred to as our Services.

This is our Privacy Notice. In this document we explain what kind of personal data we collect via our Services. Personal data means all information by which a person can be directly or indirectly identified and is a term under the General Data Protection Regulation (GDPR. We also explain what role we have in the processing of personal data, how long we retain personal data and what rights you have as a data subject.

Please read this Privacy Notice carefully. Please note that Privacy Notice utilizes certain terms that are defined in the User Agreement Bitvavo B.V. (User Agreement).

If you have questions about the processing of your personal data, you can always contact us through the contact details listed at the bottom of this Privacy Notice.

2. Who is responsible for the processing of your personal data?

Bitvavo B.V. is responsible for the processing of your personal data as described in this Privacy Notice and acts as ‘controller’ under the GDPR, except when the processing of personal data described takes places in the context of off-chain staking services (as further explained in the User Agreement). In such case, Bitvavo Custody B.V. qualifies as the controller.

This Privacy Notice also applies to the processing of personal data by Stichting Bitvavo Payments as controller (as further explained in paragraph 7).

If you have questions about the processing of your personal data, you can always contact us through the contact details listed at the bottom of this Privacy Notice.

3. Which personal data could be processed and from which sources?

Bitvavo may process your personal data if you:

1. are a visitor/user of our Website or Services;
2. are (an authorized representative or UBO of) our customer (or their related family member or close business partner);
3. have a business relationship with Bitvavo; and/or
4. work at our service providers or other parties we deal with.

In paragraph 3.1 – 3.3 is described which data could be processed and from which source.

3.1 Information we collect from you automatically

We receive and store certain types of information automatically, such as whenever you interact with the Platform or use the Services. This information helps us address customer support issues, provide you with a streamlined and personalized experience, improve the performance of our Platform, and protect your account from fraud by detecting unauthorized access. Information collected automatically includes:

1. Usage Data: Information on how our Services are accessed and used, such as your IP-address, when and for how long you visit the Platform, which pages you visit on the Platform, on which links you click and technical information (e.g. type of browser and operating system). Please read our Cookie Statement for more information: https://bitvavo.com/en/cookie-policy.

3.2 Information you provide to us

To establish an account and allow you access to our Services, we'll ask you to provide us with some important information about you. This information is either required by law (e.g. to verify your identity) or necessary to provide the requested Services (e.g. you will need to provide your bank account number if you'd like to link that to your Bitvavo account). Below you will find an overview of the personal data we generally collect from our (potential) customers and individuals related to our (potential) customers.

1. Registration data: Full name, country of residence, email address, password, affiliate code (optional) and pin code.
2. Identification data: Government issued identity document such as Passport, Driver's License, National Identity Card or Resident Permit (ID Document) - including your full name, date of birth, nationality, place of birth, place and date of the issuance of the document, data of expiry of the document, document type, document number, signatory and your photo. In addition, we ask you to record a video clip of yourself with audio to verify your identity. In this context we process your facial images, voice and polygon mesh data. Please note that you must cover your social security number on your ID Document before providing it to us.
3. Personal data included in institutional information: proof of legal formation of a company (e.g. articles of incorporation), additional legal documents – including articles of association, shareholder register, structure chart, corporate tax return and UBO statement – and personal identification (and institutional) information for all direct and indirect representatives, directors and material beneficial owners (if applicable).
4. Account information: Information of purpose and intended nature of the business relationship you have with us.
5. Employment information: Profession, job title, office location, description of role, employment contract and/or annual income.
6. Financial information: Bank account information, transaction history, source of funds, source of wealth and/or tax identification number.
7. Transaction information: Information about the transactions you make on our Services, such as your name, your bank account number, the amount, the type of transaction (e.g. deposit or withdraw), the name of the recipient, the virtual currency wallet address of the recipient and/or the corresponding timestamps of each of these.
8. Correspondence: Survey responses or information provided to our support team and other information that you might voluntarily share with us.

As we add new features and Services and applicable laws and regulations might change, you may be asked to provide additional information. In such case, we will inform you about the purposes and legal grounds for such additional processing separately and/or via an update of this Privacy Notice.

3.3 Information generated by us

We may generate information about you, for example based on information you provided to us. The categories of (personal) data may include:

1. Risk and fraud related information: behavioral pattern information, risk profiles, risk categories, transaction profile information, transaction patterns information and internal suspicious transaction reports or intelligence, derived from information about the transactions you make on our Services - such as the type of transaction (e.g. buy transaction and/or sell transaction), the amount, the type of virtual currency, the counterparty – and other personal data we have of you, hit / no hit information on Politically Exposed Persons (PEP’s) and sanction lists – and/or notices to designated authorities including reports/notifications to FIU.
2. Whistleblowing or fraud reports: We may receive your personal data if they have been necessarily included in whistleblowing reports from Bitvavo Staff Members or in fraud reports from relevant payment institutions and payments service providers, law enforcement agencies and the Financial Intelligence Units (FIU). We may draw conclusions from such personal data regarding your risk classification and include such conclusions in our systems.

3.4 Information collected/received from third parties

From time to time, we may obtain information about you from third party sources as required or permitted by applicable laws and regulations. These sources may include:

1. Public Databases: We obtain information from public databases such as the relevant Chamber of Commerce, the UBO / Beneficial Owners / Transparency (or similar) register, Google searches and other (reliable and independent) sources. We may also receive such public information via third party service providers such as Comply Advantage (adverse media checks) and Lexis Nexis (information on PEP’s, sanctions and blacklists).
2. Blockchain Data: We may analyze public blockchain data and obtain information about your transactions from Blockchain analysis providers.

4. For what purposes are your personal data processed?

We may use your personal data for the following purposes:

1. To comply with laws and regulations; Most of our Services are subject to laws and regulations requiring us to collect, use, and store your personal data in certain ways. For example, Bitvavo must identify and verify customers using our Services in order to comply with anti-money laundering laws such as the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft). In order to verify your identity remotely, we match your photo with your identification. When you provide us with your identification, please ensure your signature and national identification number are masked. We retain your photo to check if you are a politically exposed person (PEP) and to verify your identity when you request withdrawal of digital assets.
2. To enforce the terms in the User Agreement and other agreements; Bitvavo handles sensitive information, such as your identification and financial data, so it is very important for us and our customers that we actively monitor, investigate, prevent, and mitigate any potentially prohibited or illegal activities, and/or prevent and detect violations of the User Agreement or agreements for other Services.
3. To prevent fraud, misuse of services, or money laundering; Bitvavo processes personal data that are not strictly required by law, but nevertheless are necessary to protect the legitimate interest to (i) guarantee the safety and integrity of the digital currency sector, (ii) to prevent and actively combat (attempts to commit) criminal offenses and (iii) to assist in combating fraud and other types of abuse. We also process personal data of existing customers to determine potential risk factors for new customers.
4. To provide the Services; We process your personal data to provide the Services to you. For example, when you want to store funds on our platform, we require certain information such as your identification, contact information, and payment information. We cannot provide you with Services without such information.
5. To provide service communications; We send administrative or account-related information to you to keep you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services. You may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal or security purposes.
6. To provide customer service; We process your personal data when you contact us to resolve any questions, disputes, collect fees, or to troubleshoot problems. Without processing your personal data for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.
7. For research and development purposes; We process your personal data to better understand the way you use and interact with the Services. In addition, we use such information to customize, measure, and improve the Services and the content and layout of our website and applications, and to develop new services. Without such processing, we cannot ensure your continued enjoyment of our Services.
8. To engage in marketing activities; Based on your communication preferences, we may send you marketing communications (e.g. emails or mobile notifications) to inform you about our products and services; to deliver targeted marketing; and to provide you with promotional offers and to wish you a happy birthday. Our marketing activities will be conducted based on your customer profile, including your account and trading data.
9. To set price alerts; Based on your account settings you can set a price alert to be notified when the price for a specific virtual currency reaches a set threshold. We will send this notification, depending on your preference, by email or a push notification in the app.
10. For accountability purposes; Bitvavo retains personal data insofar necessary to protect the legitimate interest to (i) maintain a proper administration and (ii) to substantiate potential legal claims. Bitvavo therefore needs to keep records of registration, identification, transactions, withdrawals of funds, access logs and important correspondence.
11. The following chart summarizes how we use the categories of personal data we collect from customers:

*For this purpose, we process your first name, email, date of birth and country.

5. Legal Bases for Processing your Information

Bitvavo only processes your personal data for a specified purpose and based on a legal ground, such as your consent or when necessary for the execution of an agreement with you, to comply with a legal obligation or to protect a legitimate interest.

Please note:

1. If you provided Bitvavo your consent for any processing of your personal data, you always have the right to withdraw your consent at any moment by emailing us at: [email protected]. Please note withdrawal of your consent does not affect the lawfulness of the processing of your personal data before such withdrawal.
2. If we send you targeted marketing messages based on legitimate interest, we always offer you the opportunity to unsubscribe. If you wish to unsubscribe, you can do so (i) on our website by changing your preferences under the ‘settings’ tab or (ii) in every marketing email we send you, by clicking ‘unsubscribe’.

Special categories of personal data
Part of your Identification Data qualifies as biometric data. We process such data as this is necessary for our legal identification and authentication purposes. In addition, we may process personal data related to criminal offences and/or personal data revealing political opinions to assess your request to become our customer and to meet our legal obligations under anti-money laundering laws such as the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft).

6. Does Bitvavo make use of automated decision making including profiling?

Bitvavo uses software to verify and read out your ID Document and check whether the picture on your ID Document matches your video. In addition, Bitvavo uses software to verify your bank account (by checking whether the name of the bank account and the name on your ID Document match) and your wallet address (by identifying your wallet address and provider in a video provided by you). If no issues are identified in such a process, the ID Document/bank account/wallet address is automatically approved. ID Documents of minors are automatically disapproved, as minors are not allowed to use our Services under the User Agreement. All other disapprovals are always reviewed manually first by Bitvavo’s customer onboarding team. If your ID Document/bank account/wallet address has been disapproved, you can request (another) manual review, express your point of view and/or contest such a decision by contacting Bitvavo’s support team at: [email protected].

Bitvavo also monitors on an ongoing basis whether any new information would affect your risk profile, transaction profile and/or risk category and whether your behavior and (if applicable) investments are in line with the information Bitvavo has about you and your risk classification. In this respect, Bitvavo is using software which is automatically updating your risk profile, transaction profile and/or risk category based on your behavior and might result in soft stops (i.e. transaction will be executed but manually reviewed afterwards by the compliance team) and hard stops (i.e. transaction will only be executed after manual review and approval by the compliance team) of transactions. In addition, an update of your risk profile might result in our compliance team performing additional or more frequent reviews of your account details, such as your transactions and background information. If your transaction has been stopped, you can request (another) manual review, explain your transaction and/or appeal the stop, by contacting Bitvavo’s compliance team at: [email protected].

7. Who may receive your personal data?

Bitvavo only provides access to your personal data to Bitvavo personnel that need to have access to your personal data to perform their tasks and duties. Bitvavo ensures personnel are contractually or legally required to keep your personal data confidential.

Processors

Bitvavo has instructed third parties to process personal data on our behalf if such is necessary for third parties to perform their tasks and duties. Such third parties qualify as ‘Processors’. Bitvavo signs appropriate data processing agreements with all Processors. Through these data processing agreements, the Processors provide at least the same level of security as provided by Bitvavo and guarantee the confidentiality of your personal data. Bitvavo nevertheless remains fully responsible for these processing operations and will therefore take all reasonable technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access.

Bitvavo has instructed the following categories of Processors to process personal data:

1. Hosting service providers, including Amazon Web Services which is located in Luxembourg;
2. Customer support software providers, including Zendesk which is located in the United States;
3. ID Document & facial biometrics verification software providers, including Onfido which is located in the United Kingdom;
4. Customer screening service provider, including Comply Advantage which is located in the United Kingdom;
5. Customer engagement software providers, including Braze which is located in the United States.
6. Customer relationship software providers, including Pipedrive which is located in Estonia.
7. Automatic chat translations software providers, including Language I/O which is located in the United States;
8. Chatbot software providers, including Supwiz which is located in Denmark;
9. Software providers for checking the quality of support messages, including Klaus which is located in Estonia.
10. Software providers for analyzing customer reviews, including Lumoa which is located in Finland;
11. Business accounting software providers, including NetSuite which is located in the United Kingdom.

Controllers

Bitvavo may share your personal data with third parties who process personal data for their own purposes (and do not qualify as Processors but as “Controllers”) in limited circumstances:

1. Stichting Bitvavo Payments (in the Netherlands) functions as a bankruptcy remote vehicle for safeguarding funds of users of the Services. For this purpose, your name and bank account number is shared with and processed by Stichting Bitvavo Payments.
2. Bitvavo shares your personal data if and to the extent this is required to be able to fulfill applicable (European or Dutch) rules and regulations, including assisting Financial Intelligence Units (FIU) or (other) competent supervisory authorities, law enforcement authorities or if necessary to assist in combating fraud and other types of abuse to the extent permitted by law.
3. Bitvavo shares your personal data with Tintel: our payment provider which is located in the Netherlands. Tintel’s privacy notice, available at https://www.pay.nl/en/privacy-cookies, describes its collection and use of personal data.
4. We are legally obliged to include (some of) your personal data in our financial administration, which has to be shared with the national tax authority. The tax authority will process these personal data in accordance with its own privacy policies.
5. If Bitvavo is the subject of a sale, merger, or other transaction, we may also share your personal data with the organization that is (planning) to acquire Bitvavo.
6. We share your transaction hash ID with Chainalysis so that Chainalysis can enable us to analyze public blockchain data and obtain information about your transactions to ensure you are not engaged in illegal or prohibited activity under the User Agreement. Chainalysis is located in the United States.

Your personal data may also be shared after requesting and obtaining your (explicit) consent.

8. Does Bitvavo transfer personal data to recipients outside the European Economic Area?

We may transmit personal data to parties outside the European Union, if one of our Processors or Controllers is established outside the European Union (see paragraph 7 above). In this scope, Bitvavo takes the following safeguards to ensure that personal data is adequately protected in accordance with EU law:

1. When Bitvavo transfers personal data to its customer engagement software provider(s), transaction monitoring software provider(s), customer support software provider(s) and other software providers located in the United States, it will do so based on Standard Contractual Clauses (based on Article 46(2)(d) GDPR).
2. When Bitvavo transfers personal data to its ID Document & facial biometrics verification software provider(s), customer screening service provider(s) and other software and service providers located in the United Kingdom, it will do so based on an adequacy decision (Article 45(3) GDPR).

You may contact us if you wish to receive more information or a copy of the safeguards we take in this scope where necessary.

If you want to consult any safeguards that Bitvavo has in place to protect your personal data if we transfer your personal data outside the EER, please contact us via: [email protected].

9. Your rights

If your personal data is processed, you have privacy rights and, of course, Bitvavo respects these. More specifically, you have the right of access, deletion and rectification of personal data, objection to processing of personal data, restriction of processing of personal data and the right of data portability. You can exercise your right by contacting [email protected]. We may ask you to provide further information in order to determine your identity first, to ensure that no one else is trying to execute your privacy rights.

Bitvavo will respond to your request as quickly as possible, although this can take up to one month. If more time is required to complete your request, Bitvavo will let you know how much longer is needed and the reasons for the delay.

The above rights are not always absolute, and sometimes we may have pressing interests or a legal obligation to deny your request. In such case, we will explain to you our reason for denying your request.

10. Complaints

If you believe that Bitvavo has processed your personal data unlawfully or if you are not satisfied with Bitvavo’s response to your request, you can send your complaint to [email protected]. Bitvavo will respond to your complaint as quickly as possible. You may also directly contact our Data Protection Officer via [email protected].

You are always entitled to file a complaint with a data protection supervisory authority if you believe that we are not processing your personal data in accordance with the GDPR. In the Netherlands, the supervisory authority for data protection is:

Autoriteit Persoonsgegevens
Website: https://www.autoriteitpersoonsgegevens.nl

11. For how long will Bitvavo keep your personal data?

Bitvavo will not keep your personal data longer than the mandatory statutory retention period or, if such a mandatory statutory retention period does not apply, no longer than is strictly necessary to achieve the purposes for which your personal data were collected or processed.

Criteria for data retention
Bitvavo retains personal data processed to execute any agreement with you as long as the term of such agreement. Bitvavo retains personal data processed to comply with a legal obligation, as long as such legal obligation applies to Bitvavo. Bitvavo retains personal data processed to protect any legitimate interest (as described in this Privacy Notice) for as long as necessary to achieve such protection. If Bitvavo has asked for your (explicit) consent for any processing of your personal data, Bitvavo retains your personal data until you withdraw your (explicit) consent or until your (explicit) consent can be deemed expired and you have not renewed such (explicit) consent.

In addition to the legal obligations already mentioned in this Privacy Notice, Bitvavo has the following legal obligations to (keep) retaining personal data:

1. Personal data to the extent relevant for tax purposes (pursuant to Article 52 of the Dutch General Tax Act): 7 years after the latest relevant calendar year;
2. Personal data to the extent relevant to comply with Article 33(3) of the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft): 5 years after the business relationship has been ended;
3. Personal data to the extent relevant to comply with Article 34 of the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft): 5 years after Bitvavo submitted a notification to the FIU.

12. Updating the Privacy Notice

Bitvavo may update this Privacy Notice. Any update of the Privacy Notice will apply after announcing the update on our website or any other official communication channel. If the change to the Privacy Notice concerns a fundamental change to the nature of the processing (e.g. a new category of sensitive data processed) or if the change may be relevant to and impact upon you, Bitvavo will inform you of changes to the Privacy Notice, explicitly and effectively, well in advance of the change actually taking effect.

13. Contact and questions about this Privacy Notice?

If you want to know more about Bitvavo’s Privacy Notice or have any questions or recommendations, please send an email to [email protected] or contact Bitvavo’s Data Protection Officer directly at [email protected]. Bitvavo will respond to your request as quickly as possible.

Contact details

Bitvavo B.V.
⁠Keizersgracht 281, 1016 ED Amsterdam, The Netherlands
⁠E: [email protected].
⁠W: bitvavo.com.
⁠Chamber of Commerce number: 68743424.

Bitvavo Custody B.V.
⁠Keizersgracht 281, 1016 ED Amsterdam, The Netherlands
⁠E: [email protected].
⁠W: bitvavo.com.
⁠Chamber of Commerce number: 80118844.

Stichting Bitvavo Payments
⁠Keizersgracht 281, 1016 ED Amsterdam, The Netherlands
⁠E: [email protected].
⁠W: bitvavo.com.
⁠Chamber of Commerce number: 69228922.