When you visit Bitvavo.com or any related Website or use the Services, Bitvavo collects and processes data in relation to you. Since Bitvavo respects your privacy and makes it a high priority to handle your personal data with care, this policy (the “Privacy Notice”) explains how we handle your personal data. Bitvavo will ensure that your personal data is carefully processed and protected. Bitvavo will always do this in line with applicable privacy laws and regulations. This means, for example, that Bitvavo:
In Bitvavo’s view, it is important that you are well-informed about the above; therefore, please read this Privacy Notice carefully. Please note that Privacy Notice forms part of, and utilizes certain terms that are defined in the User Agreement and User is accepting and consenting to the practices described in this Privacy Notice by accepting the User Agreement and using the Services.
Bitvavo B.V. and Stichting Bitvavo Payments are established at Herengracht 450, 1017 CA in Amsterdam and registered with the Dutch Chamber of Commerce respectively under number 68743424 and 69228922. Bitvavo BV and Stichting Bitvavo Payments are responsible for processing of your personal data as described in this policy and act as (joint) ‘data controller’ under the General Data Protection Regulation (GDPR). In this Policy, all entities are (together) referred to as ‘Bitvavo’, ‘we’, ‘our’, or ‘us’. For all your questions and requests, you can contact our Data Protection Officer at email@example.com.
Bitvavo may process (your personal) data if you:
In paragraph 3.1 – 3.3 is described which data could be processed and from which source.
We receive and store certain types of information automatically, such as whenever you interact with the Website or use the Services. This information helps us address Customer support issues, provide you with a streamlined and personalized experience, improve the performance of our Website, and protect your account from fraud by detecting unauthorized access. Information collected automatically includes:
We may also use identifiers to recognize you when you access our Sites via an external link, such as a link appearing on a third party site.
To establish an account and access our Services, we'll ask you to provide us with some important information about you. This information is either required by law (e.g. to verify your identity) or necessary to provide the requested Services (e.g. you will need to provide your bank account number if you'd like to link that to your Bitvavo account).
As we add new features and Services and applicable laws and regulations might change, you may be asked to provide additional information.
We may generate information about you, for example based on information you provided to us.
The categories of data may include:
From time to time, we may obtain information about you from third party sources as required or permitted by applicable laws en regulations. These sources may include:
We may use your personal data for the following purposes:
The following chart summarizes how we use the categories of personal data we collect from customers:
|Personal Data Category as mentioned in paragraph 3||Sources of Personal Data||Purpose of Collecting Personal Data|
|Online Identifiers||Information we collect from you automatically||Section 1, 3, 5, 6, 7|
|Usage Data||Information we collect from you automatically||Section 2, 3, 4, 5, 8|
|Personal Identification Information||Information you provide us||All sections|
|Formal Identification Information||Information you provide us||Section 1, 3|
|Institutional Information||Information you provide us||Section 1, 3|
|Financial Information||Information you provide us||Section 1, 3, 4|
|Employment Information||Information you provide us||Section 1, 3, 4, 6|
|Transaction Information||Information you provide us||Section 1, 3, 4, 6, 7, 8, 9|
|Account information||Information you provide us|
Information collected from third parties
Information generated by us
|Section 1, 3|
|Correspondence||Information you provide us||Section 1, 3, 4, 5, 6|
|ID Verification Partners, PEP and Sanction Check Partners and Credit Bureaus||Information collected from third parties||Section 1, 3|
|Public Databases||Information collected from third parties||Section 1, 3|
|Blockchain Data||Information collected from third parties||Section 1, 2, 3, 6|
|Blockchain Data||Information collected from third parties||Section 1, 2, 3, 6|
|Whistleblowing or fraud reports||Information collected from third parties|
Information generated by us
|Section 1, 3|
Bitvavo only processes your personal data for a specified purpose and based on a legal ground, such as your (explicit) consent or if necessary for the execution of an agreement with you or in your interest, to comply with a legal obligation or to protect a legitimate interest.
|Section & Purpose of Processing||Legal Bases for Processing|
|1. To comply with laws and regulations and related legitimate interests.|
3. To prevent fraud, misuse of services, or money laundering.
|Based on our legal obligations or the legitimate interest to prevent fraud, misuse of services, or money laundering.|
|2. To enforce our terms in our user agreement and other agreements.|
4. To provide Bitvavo’s Services.
5. To provide service communications.
6. To provide customer service.
|Based on our contract with you or to take steps at your request prior to entering into a contract.|
|7. For research and development purposes.||Based on our legitimate interest (see paragraph 3.4. section 7 above). When we process your personal data for our legitimate interests we always ensure that we consider and balance any potential impact on you and your rights under data protection laws.|
|8. To engage in marketing activities.|
9. To set price alerts.
|Based on your (explicit) consent.|
Please note that we need to have your (explicit) consent to use your data to engage in marketing activities or to set price alerts. If you provided Bitvavo your (explicit) consent for any processing of your personal data, you have always the right to withdraw your (explicit) consent at any moment by emailing us at: firstname.lastname@example.org. Please note withdrawal of your (explicit) consent does not affect the lawfulness of the processing of your personal data before such withdrawal.
Bitvavo monitors on an ongoing basis whether any new information would affect your risk profile, transaction profile and/or risk category and whether your behavior and (if applicable) investments are in line with the information Bitvavo has about you and your risk classification. In this respect, Bitvavo is using software which is automatically updating your risk profile, transaction profile and/or risk category based on your behavior and might result in soft stops (i.e. transaction will be executed but manually reviewed afterwards by the compliance team) and hard stops (i.e. transaction will only be executed after manually review and approval by the compliance team) of transactions. If your transaction has been stopped, you can request (another) manual review, explain your transaction and/or appeal the stop, by contacting the Chief Compliance Officer at: email@example.com.
Bitvavo only provides access to your personal data to Bitvavo associates that need to have access to your personal data to perform their tasks and duties. Bitvavo ensures associates are legally required to keep your personal data confidential.
Bitvavo has instructed third parties to process personal data on our behalf if such is necessary for third parties to perform their tasks and duties. Such third parties qualify as ‘data processors’. Bitvavo will sign an appropriate processor’s agreement with data processors, ensuring that your personal data is always protected to at least the same level of security as Bitvavo provides and guaranteeing the confidentiality of your personal data. Bitvavo nevertheless remains fully responsible for these processing operations and will therefore take all reasonable administrative, technical and physical measures to protect your personal data against unauthorised access, unintentional loss or alteration.
Bitvavo has instructed the following categories of data processors to process personal data:
Bitvavo may share your personal data with third parties who process personal data for their own purposes (and do not qualify as ‘data processors’) in limited circumstances. Bitvavo may share your personal data if and to the extent this is required to be able to fulfill applicable (European or Dutch) rules and regulations, including assisting Financial Intelligence Units (FIU) or (other) competent supervisory authorities, law enforcement authorities or if necessary to assist in combating fraud and other types of abuse to the extent permitted by law.
Bitvavo may share your personal data with other Bitvavo data controller to the extent permitted by applicable law. Bitvavo does not sell your personal data to third parties.
Your personal data may also be shared after requesting and obtaining your (explicit) consent.
We keep and process in principle your personal data within the European Economic Area (EER). Your personal data will be adequately protected by the applicable laws and legislation of these countries (similarly to your own EU country of residence). It can be necessary for Bitvavo to transfer your personal data to (a recipient in) a country outside the EER. If the European Commission has not issued an ‘adequacy decision’ with regard to such country, and it is necessary that your personal data will be transferred to a country without such adequate level of protection, Bitvavo only transfers your personal data to the extent permitted by law.
Bitvavo may transfer personal data to its hosting service provider(s) and transaction monitoring software provider(s) located in the Unites States based on Standard Contractual Clauses (based on Article 46.2.d GDPR).
If you want to consult any guarantees that Bitvavo has in place to protect your personal data if we transfer your personal data outside the EER, please contact us via: firstname.lastname@example.org.
If your personal data is processed, you have privacy rights and, of course, Bitvavo respects these. More specifically, you have the right to access, rectify, restrict processing of to object against processing or the right to data portability of or erase personal data collected or processed about you. You can submit your request to Bitvavo’s Data Protection Officer at email@example.com. The Data Protection Officer may ask you to provide further information in order to determine your identity first, to ensure that no one else is trying to execute your privacy rights.
Bitvavo will respond to your request as quickly as possible, although this can take up to one month (if legally allowed). If more time is required to complete your request, Bitvavo will let you know how much longer is needed and the reasons for the delay.
In certain cases, Bitvavo may deny your request. If it is legally permitted, Bitvavo will let you know in due course why it is denied.
If you believe that Bitvavo has used your personal data unlawfully or if you are not satisfied with Bitvavo’s response to your request, you can send your complaint to firstname.lastname@example.org. Bitvavo will respond to your complaint as quickly as possible.
For example if you are still unhappy with the response to your complaint, you have the right to lodge your complaint with a competent EU data protection authority, which in the Netherlands is the ‘Autoriteit Persoonsgegevens’. You can lodge a complaint with the data protection authority of the EU Member State of your habitual residence, your place of work or in which an alleged infringement of the GDPR took place.
We understand how important your privacy is, which is why Bitvavo takes the appropriate administrative, technical and physical measures to ensure a level of security appropriate to the risk as required by law. For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorize access to personal data only for those employees who require it to fulfill their job responsibilities. If Bitvavo intends to share your personal data with a third party we instruct to process personal data on our behalf, Bitvavo will sign an appropriate processor’s agreement with that third party to guarantee the confidentiality of your personal data.
However, we cannot guarantee that loss, misuse, unauthorized acquisition, or alteration of your data will not occur. Please recognize that you play a vital role in protecting your own personal data. When registering with our Services, it is important to choose a password of sufficient length and complexity, to not reveal this password to any third parties, and to immediately notify us if you become aware of any unauthorized access to or use of your account.
Furthermore, we cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us. If you have reason to believe that your data is no longer secure, please contact us using the contact information provided in this Privacy Notice.
Bitvavo will not keep your personal data longer than the mandatory statutory period or, if such a mandatory statutory period does not apply, no longer than is strictly necessary to achieve the purposes for which your personal data were collected or processed.
Criteria for data retention
Bitvavo retains personal data we process to execute any agreement with you as long as such agreement is applicable. Bitvavo retains personal data we processes to comply with a legal obligation, as long as such legal obligation applies to Bitvavo. Bitvavo retains personal data for purposes to protect any legitimate interest (as described in this policy) as long as necessary to achieve such purposes. If Bitvavo has asked your (explicit) consent for any processing of your personal data, Bitvavo retains your personal data until you withdraw your (explicit) consent (to the extent Bitvavo has no legal obligation to keep retaining such data) or until your (explicit) consent would be expired while you have not given your (explicit) consent again.
In addition to the legal obligations already mentioned in this policy, Bitvavo has the following legal obligations to (keep) retaining personal data:
Bitvavo reserves the right to change the Privacy Notice at any time and under any condition. Any update of the Privacy Notice will apply after announcing the update on the website or any other official communication channel. If the change to the information is indicative of a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country) or if the change may be relevant to and impact upon you, Bitvavo will inform you of changes to the Privacy Notice, explicitly and effectively, well in advance of the change actually taking effect.
If you want to know more about Bitvavo’s Privacy Notice or have any questions or recommendations, please email Bitvavo’s Data Protection Officer at email@example.com. Bitvavo will respond to your request as quickly as possible.