Last Updated 13 September 2024
In this Notice, "we", "us" and "our" refers to Prex Spółka Z Ograniczoną Odpowiedzialnością (“Prex”). Prex is a company incorporated, and registered in the Register of Virtual Currency Activities, in Poland.
Prex is committed to protecting the privacy of our customers and stakeholders, and we take our data protection responsibilities with the utmost seriousness.
This Privacy Notice sets out what Personal Data we collect, how we process it and how long we generally retain it, along with details of your rights as a data subject.
To the extent that you are a customer or user of our services, this Privacy Notice applies together with any Terms of Use and other contractual documents, including but not limited to any agreements we may have with you. We reserve our right to issue separate policies in respect of other relevant stakeholders such as our employees, connected persons and/or our business partners.
To the extent that you are not a relevant stakeholder, customer or user of our services, but are using our website, this Privacy Notice also applies to you.
In this Notice, “Personal Data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
For the avoidance of doubt, Personal Data does not include data from which you cannot be identified (which is referred to simply as data, non-personal data, anonymous data, or de-identified data).
In this Notice, “processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
This Privacy Notice is issued by Prex as a data controller of your Personal Data, and shall serve as a notice to you in your capacity as Data Subject. For persons subject to EU Data Protection Laws, please also refer to our GDPR Information Clause below, which shall, together with this Privacy Notice, serve as a notice to you.
1. Personal Information We Collect
We collect information about you when you:
- Use our mobile application;
- visit our website;
- contact us either through or web, mobile, or through other direct means of electronic communication including social media engagement;
- interact with us or our services including account creation;
- enter into a contract with us to use our services;
- use our services to enter into transactions (including but not limited to transactions on public blockchains);
- provide instructions to us in relation to your account with us; and/or
- enter into any other relationship with us or interact with us or our services, whether directly or indirectly through any of our affiliated entities or partners.
2. The type of information we collect
The personal information we collect about you includes the following:
| Category of personal data | Types of Personal data |
|---|
| Personal Identification Data | Name
Address
Date of Birth
Gender
Nationality
Identification Number
Residential Address
Copy of your identification document
Proof of residence documents or information |
| Personal Identification Data (special categories of data) | biometric details (including a visual image of your face as part of a “liveness check”). |
| Contact Data | Email address
Phone number
Telegram handle (where necessary) |
| Financial Data | Employment data (such as salary and employer details)
Bank account information
Proof of income documents or information |
| Transactional and Account Data | Your transaction details when using our services, our mobile application, or our site.
You account details when using our services, our mobile application, or our site (such as your username, your uid, your account balance) |
| Usage Data | Information on how you use our site or mobile application (including the content you interact with and the frequency and duration of your activities)
Performance and diagnostic data (such as information on how our service is performing when you are using our service) |
| Marketing and Communications Data | Email address
Marketing preferences
Demographic data
Survey responses
Your communications with us (through any electronic or non-electronic channel)
Referral code information
Participation data on your participation in our campaigns or activities
Public social networking posts, social media, or other available electronic information on third party platforms or applications (including where you interact with us, our affiliates, our partners, our products, our campaigns, or our events) |
| Automatically Collected Data | Location and time zone data
IP Address
MAC Address
Login data
Device information
User settings
Cookie identifiers
Mobile carrier
Internet service provider details
Browser details
Pages that you visit before, during and after using our services, information about the links you click, and other information about how you use our services
Other automatically collected data collected by us, our affiliated entities or third parties through the use of cookies, pixel tags and other technologies when you interact with our services. |
| Blockchain data | Cryptographic wallet address
Transaction IDs |
We may also use Google Analytics and other service providers to collect information regarding visitor behavior and visitor demographics on our Services. For more information about Google Analytics, please visit http://www.google.com/policies/privacy/partners. You can opt out of Google’s collection and processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.
We may obtain information about you from other sources, including through third party services and organizations to supplement information provided by you. For example, if you access our services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect information about you from that third-party application that you have made public via your privacy settings. Information we collect through these services may include your name, your user identification number, your user name, location, gender, birth date, email, profile picture, and your contacts stored in that service. This supplemental information allows us to verify information that you have provided to us and to enhance our ability to provide you with information about our business, products, and Services.
3. Information written on the blockchain
When you enter into a transaction using our services for the deposit or withdrawal of digital currency the following information is written onto the blockchain:
- the cryptographic wallet address from which you send us digital currency or to which you send digital currency to;
- the amount of the digital currency involved in the transaction(s); and/or
- the cryptographic wallet address linked to your account on our platform which holds the digital currency.
You should be aware that data on the blockchain cannot generally be erased or changed, although some smart contracts may be able to revoke certain access rights, and some content may be made invisible to others; however, it is not deleted.
If the abovementioned blockchain characteristics are not acceptable to you, you should not transact on blockchains as certain rights will not be fully available or exercisable by you or us.
4. Purpose and legal basis for the use of your personal information
We use personal information about you in connection with the following purposes:
| Purpose for processing | Category of personal data | Legal basis for processing |
|---|
Provision of services and management
In order to,
- provide you with the information, products and services that you have requested from us;
- perform a contractual obligation we have to you; and/or
- to complete any transaction you are undertaking with us;
we will need to process the categories of your personal data as set out in the column to the right. | Personal Identification Data
Contact Data
Transactional and Account Data
Automatically Collected Data
Blockchain Data
Usage Data | Processing is necessary for the performance of a contract of which you are a party |
Meet legal or regulatory obligation
Related to the purpose directly above, in order to provide you with our services, we will need to first onboard you as a client. As part of onboarding, verification of your identity is necessary to meet our various “know your customer” legal or regulatory obligations. Verification of your identity will involve, amongst other things, collection of your biometric data (such facial scan data extracted from your selfie, video, and/or your government issued identity document).
By agreeing to our Privacy Notice you understand that you are giving us explicit consent for the processing of your biometric data for the purposes of meeting our legal or regulatory obligations.
We are also required to comply with various anti-money laundering laws and regulations. This includes ongoing monitoring and Know-Your-Transaction obligations. If we are unable to collect the personal information required in order for us to fulfil our legal obligations, you may be unable to open an account, or we may have to close your account where it is already opened. | Personal Identification Data (special categories of data)
Financial Data
Personal Identification Data
Contact Data
Transactional and Account Data
Automatically Collected Data
Blockchain Data | Processing is necessary to comply with our legal obligations under applicable laws and regulations, and Anti-Money Laundering laws and regulations.
Processing is necessary for reasons of substantial public interest, on the basis of EU or EU member state law relating to Anti-Money Laundering.
Processing on the basis of consent provided |
Service improvements
It is in our legitimate interests:
- to ensure that content from our site and app is presented in the most effective manner for you;
- to administer our site & app and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to notify you about changes to our service; and/or
- as part of our efforts to keep our site safe and secure. | Personal Identification Data
Contact Data
Transactional and Account Data
Usage Data
Communications Data
Automatically Collected Data
Blockchain Data | Processing is necessary for the purposes of the legitimate interests pursued by us for the reasons as set out in the left most column |
Marketing
We process your personal data for marketing purposes:
- to provide you with information about other services we offer (through email, mobile, in-app notifications, etc) that are similar to those that you already have or that you have enquired about or indicated your interest to us about; and/or
- to provide you with other marketing material such as our Newsletter.
By agreeing to our Privacy Notice you understand that you are giving us explicit consent for the processing of your personal data for direct marketing purposes as set out herein (including sharing your personal data to third parties for the purposes of marketing to you, subject to transfer safeguards as set out in Section 6 below).
If you do not want your personal information to be used for marketing purposes, please contact us using our contact information as set out in the section titled “Contact and further information” below to request for us to stop processing your personal data for all marketing purposes. In relation to our marketing Newsletter, you may also opt out by clicking on the “unsubscribe” link which can be found at the bottom of every email.
We make a distinction between marketing emails and transactional account/service update emails. Opting out of marketing communications will not affect your receipt of transactional account/service update emails. This will ensure that you do not miss important platform service updates. | Contact Data
Personal Identification Data
Transactional and Account Data
Usage Data
Marketing and Communications Data
Automatically Collected Data | Processing on the basis of consent provided
Processing is necessary for the purposes of the legitimate interests pursued by us for improving our product offerings, and to deliver relevant content to you. |
5. How we share your Information
Why and when we share your information
We may share your Personal Data with third parties (including but not limited to entities of the wider group of companies to which we belong) if we believe that sharing your Personal Data is in accordance with, or required by, any contractual relationship with you or us, applicable law, regulation or legal process.
We may also be required by law or by a Court to disclose certain information about you or any engagement we may have with you to relevant regulatory, law enforcement and/or other competent authorities. We will disclose information about you to public, regulatory and/or other competent authorities to the extent we are obliged to do so according to the law. We may also need to share your information in order to enforce or apply our legal rights.
In addition, your Personal Data may also be shared and processed by us and/or other members of the of the wider group of companies to which we belong, our affiliates, agents, vendors, consultants or suppliers, as well as any other third party service providers who are performing certain services on our behalf (for example, outsourced service providers, external counsel, financial institutions, etc.). Such third parties will have access to your Personal Data solely for the purposes of performing the services specified in the applicable engagement, or to comply with applicable laws and not for any other purpose. These third parties are not permitted to use your personal information for their own purposes, and rather can only process in accordance with our instructions. We require these third parties to undertake security measures consistent with the protections specified in this Privacy Notice and applicable law.
In addition, we may transfer your personal information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganisation, or if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected.
Transferring your information outside of the European Economic Area
Sometimes our business partners, third party service providers (including but not limited to entities of the wider group of companies which we belong), agents, subcontractors and other associated organisations may be located outside of the European Economic Area (EEA). The EEA includes the European Union countries as well as Iceland, Liechtenstein and Norway. Transfers outside of the EEA are sometimes referred to as ‘third country transfers’.
We share your personal data with these third parties outside of the EEA where we have a legal basis for doing so such as to provide you with our services or because we ourselves use service providers outside of the EEA in order to operate our business. If we transfer your information outside of the EEA to third parties we will take steps to ensure that your privacy rights continue to be protected as outlined in this Notice. This may require us to take certain additional steps to ensure that appropriate safeguards are in place if that third country is not deemed by the European Commission to offer an adequate level of protection for your privacy rights, which may include use of contractual safeguards to allow you to be able to enforce your rights and ensure these are preserved.
In certain circumstances, your personal data may be transferred out of the EEA to a country which is not considered a privacy safe harbour by the European Commission and where there may be an absence of appropriate safeguards. For instance, your personal data may be transferred to a third party service provider located in a country which does not provide for the same extent of data subject rights as under the EU GDPR. We will nevertheless endeavour to ensure that your privacy rights continue to be protected to the fullest extent practicable. By agreeing to our Privacy Notice and continuing to use our services and/ or website, you hereby give your explicit consent for your personal data to be transferred under the aforementioned circumstances.
6. Automated decision-making
We do not use automated-decision making methods (including profiling), save that we may risk profile our clients in compliance with applicable anti-money laundering legislation. This means decisions are not made solely by robots or computers, and therefore not ‘automated’. However our compliance processes involve certain automated decision-making tools or software (whether through third-party vendor software or otherwise) to help determine if a transaction or customer account presents fraud or legal risk.
7. How long do we keep your information
We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this Notice. Records can be held on a variety of media (physical or electronic) formats.
In addition, we may retain your personal data for a period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person or where we have a legitimate interest to do so.
8. Security Measures
We have appropriate security measures to prevent your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have taken substantial precautions to ensure the security of your data. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality and a duty to comply with data protection procedures. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so
9. Your Data Rights
In accordance with applicable law, you may have the right to:
Right Information and access
You have a right to be informed about the processing of your Personal Data (and if you did not give it to us, information as to the source) and this Notice intends to provide the information.
Right to rectification
You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed. You may also request that we restrict the processing of that information.
The accuracy of your information is important to us. If you do not want us to use your Personal Data in the manner set out in this Notice, or need to advise us of any changes to your personal information, or would like any more information about the way in which we collect and use your Personal Data, please contact us using our contact information as set out in the section titled “Contact and further information” below.
Right to erasure (right to be ‘forgotten’)
You have the general right to request the erasure of your personal information in the following circumstances:
- the personal information is no longer necessary for the purpose for which it was collected;
- you withdraw your consent to consent based processing and no other legal justification for processing applies;
- you object to processing for direct marketing purposes;
- we unlawfully processed your personal information; and
- erasure is required to comply with a legal obligation that applies to us.
We will proceed to comply with an erasure request without delay and to such extent we are able to do so, unless continued retention is necessary for:
- exercising the right of freedom of expression and information;
- complying with a legal obligation under EU or other applicable law;
- the performance of a task carried out in the public interest;
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or
- the establishment, exercise, or defence of legal claims.
However, when interacting with the blockchain we may not be able to ensure that your personal data is deleted. This is because the blockchain is a public decentralized network and blockchain technology does not generally allow for data to be deleted and your right to erasure may not be able to be fully enforced. In these circumstances we will only be able to ensure that all personal data that is held by us is permanently deleted.
Right to restrict processing and right to object to processing
You have a right to restrict processing of your personal information, such as where:
- you contest the accuracy of the personal information;
- where processing is unlawful you may request, instead of requesting erasure, that we restrict the use of the unlawfully processed personal information;
- we no longer need to process your personal information but need to retain your information for the establishment, exercise, or defence of legal claims.
You also have the right to object to processing of your personal information under certain circumstances, such as where the processing is based on your consent and you withdraw that consent. This may impact the services we can provide and we will explain this to you if you decide to exercise this right.
However, when interacting with the blockchain, as it is a public decentralized network, we will likely not be able to prevent external parties from processing any personal data which has been written onto the blockchain. In these circumstances we will use our reasonable endeavours to ensure that all processing of personal data held by us is restricted.
If you would like to exercise any of these rights, please log into your account or contact us using our contact information as set out in the section titled “Contact and further information” below. We will process such requests in accordance with applicable laws. To protect your privacy, we will take steps to verify your identity before fulfilling your request.
Right to lodge a complaint with a relevant supervisory authority
You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of our rights has taken place, if that is based in the EEA or the UK.
10. Changes to Our Privacy Notice
We may revise this Privacy Notice from time to time in our sole discretion. If there are any material changes to this Privacy Notice, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Notice if you continue to use our services after the new Privacy Notice takes effect.
11. Contact and further information
If you would like a copy of your Personal Data or wish to exercise any of your Data Subject Rights as set out in this Notice, please contact support@flipster.io. If you have any other questions regarding this Notice or generally about the way we handle your Personal Data please contact dpo@flipster.io
GDPR Information Clause (For persons subject to EU Data Protection Laws)
In accordance with art. 13 (1) and (2) of General Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (GDPR), we hereby inform you of the following:
- The joint controllers of your personal data are Prex Spółka Z Ograniczoną Odpowiedzialnością and Prex Technologies Pte Ltd.
- The joint controllers of your personal data have a data protection officer, who can be contacted via the email address: dpo@flipster.io
- Your personal data will be processed for the purposes of providing you with (i) the products and services that you have requested from us; (ii) service improvements; (iii) to meet any relevant legal or regulatory obligation; and (iii) (with your explicit consent) marketing. For further details, please refer to our Privacy Notice.
- The legal basis for processing your data is Art. 6 section 1 (a), (b), (c) and (f) of the GDPR.
- The recipients of your personal data will mainly be (i) our affiliated entities and their employees where is it necessary for the provision of products and services to you (ii) any other third party service providers who are performing certain services on our behalf where it is necessary for the provision of products and services to you. Transfers of your personal data will only be made where we have a legal basis for doing so and with appropriate safeguards in place. For full details on this, please refer to our Privacy Notice.
- Your data will be stored for the period necessary to achieve the purposes set out in point 3. For full details on this, please refer to our Privacy Notice.
- You have the right to access your data and subject to the law: the right to rectify, delete, limit processing, the right to transfer data, the right to object, the right to withdraw consent at any time.
- You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of our rights has taken place, if that is based in the EEA or the UK.
- We do not use automated-decision making methods (including profiling), save that we may risk profile our clients in compliance with applicable anti-money laundering legislation.
- If you are an EU citizen, recipients of personal data may be located outside the European Economic Area in the area of operation of other Prex group companies. Unless a European Commission decision has been issued for the country to which the data is transferred stating that it provides an adequate level of personal data protection, Prex Spółka Z Ograniczoną Odpowiedzialnością requires such recipients to apply the data protection measures enshrined in the data processing agreement and standard contractual clauses. For full details of this, please refer to our Privacy Notice.