Privacy Notice
Figure Markets Ireland Limited EEA & UK Privacy Notice
Effective Date: November 2024
Introduction
Figure Markets Ireland Limited (“Figure Markets Ireland”, “we”, “our”) is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Notice explains how we collect, use, and share your personal data in connection with our virtual asset services.
Figure Markets Ireland is part of the Figure Markets Holdings, Inc. group, which includes affiliates, subsidiaries and other entities that provide complementary services and/or innovative financial and technological solutions globally (“Figure Group”). We are committed to safeguarding your privacy and ensuring the security of your personal data.
This Privacy Notice explains:
- How we collect, use, and share your personal data.
- The measures we take to protect your data.
- Your rights under applicable data protection laws, including the General Data Protection Regulation (GDPR).
This Privacy Notice applies to data collected through our virtual asset services, including those provided by Figure Markets Ireland and its affiliates, as well as interactions via our websites, mobile apps, and APIs.
For inquiries about this Privacy Notice, your rights, or data protection measures, please contact our Data Protection Officer (DPO) at dpo@xpertdpo.com.
1. Who We Are
Data Controller:
Figure Markets Ireland Limited
33 Sir John Rogerson’s Quay, Dublin 2, D02 XK09, Ireland
Registered with the Central Bank of Ireland as a Virtual Asset Service Provider (VASP).
2. Services We Provide
We provide virtual asset services, including:
- Exchange between virtual assets and fiat currencies.
- Exchange between virtual assets.
- Transfer of virtual assets between accounts or wallets.
Our services leverage the expertise and infrastructure of the Figure Group to deliver secure, efficient, and compliant solutions.
3. Data We Collect
You may provide us with Identity Data, Social Identity Data, Contact Data, Financial Data, Profile Data, Investment Data, Marketing and Communications Data, Transactional Data, Technical Data, Usage Data, and Biometric Data by directly interacting with us, including through forms, email, our Service, or otherwise. This includes personal data you provide when you:
- Apply for our products or services.
- Create an account on our website or app.
- Subscribe to our service or publications.
- Complete identity verification processes (e.g., uploading a video selfie or voice recording).
- Request marketing to be sent to you.
- Apply for an advertised or speculative role with us.
- Enter a competition, promotion, or survey.
- Provide feedback or contact us.
We may also collect data about you through cookies or other tracking technologies when you interact with our website or app. For more details, please refer to our EEA & UK Cookie Policy.
Category of personal data | Examples of specific pieces of personal data
---|---
Identity Data | 
Social Identity Data | 
Contact Data | 
Financial Data | 
Transactional Data | 
Investment Data | 
Technical Data | 
Profile Data | 
Usage Data | 
Marketing and Communications Data | 
Employment Applications | We collect personal data through our website in connection with applications for employment, which will include your name, date of birth, email address, phone number, address, other contact details and employment history. This data will be used to determine your suitability for a position within Figure Markets Ireland or the wider Figure Markets group and, if applicable, your terms of employment or engagement. Your information may also be used to monitor our recruitment initiatives and equal opportunities policies.
Other Parties or Publicly Available Sources | We may receive personal data about you from certain third parties and public sources including:
4. How We Use Your Data
We will only use your personal data for the purposes for which we collected it unless we reasonably determine that it needs to be used for another purpose that is compatible with the original purpose. If you would like an explanation of how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.
4.1 Purposes for Processing Your Personal Data
We process your personal data, including biometric data, for the following purposes:
4.1.1 Service Provision
To fulfil our contractual obligations, including (but not limited to):
- Account creation and management.
- Transaction processing.
- Customer support and relationship management.
- Identity verification during onboarding and account activity.
4.1.2 Regulatory Compliance
To meet our legal obligations under:
- Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) legislation, and other applicable legislation and guidance.
- Employment Law and other applicable regulations.
4.1.3 Security
To ensure the safety and security of your data and our services, including:
- Fraud detection and prevention.
- Identity verification through biometric data, such as facial geometry and voice recordings.
- Prevention of unauthorized access using multifactor authentication and advanced security measures.
4.1.4 Analytics and Improvement
To improve our services and user experience, including:
- Monitoring and analyzing website or app usage.
- Diagnosing technical issues and optimizing platform performance.
4.1.5 Marketing and Communications
To send you marketing communications, newsletters, or promotional materials, in line with your preferences.
4.1.6 Biometric Data-Specific Usage
We utilize reputable third-party service providers specializing in biometric data processing to facilitate identity verification. These providers act as data processors on our behalf, adhering to stringent data protection standards and legal requirements. We ensure that any third-party processor we engage complies with applicable data protection laws and implements appropriate technical and organizational measures to protect your data.
If biometric data is collected (e.g., facial geometry, video, or voice recordings), it will only be used for:
- Identity verification for account setup and transaction authorization.
- Fraud prevention and enhancing account security.
Biometric data will not be used for any unrelated purposes without your explicit consent.
5. Legal Basis for Processing
We process your personal data under the following legal bases, as required by the General Data Protection Regulation (GDPR):
5.1 Legal Bases for Processing
5.1.1 Contractual Necessity
Processing is necessary to perform our contractual obligations or to take steps at your request before entering into a contract. This includes:
- Creating and managing accounts.
- Processing transactions.
- Providing customer support and other services.
- Managing employment-related contracts.
5.1.2 Legal Obligation
Processing is necessary to comply with legal obligations, including:
- Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) requirements.
- Adherence to Employment Law and other statutory regulations.
- Meeting obligations to regulators, such as the Central Bank of Ireland and other relevant authorities.
5.1.3 Legitimate Interests
Processing is necessary for the purposes of our legitimate interests, provided these interests are not overridden by your fundamental rights and freedoms. This includes:
- Detecting and preventing fraud.
- Improving and personalizing services and user experience.
- Ensuring the security and integrity of our platforms.
- Conducting compliance audits and risk assessments.
5.1.4 Explicit Consent
We rely on your explicit consent for certain types of processing, including:
- Collecting and processing biometric data for identity verification, fraud prevention, and account security.
- Sending marketing communications, where required by law.
You may withdraw your consent at any time without affecting the lawfulness of processing conducted before consent was withdrawn.
5.1.5 Employment and Social Security Obligations
Processing is necessary for the purpose of complying with obligations in the fields of employment, social security, and social protection.
5.1.6 Legal Claims
Processing is necessary for the establishment, exercise, or defense of legal claims, including:
- Investigating and addressing potential disputes or regulatory inquiries.
- Retaining data for use in litigation or dispute resolution.
5.1.7 Biometric Data-Specific Legal Bases
Processing biometric data, categorized as special category data under the GDPR, requires both a lawful basis under Article 6 and an additional condition under Article 9. We rely on the following legal bases for processing biometric data:
- Article 6(1)(a) (Consent) and Article 9(2)(a): Explicit consent is obtained for biometric data collection and processing where required, such as during identity verification for onboarding or account access.
- Article 6(1)(c) (Legal Obligation) and Article 9(2)(g) (Substantial Public Interest): Biometric data may be processed without explicit consent when necessary to comply with legal obligations, such as:
  - Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regulations.
  - Compliance with financial regulations requiring fraud detection and security measures.
- Article 6(1)(f) (Legitimate Interests): Processing biometric data is justified where it serves legitimate business interests, provided such interests are not overridden by the fundamental rights and freedoms of data subjects. Examples include:
  - Fraud detection and prevention systems where explicit consent is impractical.
  - Enhancing security protocols to safeguard accounts and transactions.
- Article 9(2)(b) (Employment Obligations): Biometric data may be processed as necessary to fulfill obligations related to employment, such as ensuring secure access to employee systems or facilities.
6. Sharing Your Data
When processing your personal data, we may need to share it with specific third parties. The nature of the data shared and the recipients depend on the type of personal data and the purposes for which it is processed. The categories of recipients are as follows:
6.1 Categories of Recipients
6.1.1 Third-Party Service Providers
We may share your data with third-party service providers, subcontractors, agents, and other organizations that provide services to us or to you on our behalf, such as:
- IT and Cloud Hosting Providers: To ensure secure data storage and access.
- HR and Administrative Services: For employment-related processing.
- Financial and Accounting Services: To manage payments and financial records.
- Recruitment Agencies: To assist in hiring processes.
- Onboarding and Identity Verification Providers: Including providers of biometric data processing for fraud prevention and compliance purposes.
6.1.2 Professional Advisors
We may share your data with professional advisors, including:
- Lawyers, auditors, accountants, and insurers.
- Credit reference agencies for credit assessments.
6.1.3 Regulatory Authorities
We may disclose your data to regulatory authorities where required by law or necessary for compliance, such as:
- Central Bank of Ireland and the Data Protection Commission.
- Law enforcement authorities inside or outside the EEA or UK, where applicable.
6.1.4 Figure Group Entities
We may share your data within the Figure Group, for:
- Providing services to you.
- Business management or administrative purposes.
- Meeting legal or regulatory obligations.
6.1.5 Third Parties in Corporate Transactions
Your data may be shared with third parties as part of:
- A restructure, sale, or acquisition of our group or affiliates.
Any recipient will only use your information for the purposes originally specified in this Privacy Notice.
6.2 Safeguards for Sharing Data
We require all third parties to respect the confidentiality and security of your personal data and to process it in compliance with EEA and UK law. Specifically:
- Data Processing Agreements: Where third parties act as data processors on our behalf, we enter into contracts that comply with GDPR requirements, restricting data use to specified purposes and in accordance with our instructions.
- Data Transfers: Where data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
6.3 Biometric Data
If biometric data is shared, additional safeguards are applied to ensure compliance with GDPR requirements for processing special categories of data. These include:
- Sharing only with providers necessary for biometric identity verification or fraud prevention.
- Ensuring providers adhere to robust security measures, such as encryption and pseudonymization.
- Limiting retention and use of biometric data to the purposes specified in this Privacy Notice.
7. International Data Transfers
7.1 Transfers Within and Outside the EEA/UK
We may transfer personal data:
- Within the Figure Markets Group: To affiliates or subsidiaries located in countries outside the EEA/UK.
- To Third-Party Providers: Such as IT infrastructure providers, cloud hosting services, and identity verification partners, where they are based outside the EEA/UK.
7.2 Safeguards for International Transfers
To ensure your personal data receives an adequate level of protection in line with GDPR, we implement the following safeguards for all transfers outside the EEA/UK:
- Adequacy Decisions
We transfer your personal data to countries that have been deemed to provide an adequate level of protection by the European Commission or the UK Secretary of State.
- Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, we rely on SCCs approved by the European Commission or the UK Secretary of State, ensuring contractual safeguards are in place to protect your data.
- Transfer Impact Assessments (TIAs)
We conduct TIAs for transfers outside the EEA/UK, assessing whether the data importer can comply with the safeguards required by GDPR and, if necessary, implementing additional measures to mitigate risks.
- Additional Safeguards
Where appropriate, we may apply supplementary measures, such as:
- Encryption during transmission and storage.
- Pseudonymization of data to reduce identifiability.
- Restricting access to personal data to authorized personnel only.
7.3 Biometric Data Transfers
For biometric data, additional protections are implemented:
- Biometric data is only transferred to jurisdictions where adequate safeguards are ensured.
- Transfers are limited to providers necessary for identity verification or fraud prevention.
- Biometric data is encrypted during transmission and storage to ensure confidentiality.
8. Retention of Your Data
We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, including satisfying legal, regulatory, tax, accounting, or reporting obligations. Personal data may be retained for longer periods in the event of a complaint or where we reasonably believe litigation related to our relationship with you is likely.
8.1 Factors Determining Retention Periods
To determine appropriate retention periods, we consider:
- The amount, nature, and sensitivity of the personal data.
- The potential risk of harm from unauthorized use or disclosure.
- The purposes for which the data is processed and whether those purposes can be achieved through other means.
- Applicable legal, regulatory, tax, accounting, or other requirements.
8.2 Retention Periods
We retain personal data in line with the following schedules:
- Customer Due Diligence (CDD) Records
Retained for 5 years after account closure in compliance with Anti-Money Laundering (AML) regulations.
- Transaction Data
Retained for 6 years after the last transaction, in line with tax and regulatory obligations.
- Biometric Data
We collect only the biometric data necessary for identity verification and fraud prevention. Alternative methods, such as manual document checks, are offered for users unwilling to provide biometric data.
We utilize reputable third-party service providers specializing in biometric data processing to facilitate identity verification. These providers act as data processors on our behalf, under data processing agreements that comply with applicable data protection laws.
We ensure that any third-party processor we engage:
- Implements robust technical and organizational measures, including encryption and pseudonymization, to protect your data.
- Processes data solely under our instructions and for the purposes outlined in this Privacy Notice.
- Undergoes regular audits and assessments to verify compliance with data protection standards.
While we do not directly collect or store biometric data, we securely access and review it through the third-party provider's platform as part of the identity verification process.
Biometric data is retained only for as long as necessary to fulfill its specific purpose, such as identity verification, fraud prevention, or security, in accordance with GDPR’s principles of data minimization and storage limitation. Retention periods are as follows:
- Identity Verification Data:
Retained for a maximum of 6 months post-verification, unless a longer retention period is required by legal or regulatory obligations.
- Security Purposes:
Retained for the duration of account activity and up to 1 year post-account closure to allow for the resolution of disputes or to meet security requirements.
- Fraud Prevention or Regulatory Compliance:
Retained for up to 3 years after the last interaction or until the purpose (e.g., fraud prevention, compliance with AML/CTF regulations) is fulfilled, whichever occurs first.
At the end of these periods, biometric data is securely deleted using irreversible deletion protocols to prevent unauthorized access or recovery.
- Employment Data
- Unsuccessful Job Applicants: Personal data is retained for 6 months following the application process, unless otherwise agreed.
- Employee Records: Retained for the duration of employment and as required by law following termination.
- Complaint or Litigation Data
Retained for as long as necessary to address disputes or legal claims, including any associated statutory limitation periods.
- Anonymization for Research or Statistical Use
In some cases, personal data may be anonymized, ensuring it is no longer identifiable to you. Anonymized data may be used indefinitely for research or statistical purposes without further notice to you.
8.3 Safeguards for Retention and Deletion
We aim to ensure the secure retention and disposal of personal data through:
- Regular data audits to identify and delete data no longer required.
- Implementation of robust deletion protocols, including encryption and pseudonymization during data lifecycle management.
- Secure disposal of data, including biometric data, following retention periods.
9. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data. The availability of these rights depends on the legal basis for processing. For detailed information or to exercise any of these rights, please contact us at DPO@xpertdpo.com.
Your GDPR Rights
9.1 Right of Access
You may request a copy of the personal data we hold about you and information about how it is processed.
9.2 Right to Rectification
You may ask us to correct inaccurate or incomplete personal data. Verification of the updated information may be required.
9.3 Right to Erasure ("Right to be Forgotten")
You may request deletion of your personal data when:
- The data is no longer necessary for the purpose it was collected.
- You withdraw your consent (where processing is based on consent).
- You object to processing, and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
We may retain your data where required for legal obligations or in defense of legal claims.
9.4 Right to Restrict Processing
You may request us to limit the processing of your personal data where:
- Its accuracy is contested.
- The processing is unlawful, and you request restriction instead of deletion.
- The data is no longer needed, but you require it to establish, exercise, or defend legal claims.
- You have objected to processing, pending verification of overriding legitimate grounds.
9.5 Right to Object
You may object to processing based on legitimate interests if it impacts your fundamental rights and freedoms. You may also object to processing for direct marketing purposes.
9.6 Right to Withdraw Consent
You have the right to withdraw your consent at any time for processing activities that are based on your consent (e.g., marketing or biometric data processing). Withdrawal of consent does not affect the lawfulness of any processing conducted prior to its withdrawal.
Withdrawing Consent for Biometric Data
You may withdraw your consent for biometric data processing at any time. However, please note:
- Withdrawal may limit or prevent access to services that require biometric verification (e.g., identity verification for account security or transaction authorization).
- Where biometric data is processed based on legal obligations or legitimate interests, withdrawal of consent may not fully apply, but we will provide alternative methods for fulfilling those obligations where feasible.
How to Withdraw Consent
To withdraw your consent, please contact us at DPO@xpertdpo.com. We will process your request promptly and provide confirmation once your consent has been withdrawn.
9.7 Right to Data Portability
You may request that we transfer your personal data in a structured, commonly used, and machine-readable format to you or a third party, where technically feasible.
9.8 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you may lodge a complaint with:
- Ireland Data Protection Commission (DPC)
- UK Information Commissioner’s Office (ICO)
- Any relevant data protection authority in your jurisdiction.
You may also seek judicial remedies, including compensation for damages.
9.9 Response Timeline
We will respond to legitimate requests within 30 days. In certain cases, particularly where requests are complex or numerous, we may extend this period by up to two additional months, in accordance with GDPR. If an extension is necessary, we will notify you and provide reasons for the delay.
9.9.1 Verification of Identity
To protect your data, we may request sufficient information to verify your identity before fulfilling your request.
9.9.2 Special Considerations for Biometric Data
If your request involves biometric data, additional safeguards are applied to ensure compliance with GDPR requirements for special category data, including secure deletion or restricted access as appropriate.
10. Automated Decision-Making
10.1 What is Automated Decision-Making?
Automated decision-making refers to decisions made entirely by automated systems or algorithms without human intervention. Such decisions may significantly impact you, particularly in areas such as onboarding, identity verification, fraud detection, and transaction monitoring.
- Logic: Automated systems analyze biometric data, such as facial geometry, to match your identity against submitted documents.
- Significance: This process enhances security during onboarding and mitigates fraud risks.
- Consequences: Errors or inaccuracies may result in delays, denial of service, or additional verification requirements. You have the right to request human intervention and to challenge such decisions.
10.2 How We Use Automated Decision-Making
Automated decision-making enables us to provide efficient, secure, and compliant services. The key processes include:
10.2.1 Onboarding
- Logic: Algorithms evaluate personal and biometric data, including facial geometry and ID documentation, to verify identity and determine eligibility for account creation.
- Significance: This ensures a streamlined onboarding experience while maintaining regulatory compliance.
- Consequences: If the automated process identifies discrepancies or risks, your account creation may be delayed or declined.
10.2.2 Identity Verification
- Logic: Biometric matching compares facial geometry or video selfies against submitted ID documents to confirm identity.
- Significance: Reduces the risk of identity theft and ensures compliance with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations.
- Consequences: If mismatches are detected, further manual review or additional documentation may be required.
10.2.3 Transaction Monitoring
- Logic: Algorithms monitor transactional patterns, such as amounts, geographic locations, and frequencies, to identify unusual or potentially fraudulent activities.
- Significance: Protects against unauthorized transactions and ensures compliance with financial regulations.
- Consequences: Transactions flagged as high-risk may be temporarily withheld for further investigation or reported to regulators where required.
10.2.4 Fraud Detection
- Logic: Behavioral analysis and pattern recognition algorithms detect unauthorized access or fraudulent behavior.
- Significance: Safeguards your account and ensures the integrity of our platform.
- Consequences: Suspicious patterns may trigger additional verification steps or temporary account suspension.
10.3 Your Rights Regarding Automated Decision-Making
Under Article 22 of the General Data Protection Regulation (GDPR), you have the following rights:
10.3.1 Right to Information
You may request an explanation of the logic behind the automated decision-making process, including the significance and potential consequences of the decision.
10.3.2 Right to Human Intervention
You may request that a human reviews any decision that significantly affects you instead of relying solely on automated processing.
10.3.3 Right to Express Your Opinion
You can provide feedback or share concerns about any automated decision.
10.3.4 Right to Contest Decisions
You may challenge decisions made by automated processes and request reconsideration.
10.4 How to Exercise These Rights
If you wish to exercise these rights or require further details about automated decision-making, including its logic, significance, or consequences, please contact us at DPO@xpertdpo.com.
10.5 Safeguards for Automated Decision-Making
We have implemented the following safeguards to ensure compliance with GDPR Article 22 and protect your rights:
- Regular Algorithm Audits: We regularly test and review algorithms to ensure accuracy, fairness, and compliance with data protection laws.
- Human Oversight: Where necessary, human intervention is available to review automated decisions.
- Transparency: We provide detailed explanations of the logic behind automated decision-making processes upon request.
- Data Minimization: Only the necessary personal data is used for automated decision-making.
- Secure Processing: Biometric and other sensitive data used in automated decisions are encrypted, pseudonymized, and retained only as long as necessary.
11. Privacy when Using Digital Assets and Blockchains
11.1 Use of Blockchain Technology
Some services provided by Figure Markets Ireland utilize blockchain technology. Blockchains are decentralized, distributed ledgers designed to immutably record transactions across multiple computer systems. While this technology ensures security, transparency, and data integrity, it presents unique challenges regarding personal data protection under applicable laws, including the GDPR.
11.2 Public Nature and Immutability of Blockchain Data
11.2.1 Transparency of Public Blockchains
- Transactions recorded on public blockchains are visible to all participants of the network.
- Although blockchain data is pseudonymized by design (e.g., represented by alphanumeric addresses), it is often subject to forensic analysis. When combined with external datasets, this analysis can potentially lead to the re-identification of individuals and the exposure of personal data.
11.2.2 Immutability and Its Implications
- Blockchain transactions are immutable, meaning data recorded on the blockchain cannot be altered or deleted.
- This ensures the security and reliability of the blockchain but also means personal data stored on it cannot be erased, modified, or withdrawn.
11.3 Impact on the Right to Erasure (GDPR Article 17)
The General Data Protection Regulation (GDPR) grants individuals the "Right to Erasure," which allows them to request the deletion of their personal data. Due to the immutable nature of blockchain technology:
11.3.1 Technical Limitations:
- Personal data recorded on the blockchain cannot be erased or modified.
- This is a fundamental feature of blockchain technology and applies to all participants, including Figure Markets Ireland.
11.3.2 Mitigation Measures:
To address these limitations, we have implemented the following measures:
- Pseudonymization: Wherever possible, personal data is pseudonymized before being recorded on the blockchain, reducing the likelihood of re-identification. Pseudonymized data, while not removable, cannot be directly linked back to an individual without additional information.
- Off-Chain Storage: Whenever feasible, we store personal data off-chain and record only necessary references (e.g., transaction hashes) on the blockchain. This allows off-chain data to be deleted or modified in response to erasure requests.
- Balancing Legal and Technical Realities: While blockchain technology inherently limits the "Right to Erasure," we work to balance GDPR compliance with blockchain's technical constraints by minimizing the storage of personal data on-chain and providing users with clear guidance on their rights.
11.4 Privacy Measures for Blockchain Transactions
We have adopted the following practices to mitigate privacy risks and aim to ensure compliance with applicable laws:
11.4.1 Data Minimization
- Only the minimum necessary personal data is recorded on the blockchain.
- Sensitive personal data is processed and stored off-chain whenever possible.
11.4.2 Pseudonymization and Anonymization
- Personal data is pseudonymized before being added to the blockchain to minimize the risk of re-identification.
- In certain use cases, data may be anonymized to ensure it no longer qualifies as personal data under the GDPR.
11.4.3 Transparency and Informed Consent
- Users are informed of the immutable nature of blockchain transactions before engaging in blockchain-based activities.
- Consent is obtained where necessary, particularly when special category data is involved.
11.4.4 Off-Chain Processing Solutions
- We prioritize the use of off-chain storage solutions for personal data, enabling greater flexibility for data modification and deletion. Biometric data processed off-chain will be subject to GDPR rights, including erasure. Data recorded directly on the blockchain cannot be erased due to its immutable nature.
- Only references or transactional metadata are stored on the blockchain to ensure compliance with GDPR where possible.
11.5 User Responsibilities
As a user of blockchain services, it is important to:
- Understand that data recorded on a blockchain is immutable and cannot be deleted or modified.
- Exercise caution when sharing personal data in transactions that will be recorded on the blockchain.
- Use pseudonymous accounts or wallets to protect your privacy.
12. Our Products and Services are not available to Children
Our products and services are designed exclusively for individuals aged 18 and older and are not directed at persons under the age of 18 (herein, “Children” or “Child”). We do not knowingly collect, process, or store personal data from children.
12.1 Our Policy on Children’s Data
12.1.1 No Intentional Collection
- We do not knowingly collect personal data from individuals under the age of 18.
- If you are under the age of 18, you are prohibited from accessing or using our products and services.
12.1.2 Remedial Actions for Inadvertent Data Collection
- If we become aware that we have inadvertently collected personal data from a child, we will take legally permissible measures to remove the data from our records promptly.
- Any accounts created by individuals under the age of 18 will be terminated immediately upon discovery.
12.2 Parental or Guardian Responsibilities
If you are a parent or guardian and become aware that a child has provided personal data to us, we encourage you to contact us promptly at dpo@xpertdpo.com. Upon verification, we will:
- Remove the personal data of the child from our systems.
- Ensure that the child’s access to our products and services is permanently revoked.
13. Data Security
We are committed to protecting your personal data and have implemented robust security measures to prevent unauthorized access, use, loss, alteration, or disclosure. These measures are designed to ensure the confidentiality, integrity, and availability of your data, aligning with GDPR requirements and industry best practices.
13.1 Our Security Measures
13.1.1 Organizational Measures
- Regular staff training on data protection, security protocols, and GDPR compliance.
- Development and enforcement of internal policies to ensure consistent data handling practices.
- Designation of a Data Protection Officer (DPO) to oversee compliance and address security concerns.
13.1.2 Technical Measures
- Encryption of personal data (including biometric data) both at rest and in transit to protect against unauthorized access.
- Implementation of access controls, ensuring data is only accessible to authorized personnel with a legitimate business need.
- Use of pseudonymization and anonymization techniques where appropriate to minimize data identifiability.
- Deployment of firewalls, intrusion detection systems, and other advanced security technologies to protect against cyber threats.
13.1.3 Physical Measures
- Secure data centers with restricted physical access.
- Redundant power supplies and disaster recovery protocols to ensure uninterrupted service.
13.1.4 Resilience and Backups
- Regular system backups to secure the availability of personal data in case of technical failure or disaster.
- Routine testing of backup and disaster recovery procedures to ensure operational readiness.
13.2 Monitoring and Detection
To maintain the security of our systems and data:
- We monitor all internet communications, including web and email traffic, into and out of our domains.
- Suspicious activities, such as unauthorized access attempts, are promptly flagged and investigated to prevent or mitigate breaches.
13.3 Data Breach Response
We have established procedures to detect, report, and respond to data breaches:
13.3.1 Detection: Continuous monitoring of systems for potential vulnerabilities or unauthorized access.
13.3.2 Containment and Mitigation: Immediate measures to contain and limit the impact of a breach.
13.3.3 Notification: Where legally required, we will:
- Notify affected individuals without undue delay, providing clear guidance on protective measures.
- Notify the relevant data protection authority, such as the Data Protection Commission (DPC) or the UK Information Commissioner’s Office (ICO), within the statutory timeframes.
13.3.4 Post-Breach Review: Conducting root cause analysis and implementing measures to prevent recurrence.
13.4 Security for Biometric Data
Special attention is given to the protection of biometric data:
- Biometric data is encrypted at collection, during storage, and in transit.
- Access to biometric data is strictly limited to authorized personnel with appropriate training.
- Biometric data is stored only for as long as necessary and securely deleted when no longer required.
13.5 Commitment to Ongoing Improvement
We conduct regular security audits, vulnerability assessments, and penetration testing to evaluate and strengthen our security posture. Our security measures are continually updated to address emerging threats and align with industry standards and regulatory requirements.
14. Updates to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, legal or regulatory requirements, or advancements in technology. When updates are made, we will ensure transparency and provide appropriate notification of changes.
14.1 How We Notify You of Changes
14.1.1 Significant Changes:
If the updates include significant changes to how we process your personal data (e.g., introducing new processing purposes, updating the legal bases, or collecting new categories of personal data), we will notify you directly via email and/or through prominent in-app or website notifications.
14.1.2 Routine Updates:
For minor updates (e.g., clarifications or adjustments to ensure compliance with new regulations), we will update this Privacy Notice on our website and indicate the date of the most recent revision.
14.1.3 Effective Date of Changes:
Updates to this Privacy Notice will take effect upon publication unless otherwise specified.
14.1.4 Review and Acknowledgment:
For significant changes, where required by law, we may seek your acknowledgment or explicit consent before the updates apply to your data.
14.2 Staying Informed
We encourage you to review this Privacy Notice periodically to stay informed about how we protect your data. The latest version of the Privacy Notice is always accessible via our website or app.
Last Update
This EEA & UK Privacy Notice was last updated in November 2024.
Contact Information
For questions, concerns, or to exercise your rights, please contact our DPO:
Email: DPO@xpertdpo.com