Privacy Policy

Last Update: 28 July 2020

We take privacy very seriously and have incorporated into the business model of XMR.to (the “Platform”), the fight against data privacy attacks and security breaches. We are true believers in the principle that good technology products should not come at the sacrifice of your privacy and security and have designed the Platform as much as possible to enable a 1st class service without retaining your personal information, as the term is understood under the GDPR (“personal information”).

As use of the Platform can involve our obtainment of some of your personal information (not least because of the broad scope of the definition of personal data under the GDPR), we ask that you read this website privacy policy (the “Policy”) carefully as it contains important information on who we are, how and why we collect, store, use and share the limited personal information we do collect, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

This Policy also helps us in complying with our applicable global data privacy laws, including the EU General Data Protection Regulation (the “GDPR”).

Who we are

This website is operated by 5atech Ltd, a company registered in Bulgaria under UIC number: 206147710, and the following address: 4 Iskar Street, Sofia 1000, Bulgaria (“We”, “we”, “our ”, “ourselves” or “us”).

We  use and are responsible for the limited personal information we collect about you. If you are located in the European Union including the United Kingdom when we do so, then we are regulated under the GDPR which applies across the European Union (including in the United Kingdom), and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Our website

This privacy policy relates to your use of our website, XMR.to only (the “Platform”).

Throughout our website we may link to other websites owned and operated by certain trusted third parties to make additional products available to you. These other third party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other third party websites, please consult their privacy policies as appropriate.

Our collection and use of your personal information

We collect limited personal information about you directly when you carry out a transaction (“Transaction Event”), contact our customer service with a general query/request and provide us with your personal information (“General Contact Event), or contact us and provide us with your personal information with a GDPR Request (as defined below)h; and indirectly when we carry out checks and monitoring to tackle anti-money laundering, anti-terrorist financing, anti-fraud and general risk mitigation, which also assists us in complying with our regulatory requirements, as further detailed below (“Regulatory Checks”).

The following details the only personal information we collect about you (each and collectively your “Protected Data”):

We use your Protected Data to:

This website is not intended for use by children and we do not knowingly collect or use personal information relating to children.

Our legal basis for processing your personal information

When we use your Protected Data we are required to have a legal basis for doing so. There are various different legal bases upon which we may rely, depending on what Protected Data we process and why.

The legal bases we may rely on include:

Overview

So, to sum up:

In every General Contact Event, we process your Contact Details if you provide them to enable our Customer Service function, on the legal basis of the Contract (i.e. the Terms) of the Platform;

In every Transaction Event we process a Bitcoin address to enable Transaction Processing, on the legal basis of the Contract (i.e. the Terms) of the Platform; and

During Regulatory Checks, and when you provide Regulatory Information, we may process your Regulatory Information and Indirect Regulatory Information to enable Regulatory Compliance on the legal basis of our Legal Obligation.

In every GDPR Request, we process your GDPR Request Details to enable GDPR Request Processing on the legal basis of our Legal Obligation.

Who we share your personal information with

As part of our Regulatory Compliance:

Other than law enforcement or other authorities if required by applicable law, we do not share your Protected Data with any other third parties!

Whether personal information has to be provided by you, and if so why

We require you to provide:

We do not require you to provide your Contact Details to use the Platform, however if you do provide us your Contact Details when contacting our Customer Service function, then in accordance with section 1.6 of the terms and conditions of the Platform accessible here: https://xmr.to/privacy-policy (the “Terms”), we will process your request, however the extent of such processing shall be determined by us in our absolute discretion.

The impact of our use of your personal information

We do not otherwise transfer your personal information outside the EEA.

Also, we implement internal safeguards (see ‘Keeping your information secure’ below); and have designed the Platform to obtain as little personal information as possible, to essentially heavily reduce the gravity of any losses that can occur via a data breach (see ‘Data protection by design’ and ‘Data protection by default’ below).

Data protection by design 

‘Data protection by design’ is an approach to ensure privacy and data protection issues are considered at the design phase of any system, service, product or process and then throughout the lifecycle. The Platform: 

  1. implements appropriate technical and organisational measures designed to implement the data protection principles; and
  2. integrates necessary safeguards to meet GDPR and other data protection requirements and protect your rights.

In deciding what measures are appropriate, we have taken into account the state of the art and the cost of implementation. We have also taken account of the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for your rights and freedoms. This approach has given us the freedom to determine the best approach on how to comply with data protection principles.

Data protection by default

Under principles of ‘Data protection by default’ we implement appropriate technical and organisational measures to ensure that, by default, your personal information is only processed as necessary to achieve a specific purpose. Under this requirement we:

  1. minimise the amount of personal information collected, the extent of the processing carried out on your Protected Data, who can access your Protected Data and the period of storage; and    
  2. ensure that your Protected Data is not made accessible without your intervention to an indefinite number of natural persons.

Cookies and similar technologies

A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our Platform. We use cookies on the Platform, however our cookies do not process any of your personal information.

For further information on our use of cookies, please see our ‘Cookie Policy’ https://xmr.to/cookie-policy.

Your rights

Under the GDPR you have a number of important rights free of charge. In summary, those include rights to (each and collectively “GDPR Rights”) :

If you would like to exercise any of your GDPR Rights, please (each request a “GDPR Request”):

Keeping your personal information secure

We have appropriate security measures in place to prevent your Protected Data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your Protected Data to those who have a genuine business need to know it. Those processing your Protected Data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.

Changes to this website privacy policy

This Policy was published on 20190507 and last updated on Jan 08, 2020.

We may change this website privacy policy from time to time, when we do we will inform you via a notice on the Platform or an email to the email address you provided.

How to contact us

Please contact us via email at customerservice@5atech.io, if you have any questions about this Policy or the Protected Data we hold about you.