Last Update: 28 July 2020
We take privacy very seriously and have incorporated the fight against data privacy attacks and security breaches into the business model of XMR.to (the “Platform”). We are true believers in the principle that good technology products should not come at the sacrifice of your privacy and security, and we have designed the Platform as much as possible to enable a 1st class service without retaining your personal information, as the term is understood under the GDPR (“personal information”).
This Policy also helps us in complying with our applicable global data privacy laws, including the EU General Data Protection Regulation (the “GDPR”).
Who we are
This website is operated by 5atech Ltd, a company registered in Bulgaria under UIC number: 206147710, and the following address: 4 Iskar Street, Sofia 1000, Bulgaria (“We”, “we”, “our”, “ourselves” or “us”).
We use and are responsible for the limited personal information we collect about you. If you are located in the European Union including the United Kingdom when we do so, then we are regulated under the GDPR which applies across the European Union (including in the United Kingdom), and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
Throughout our website we may link to other websites owned and operated by certain trusted third parties to make additional products available to you. These other third party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other third party websites, please consult their privacy policies as appropriate.
Our collection and use of your personal information
We collect limited personal information about you directly when you carry out a transaction (“Transaction Event”), contact our customer service with a general query/request and provide us with your personal information (“General Contact Event”), or contact us and provide us with your personal information with a GDPR Request (as defined below); and indirectly when we carry out checks and monitoring to tackle anti-money laundering, anti-terrorist financing, anti-fraud and general risk mitigation, which also assists us in complying with our regulatory requirements, as further detailed below (“Regulatory Checks”).
The following details the only personal information we collect about you (each and collectively your “Protected Data”):
We use your Protected Data to:
This website is not intended for use by children and we do not knowingly collect or use personal information relating to children.
Our legal basis for processing your personal information
When we use your Protected Data we are required to have a legal basis for doing so. There are various different legal bases upon which we may rely, depending on what Protected Data we process and why.
The legal bases we may rely on include:
So, to sum up:
In every General Contact Event, we process your Contact Details if you provide them to enable our Customer Service function, on the legal basis of the Contract (i.e. the Terms) of the Platform;
In every Transaction Event we process a Bitcoin address to enable Transaction Processing, on the legal basis of the Contract (i.e. the Terms) of the Platform; and
During Regulatory Checks, and when you provide Regulatory Information, we may process your Regulatory Information and Indirect Regulatory Information to enable Regulatory Compliance on the legal basis of our Legal Obligation.
In every GDPR Request, we process your GDPR Request Details to enable GDPR Request Processing on the legal basis of our Legal Obligation.
Who we share your personal information with
As part of our Regulatory Compliance:
Other than law enforcement or other authorities if required by applicable law, we do not share your Protected Data with any other third parties!
Whether personal information has to be provided by you, and if so why
We require you to provide:
We do not require you to provide your Contact Details to use the Platform. However, if you do provide us your Contact Details when contacting our Customer Service function, then in accordance with section 1.6 of the terms and conditions of the Platform accessible here: https://xmr.to/privacy-policy (the “Terms”), we will process your request; the extent of such processing shall be determined by us in our absolute discretion.
The impact of our use of your personal information
We do not otherwise transfer your personal information outside the EEA.
Also, we implement internal safeguards (see ‘Keeping your information secure’ below) and have designed the Platform to obtain as little personal information as possible, to heavily reduce the gravity of any losses that can occur via a data breach (see ‘Data protection by design’ and ‘Data protection by default’ below).
Data protection by design
‘Data protection by design’ is an approach to ensure privacy and data protection issues are considered at the design phase of any system, service, product or process and then throughout the lifecycle. The Platform:
In deciding what measures are appropriate, we have taken into account the state of the art and the cost of implementation. We have also taken account of the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for your rights and freedoms. This approach has given us the freedom to determine the best approach on how to comply with data protection principles.
Data protection by default
Under principles of ‘Data protection by default’ we implement appropriate technical and organisational measures to ensure that, by default, your personal information is only processed as necessary to achieve a specific purpose. Under this requirement we:
Cookies and similar technologies
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to (each and collectively “GDPR Rights”):
If you would like to exercise any of your GDPR Rights, please (each request a “GDPR Request”):
Keeping your personal information secure
We have appropriate security measures in place to prevent your Protected Data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your Protected Data to those who have a genuine business need to know it. Those processing your Protected Data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.
This Policy was published on 20190507 and last updated on Jan 08, 2020.
How to contact us
Please contact us via email at firstname.lastname@example.org, if you have any questions about this Policy or the Protected Data we hold about you.