- Introduction
With this policy Cryptosmart S.r.l., with registered office in 06134 Perugia (PG), Strada Canneto Sant’Angelo n. 5, C.F. and registration number with the Companies’ Register of Perugia no. 03775010543 (hereinafter, the “Company” or “Cryptosmart” or the “DataController“), as the owner of the processing of personal data, intends to provide, in a transparent and detailed manner, the information in relation to the personal data of users that the Company collects, the methods of processing and the entities to which the same are transferred, as well as the precautions taken to protect such data and the rights due to users.
This notice is prepared in compliance with the provisions of the EU Regulation 2016/679 (the “GDPR“) and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 (jointly, the “Privacy Regulations“). Regarding the meaning of terms used in this policy with a capital letter and which are not defined within it, please refer to the definitions of GDPR.
For any questions regarding this policy, the Owner may be contacted at the following email address: privacy@cryptosmart.it.
- Scope of application
Cryptosmart offers, through its website (www.cryptosmart.it)(the “Site“) and its app for smartphones (the “App” and, jointly with the Site, the “Platform“), the following services (collectively, the “Services“):
- services for exchanging and converting virtual currencies into currencies having legal tender status (or vice versa), or virtual currencies into other virtual currencies;
- services related to information technology activities based on cryptography and blockchain technology, such as but not limited to staking services;
- services related to the business of safeguarding and/or custody of private cryptographic keys of virtual currencies, as well as virtual currency custody services on behalf of and for third parties; and
- management services of infrastructure, resources and applications of an IT nature functional with respect to the provision of services and settlement of the above transactions.
This policy applies to all users who use the Services, Platform, Apps and/or interact in any other way with Cryptosmart and/or technologies related to the Platform (e.g., business partners, stakeholders, service providers, APIs, etc.).
Please note that the Services are not intended for persons under the age of 18. Only persons of legal age may use the Cryptosmart Services and register a account within the Platform. Therefore, the Company does not intentionally collect personal data from underage individuals. If the aforementioned restriction is not observed, Cryptosmart will not register, process, and otherwise immediately delete and/or erase personal data received from minor subjects.
With reference to the processing of personal data through cookies and similar technologies, please refer to the cookie policy.
- Personal Data Subject to Processing
The personal data received from the user (the “Personal Data“) is processed by the Company for the purpose of establishing the business relationship and using the Platform and the related Services offered. In addition, Personal Data received from credit agencies, debtor lists, business analytics providers, public registries, third-party providers of anti-money laundering services (by way of example only, Consap S.p.A.) and from publicly accessible sources (e.g., business registries, association registries, land registries, media, sanctions lists) may also be processed by the Controller.
When using the Cryptosmart Services or interacting with the Platform, the following Personal Data may be processed:
- Contact Information: when the user registers a new account on the Platform, Cryptosmart may process the following Personal Data:
- if natural person: first name, last name, social security number, date of birth, residential address, telephone number, e-mail, date of birth, photo of the user;
- if legal person: name, registered office, tax code.
- Data for adequate verification: for the purpose of adequate verification of the user under the anti-money laundering regulations, depending on the activities actually carried out by the Company, one or more of the following Personal Data may be required: copy of a valid identification document (passport, driver’s license, ID card); copy of documents proving “contact information” (by way of example only, data from a utility bill in the user’s name for verification of the relevant residence, data on the status of politically exposed persons, video data for the execution of the user’s remote identification and authentication procedure, biometric verification data, etc.).
- Financial Data: in the course of using the Services and with specific reference to cryptocurrency buying and selling transactions, Cryptosmart may collect and process one or more of the following Personal Data of the user: bank details (IBAN, BIC), payment service provider information, payment data, transaction ID.
- Log data: when using the Site, Cryptosmart will collect and process one or more of the following User Personal Data: iP address, transaction data, deposit and withdrawal address of legal tender and/or cryptocurrencies, information about the computer or mobile device used, frequency of use of the Site, time of use of the Site, operating system, browser type, type of device used, unique device identification number, identification cookies, optional forms data, crash reports, performance data, third-party cookies.
- Mobile App Data: when using the App, Cryptosmart will collect and process one or more of the following User Personal Data: iP address, transaction data, deposit and withdrawal address of legal tender and/or cryptocurrencies, information about the mobile device used, frequency of App use, time of App use, operating system, browser type, type of device used, unique device identification number, form data, crash reports, performance data, and, only on the condition that the user has previously given his/her consent, data from: camera, microphone, device memory, phone (reading SMS confirmation).
- Company Information: if the user is an entity other than a natural person, Cryptosmart will record and process one or more of the following Personal Data: chamber of commerce visas, data relating to or concerning beneficial owners, data or additional information on recent, past or planned business activities, other data necessary to determine/confirm the company structure, beneficial owner or any outstanding powers of attorney related to the company.
- Details and proof of availability of funds: if it is necessary to resort to proof of availability of funds, Cryptosmart may record and process one or more of the following Personal Data: bank account statements or any other information provided by banks or financial institutions, sales contracts or other types of contracts, or any other data suitable for proving or determining the origin of the funds used by you as part of the Services.
- Information about the use of the Services or volume of activity: in order to determine the customer’s purpose in connection with the use of the Services or in connection with the volume of cryptocurrency trading, Cryptosmart may need to record and process additional information in connection with the user’s recent, past or planned business or personal activities, or other data to determine the user’s intentions.
- Support Requests: if you use our support service, Cryptosmart will record and process one or more of the following Personal Data: the Personal Data provided to the support team or transmitted to any other Cryptosmart employee and/or contractor.
- Marketing Data: when visiting the Website or the social media pages of Cryptosmart (by way of example only, the Facebookfanpage ) or while using the App, Cryptosmart will record and process one or more of the following statistical and marketing data: number of visitors, frequency of use, clicks made, time of use, geographical location from which access is made, target groups, data from cookies and similar technologies (Pixel, ClearGIF, etc.), user(s) behavior, user(s) interests and preferences, market research and survey data on target groups.
- Photo, video and audio data: in the case of participation in or organization of events or fairs or interviews with people by Cryptosmart, photos may be taken and other forms of recording of such events may be made, and therefore photo, video and audio data may also be subject to recording and processing by Cryptosmart. However, the user will be informed in advance through specific and separate information in relation to the recording and processing of the aforementioned Personal Data of the user.
- Application Data: if the user and/or another individual applies for a job offer on the website or through LinkedIn, one or more of the following data necessary for the hiring process may be subject to registration and processing: contact data, resume, personal qualifications, criminal record, credit report, copies of identification documents (such as passport, driver’s license, ID), links to the portfolio or social media platforms.
Cryptosmart generally does not process special categories of Personal Data within the meaning of Art. 9, co. Del GDPR of Customers.
In addition to personal identification data (screenshots of identity documents and related identification data, residence, status of politically exposed persons, video data, etc.), biometric data (personal data resulting from specific technical processing in relation to the physical, physiological or behavioral characteristics of a person and allowing the unambiguous identification of a person, by way of example, facial images, fingerprints) may also be collected. Such processing of biometric data is carried out exclusively on the basis of the user’s explicit consent, which can be revoked at any time.
Biometric data will be processed exclusively by our data controller Massimo Zamporlini in order to carry out the process of adequate user verification.
- Purposes of processing
In general, your Personal Data is collected to enable the Data Controller to provide the Services, fulfill legal obligations, respond to requests or enforcement actions, protect your rights and interests (or those of other users or third parties), detect any malicious or fraudulent activities, as well as for the following purposes:
- registration of the user to the Platform and creation of the user’s personal area for the purpose of access to the Services as well as to the processing, categorization, statistics and analysis carried out by Cryptosmart;
- activities related to pre-contractual information and any further activities instrumental to the signing and execution of the contract with third party operators, including the activation of products and services offered by such operators;
- periodically notifying the user about tariffs; responding to user requests for assistance or information; fulfilling legislative or regulatory obligations (e.g., of a tax nature);
- performing tests related to internet connection speed (“_speed internet test_”);
- sending commercial communications and newsletters, as described below, only with your express consent; and
- profiling and statistics, as described below, solely with the express consent of the user.
Any use of cookies – or other tracking tools – by Cryptosmart, unless otherwise specified, is for the purpose of providing the Services as used by you from time to time, in addition to the additional purposes described in this Policy and in Cryptosmart’s cookie policy .
Should Cryptosmart ask the user to provide additional Personal Data not included among those above, the Company will inform the user, at the same time as the request, what data it needs, what is the purpose of the processing and the legal basis(s) in connection with such request.
- Legal basis(s) of the processing
Cryptosmart will process the user’s Personal Data in compliance with the provisions of the Privacy Policy under the following legal basis(s):
- insofar as the Personal Data is necessary for the performance of the general terms and conditions of the Services entered into between the user and Cryptosmart; and/or
- if the Personal Data is subject to profiling, based on the express written consent of the user; and/or if the Personal Data is subject to processing for marketing direct purposes as described below, based on the express written consent of the user; and/or
- where the user has given consent for one or more specific purposes; and/or
- because the Personal Data is necessary for the performance of a task of public interest or for the exercise of public authority vested in the Data Controller; and/or
- processing is necessary for the pursuit of the legitimate interest of the Controller or third parties; and/or
- for the purpose of fulfilling legal obligations to which the Controller is subject.
In any case, it is always possible to request the Data Controller to clarify the concrete legal basis of each processing and in particular to specify whether the processing (i) takes place on the basis of the provisions of the Privacy Legislation and/or other applicable laws and regulations, (ii) is required by a contract or necessary to conclude a contract.
Detailed information is provided below in relation to the legal basis(s) underlying the processing of Personal Data in the context of the use of the Platform and/or in case of communication with Cryptosmart:
For the fulfillment of contractual obligations (Art. 6, para. 1, par. b, GDPR):
The processing of Personal Data may be necessary for the performance of contractual conditions entered into with the user or for the performance of pre-contractual measures taken at the user’s request. The following Personal Data processing operations fall within the scope of the performance of contractual obligations:
- general performance of the Services, all actions necessary for the operation, performance and administration of Cryptosmart and its Platform;
- account management (e.g., continuous updating of user data);
- execution of user orders (e.g., payment processing, chargebacks, proof of purchase and sale);
- user requests for assistance and support (e.g., in case of complications, Help Desk function;
- video authentication procedure to register a account in the Platform (identity verification);
- analysis and improvement of the quality of the Platform and overall user experience (e.g., performance monitoring on the Platform);
- implementation of data security and cybersecurity on the Site and safeguarding the Company’s network (by way of example, to prevent identity theft and irregular or suspicious access to the Company’s websites);
- processing of the App;
- procedure for hiring new employees.
For the fulfillment of legal obligations (Art. 6, co. 1, par. c, GDPR):
Processing of Personal Data may also be necessary for the fulfillment of various legal obligations. The following Personal Data processing operations fall within the scope of fulfilling legal obligations:
- contract management, accounting and billing;
- compliance and risk management;
- know-your-customer measures such as video authentication process (identity verification) and proof of funds availability;
- monitoring to prevent fraud, abuse (e.g., for illegal purposes), money laundering, and terrorist financing;
- providing information to criminal tax authorities as part of a tax prosecution or criminal prosecution in accordance with requests from the competent authorities;
- consultation with credit agencies to determine creditworthiness and insolvency risks.
To protect legitimate interests (Art. 6(1)(f) GDPR):
Where necessary, the processing of Personal Data may also take place after the validity of the general terms and conditions entered into with the user, in order to protect the legitimate interests of Cryptosmart or third parties. The following Personal Data processing operations are carried out on the basis of legitimate interest:
- prevention of fraud, abuse (e.g., for illegal purposes), money laundering, and terrorist financing;
- risk management and risk minimization, e.g., through inquiries to credit agencies, debtor lists, or business analysis providers;
- identification and examination of instances of potentially irregular or suspicious activity and access to the Company’s websites (e.g., website analysis using Sift Science);
- transmission of data within Cryptosmart or companies that may be part of the relevant group for internal administrative purposes;
- account management and handling of general user inquiries and requests;
- measures to protect our users and partners, as well as to safeguard network and information security; in addition to these are measures to protect our employees, users and Cryptosmart’s property, for example through video surveillance and information provided by data center and external service providers;
- processing of requests from authorities, lawyers, collection agencies in the course of legal proceedings and execution of legal requests in the course of legal proceedings;
- market research, business management and continuous development of services and products;
- processing of statistical data, performance data and market research data through the Site, App or social platforms (e.g., Facebook, Instagram, LinkedIn, YouTube, etc.);
- processing of user preferences (e.g., language, region) via cookies on our Site (see also our cookie policy);
- directmarketing and advertising (e.g., execution of marketing strategies, targeting users, sending vouchers, advertising by Cryptosmart and its partner companies);
- use of audio, video, and photographic data from public spaces (e.g., public events, trade shows, etc.) for marketing and other representative purposes on our social channels or website.
In accordance with the user’s consent (Art. 6, co. 1, para. a, GDPR):
Personal Data will be processed only in accordance with the defined purposes and to the extent agreed upon when the user gives consent. You may revoke your consent at any time without giving reasons and with future effect if you no longer agree with the processing of Personal Data carried out by Cryptosmart. Based on the user’s consent, Cryptosmart will process Personal Data for the following purposes:
- use of some of the features of the App (e.g., permission to access the phone for reading SMS confirmation text messages, the camera for scanning barcodes, the microphone for commands, etc.);
- directmarketing and advertising (by way of example, surveys concerning user satisfaction, newsletters, sweepstakes and other advertising communications);
- transfer of Personal Data to third parties;
- site analytics and tracking (for a more extensive disclosure please see the cookie policy;
- use of certain audio, video and photographic data (e.g., advertising, interviews, etc.) for marketing and other representative purposes through various channels,
Please note that revocation of consent will only take effect pro futuro, i.e. the lawfulness of the processing carried out by Cryptosmart on the basis of the user’s consent prior to its revocation is not affected.
- Consequences of non-disclosure of Personal Data
Failure to provide the User’s Personal Data in the manner specified in this Policy will prevent the Data Controller from proceeding to ‘user identification and registration to the Platform, making it impossible to provide the Services.
Furthermore, please consider that the revocation of one or more permissions and/or consents, not given and/or revoked to third parties and/or partners, may have consequences on the proper functioning and/or the possibility to deliver the Services.
- Retention of data
The User’s Personal Data, subject to processing for the above-mentioned purposes, will be retained for a period not exceeding 10 years from the date on which the general conditions stipulated between the User and Cryptosmart (including any renewal thereof) cease to be effective and, thereafter, for the period of time that the Data Controller is subject to retention obligations for tax purposes or for other purposes provided for by the regulations in force.
At the end of the retention period, the Personal Data will be deleted. Therefore, at the expiration of this period the right of access, deletion, rectification and the right to portability of the User’s Personal Data can no longer be exercised.
The User’s Personal Data will be stored by means of paper and computer archives, including portable devices, taking appropriate measures to ensure their security and to limit access to them only to personnel authorized by the Data Controller and within the strict scope of the purposes stated above.
- Disclosure of data to third parties
Cryptosmart transmits Users’ Personal Data only in the manner described below or if it is required by law at the time of data collection.
Transfer of data within Cryptosmart or to third parties
User Personal Data may be disclosed to the following third parties:
- consultants, accountants or lawyers providing services functional or related to the execution of the general conditions governing the Services;
- banking and insurance institutions that provide services functional or related to the execution of the aforementioned general conditions;
- judicial or administrative authorities, for the fulfillment of legal obligations.
Within Cryptosmart, those offices or employees who need it to fulfill contractual and legal obligations and legitimate interests will receive your Personal Data. The Company transfers Personal Data for the purpose of related day-to-day business operations, such asaccount management and other operations requested by you, as well as to carry out internal administrative activities in an efficient and shared manner and to maintain and improve our products and services.
To a limited extent, the Company also transmits personal information to data processors who perform any services on behalf of Cryptosmart, such as IT services, customer support, improvement of our Site, databases for the implementation of the customer due diligence procedure; execution of contracts, account management, accounting, billing, examination of irregular or suspicious business cases, application management, and sending newsletters. The data processors may use or disclose this data only to the extent necessary to perform the services required by the Company or to comply with legal regulations. The above processors are contractually obligated to ensure the confidentiality and security of your Personal Data.
The Company may also need to transfer your Personal Data (i) if required to do so by law or in the context of a legal proceeding, (ii) if it believes that disclosure is necessary to prevent damage or financial loss, (iii) in connection with an investigation of suspected or actual fraudulent or illegal activity, or (iv) at the request of competent authorities including for the purpose of complying with anti-money laundering obligations.
Transfer of data to third parties other than those mentioned above
If Cryptosmart acts together with other entities as a co-processor, the Company will provide such entities with Personal Data, where applicable, based on at least one of the legal bases listed above. In the case of co-processing, Personal Data will be transferred only on the basis of an agreement with our partners (Article 26 of the GDPR).
Cryptosmart may transfer Personal Data to other parties only with your consent to the disclosure or for the purpose of fulfilling a contract or for the performance of pre-contractual measures taken at your request.
Place of processing of Personal Data and countries outside the EU
User’s Personal Data will be processed and stored on servers located in the territory of the European Union. If for technical and/or operational issues it becomes necessary to use entities located outside the European Union, or it becomes necessary to transfer some of the collected data to technical systems and services of third parties operated in cloud and/or located outside the European Union area, the processing will be regulated in accordance with the provisions of Chapter V of the GDPR. Therefore, all necessary precautions will be taken in order to ensure the fullest protection of Personal Data by basing such transfer: a) on adequacy decisions of the third country recipients expressed by the European Commission (Article 45 of the GDPR); b) on adequate safeguards expressed by the third party recipient (Article 46 of the GDPR); c) on the adoption of bindingcorporate rules, cd. corporate binding rules (Article 47 of the GDPR).
In addition to the provisions of this Privacy Policy, such data may be processed in countries outside the European Union, provided that an adequate level of protection is guaranteed, as recognized by a specific adequacy decision of the European Commission. Any transfers of your Personal Data to countries outside the EU, in the absence of a European Commission adequacy decision, will take place exclusively under the terms and conditions set forth in contractual clauses ad hoc entered into between exporter and importer of the Personal Data (“CCS“), in accordance with European Commission Decision 2010/87/EU of February 5, 2010 (“Decision“). You may at any time request a copy of the CCS in effect from time to time by sending your request to the following email address privacy@cryptosmart.it.
In the absence of European Commission adequacy decisions or the appropriate measures described above, the transfer of Personal Data to non-EU countries will only take place with your express written consent or where otherwise permitted under the Privacy Regulations.
- Method of processing of Personal Data
The Data Controller takes appropriate security measures to prevent unauthorized access, disclosure, modification or destruction of Personal Data.
The processing is carried out by means of computer and/or telematic tools, with organizational and technological methods strictly related to the indicated purposes. In addition to the Data Controller, in some cases, other subjects involved in the organization of Cryptosmart (administrative, commercial, marketing, legal, system administrators personnel) or external subjects (such as third party technical service providers, postal couriers, hosting providers, IT companies, communication agencies) appointed, if necessary, as Data Processors by the Data Controller pursuant to the Privacy Regulations may have access to the Personal Data. The updated list of Data Processors can always be requested from the Data Controller.
- Profiling of Personal Data
Personal Data may be subject to fully automated decision-making, including profiling, only upon prior express consent, which may be freely revoked at any time.
Upon receipt of your express consent in writing, Cryptosmart may proceed to profile you using your Personal Data for the sole purpose of improving its Services by identifying and selecting homogeneous groups of users.
- Rights of the data subject
The rights granted to users by the GDPR include those of:
- request and obtain from the Data Controller access to your Personal Data;
- request and obtain from the Data Controller the rectification of their Personal Data that is inaccurate or the integration of their Personal Data that is incomplete under the terms and conditions set forth in Article 16 of the GDPR;
- request and obtain from the Data Controller the deletion of their Personal Data, upon the occurrence of any of the conditions set forth in Article 17(1) of the GDPR and in accordance with the exceptions set forth in paragraph 3 of the same Article;
- request and obtain from the Data Controller the restriction of the processing of their Personal Data under the terms and conditions set forth in Article 18(1) of the GDPR;
- request and obtain from the Data Controller your Personal Data in a structured, machine-readable format, including for the purpose of communicating such data to another data controller (so-called right to personal data portability) under the terms and conditions set forth in Article 20 of the GDPR;
- object at any time to the processing of your Personal Data under the terms and conditions set forth in Article 21 of the GDPR; lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) or other supervisory authority, if competent.
- Manifestation and revocation of consent
By checking the respective box during the registration process or in case of an update after logging into your Cryptosmart account, you expressly confirm that you have read this policy and agree to the processing of your data as described in it.
By checking the respective separate box for news and e-mail updates (newsletters), the user expressly agrees to receive e-mail messages as described in this policy.
Users have the right to revoke their consent at any time by sending a registered letter with return receipt to Cryptosmart S.r.l., with registered office in 06134 Perugia (PG), Strada Canneto Sant’Angelo n. 5, C.F. and registration number with the Registrar of Companies of Perugia n. 03775010543, or via PEC at cryptosmart@pec.it. It is important to note that if consent is revoked, the Company may no longer be able to provide all of its Services. The objection does not affect the lawfulness of the processing of personal data based on legitimate interests prior to the objection.
- Ways of exercising rights
In order to exercise the aforementioned rights, the user may address a request to the contact details of the Controller indicated in this policy. Requests are submitted free of charge and processed by the Controller as soon as possible, in any case within 30 days.
- Persons in charge of the processing
The updated list of data processors is kept at the Controller’s office and the user may make a request at any time by submitting a request to the Controller’s contact details indicated in this policy.
- Cookie Policy
Cryptosmart makes use of tracking tools (so-called cookies). For a more extensive information, the user is invited to view and consult the cookie policy
- Changes to the policy
The Owner reserves the right to make changes to this policy at any time by sending the user a notification via the Platform as well as, when technically and legally possible, by sending a notification via one of the contact details Cryptosmart has. Therefore, please consult this page on an ongoing basis, referring to the date of last modification indicated at the end of this page.
If the changes affect the processing of Personal Data whose legal basis is consent, the Data Controller will collect the user’s consent again, if necessary.
Last updated date: 15 June 2021