Your privacy is important to us. We are committed to protecting the privacy, confidentiality, and security of the personal data we hold by complying with the requirements under applicable laws and regulations. We are equally committed to ensuring that all our employees, service providers and agents uphold these obligations.
use of any of our products, services or applications (together the “Services”);
visit or use of our websites, BOFB.com, BOFB. io and/or BankOfBitcoin.com (“Site”) or mobile application (“App”);
Please note that our Services, Site and App are not intended for minors below the age of 18 years and we do not knowingly collect data relating to minors.
The controller of your personal data is the legal entity that determines the “means” and the “purposes” of any processing activities that it carries out. When you engage us to provide services for you, we will be the “data controller” for your personal data.
This policy explains how we collect, use, process, manage and disclose personal data within our organisation.
Explaining the legal basis we rely upon to process your personal information
Data protection laws set out various grounds on which an organisation may lawfully collect and process your personal data. These include:
We can collect and process your data with your consent. For example, when we are processing sensitive or special personal data, such as information relating to your health or religious beliefs. In many circumstances, if we rely on your consent as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
In many circumstances, we require your personal data to comply with contractual obligations. For example, we collect your identity and contact information when we verify you as a new customer. If you are unable to provide such information to us, we may not be able to perform the contract we have with you or your organisation or enter into a contract with you or your organisation.
If the law requires us to, we may need to collect and process your personal data. For example, we may require your personal data to comply with anti-money laundering legislation or laws relating to the provision of legal services. If you are unable to provide such information to us, we may not be able to perform the contract we have with you or your organisation or enter into a contract with you or your organisation.
In many situations, we require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact on your rights, freedoms or interests. For example, it may be in our legitimate interests to use your personal information for marketing purposes to assist us with the growth of our business. Data protection laws do vary across the different jurisdictions in which we operate. Please contact us if you require details of the specific legal ground we are relying on to process your personal data.
Our duties and your duties in case of changes
How we collect personal data
We collect personal data about you in the following ways:
where you register for an account or to receive emails from us
when you order products or services from us
when you submit a query or request to us
when you respond to a survey that we run or fill in forms on one of our websites
by tracking your use of our websites and mobile applications
from public sources
from examination of public and private blockchains
from third parties who are entitled to disclose that information to us
when you apply for a job with us
In some cases, we may be required by law to collect certain types of personal data about you.
Where we collect personal data from you, we will generally do so ourselves. However, in some cases we may collect personal data from a third party, such as through your representatives, contractors who provide services to us, or third parties who refer you to us because they think you may be interested in our products or services.
If you refuse to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you refuse to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you – for example, to provide you Services. In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.
Kinds of personal data we collect, use, hold and disclose
The kinds of personal data that we collect, use, hold and disclose about you may include:
identifying information, such as your name and date of birth
contact information, such as your postal address, email address and telephone number
social media handles and other social media profile information that you make available to us or to the public
financial information, such as credit card, bank account or other payment details
blockchain identifiers, such as blockchain addresses and public keys
usernames and passwords that you create when registering for an account with us
details of any products or services that we provide to you
information about how you use the products and services we provide
records of our communications with you, including any messages you send us
Without this information, we may not be able to provide you with our products or services (or with all of the features and functionality offered by our products or services) or to respond to queries or requests that you submit to us.
How we use your data - Lawful basis
We will only use your personal data when the applicable legislation allows us to. In other words, we have to ensure that we have a lawful basis for such use. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: - performance of a contract: means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract; we use this basis for provision of our Services; - legitimate interests: means our interests (or those of a third party), where we make sure we use this basis as far as your interests and individual rights do not override those interests; - compliance with a legal obligation: means processing your personal data where we need to comply with a legal obligation we are subject to; - consent: means freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you; under specific circumstances this consent should be explicit – if this is the case, we will ask for it properly.
Purposes for which we collect, use and/or disclose personal data
We collect, use and/or disclose personal data about you for the following purposes: - to verify your identity when you are dealing with us - to determine your eligibility for any of our products or services - to determine your compliance with the terms and conditions that apply to any of our products or services and applicable law - to enable us to provide our products and services - to improve our website based on your information and feedback - to answer your queries and requests - to conduct identity verification “know-your-client” (KYC) processes - to comply with any applicable rules, laws or regulations, regulatory policies, industry codes of practice or guidelines, judgments, orders, notices, directions or requests issued by any court, or any administrative, governmental or regulatory body, whether in Hong Kong or otherwise, including but not limited to rules and regulations relating to anti-money laundering and countering the financing of terrorism and the carrying out of audit checks, surveillance and investigations - to carry out market analysis and research - to monitor use of our products and services - to assess, maintain, upgrade and improve our products and services - to carry out education and training programs for our staff - to manage and resolve any legal or commercial complaints or issues - to carry out planning and forecasting activities and other internal business processes - to keep you informed about our activities, including by sending out newsletters - to connect you with our users of our products and services
We may also collect, use and/or disclose your information for other purposes in accordance with your requests or instructions.
People to whom we may disclose personal data
We share your personal data with our third-party service providers, agents, subcontractors and other associated organizations, our group companies, and affiliates (as described below) in order to complete tasks and provide the Services and use of the hi Platform to you on our behalf. When using third party service providers, they are required to respect the security of your personal data and to treat it in accordance with the law.
We may share personal data about you with: - our staff who need the information to discharge their duties - related entities within our corporate group - companies and organizations that assist us in processing, verifying or refunding transactions/orders you make and in providing any of the Services that you have requested; - identity verification agencies to undertake required verification checks; - fraud or crime prevention agencies to help fight against crimes including fraud, money-laundering and terrorist financing; - anyone to whom we lawfully transfer or may transfer our rights and duties under the relevant terms and conditions governing the use of any of the Services; - any third party because of any restructure, sale or acquisition of our group or any affiliates, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us; and - regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law allows or requires us to do so.
We may also collect, use and/or disclose your information to other organisations in accordance with your requests or instructions. In some cases, the people to whom we disclose your personal information may be located overseas. Further, we may have servers located overseas.
We may from time to time use your personal data in order to send you marketing materials about products or services that we think you may be interested in (including in some cases products and services that are provided by a third party). We may not use your personal data unless we have received your consent.
There are several ways you can stop receiving direct marketing communications from us. Click the ‘unsubscribe’ or ‘opt-out’ link in any email communication that we send you, or email us at [email protected] We will then stop any further marketing related emails from us. Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated. In relation to any third-party marketing, we will get your express opt-in consent before we share your personal data with any company outside our company for any marketing purposes.
We may use your following personal data for the purpose of direct marketing: - identifying information, such as your name and date of birth - contact information, such as your postal address, email address and telephone number - products and services portfolio information and demographic data held by us from time to time
We may use your personal data to market the following products and/or services to you:
New service offerings, services that you are not yet using.
If we use your personal data in any direct marketing communications, you have the right to request that we provide you with the source of that personal data. There is no fee for requesting this information. We will provide you with the source of the personal data, unless it is impracticable or unreasonable to do so.
Please indicate your consent to receiving information relating to the above by contacting us at [[email protected]].
We may also use and disclose your information for other purposes in accordance with your requests or instructions.
The information generated by the cookie about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
Storage and security of personal data
While there is an inherent risk in any data being shared over the internet, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, damaged, or accessed in an unauthorised or unlawful way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Depending on the nature of the risks presented by the proposed processing of your personal data, we will have in place the following appropriate security measures:
organisational measures (including but not limited to staff training and policy development); technical measures (including but not limited to physical protection of data, pseudonymization and encryption); and securing ongoing availability, integrity, and accessibility (including but not limited to ensuring appropriate back-ups of personal data are held).
We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach where we are legally required to do so.
Retention of personal data
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Here are some exemplary factors which we usually consider when determining how long we need to retain your personal data:
- in the event of a complaint; - if we reasonably believe there is a prospect of litigation in respect to our relationship with you or if we consider that we need to keep information to defend possible future legal claims (e.g. email addresses and content, chats, letters will be kept up to 10 years following the end of our relationship, depending on the limitation period applicable in your country); - to comply with any applicable legal and/or regulatory requirements with respect to certain types of personal data: - - under the EU Anti-Money Laundering legislation (Anti-Money Laundering Directives) we are obliged to retain your personal data for a period of 5 years after the end of the relationship between us as a company and you as a customer; this period may be further extended in certain cases if so provided by and in accordance with the applicable legislation; the same is valid also under the anti-money laundering legislation of the UK; - - if information is needed for audit purposes and so forth; - in accordance with relevant industry standards or guidelines; - in accordance with our legitimate business need to prevent abuse of the promotions that we launch. We will retain a customer’s personal data for the time of the promotion and for a certain period after its end to prevent the appearance of abusive behaviour.
Where your data may be processed
To facilitate our global operations, we may transfer, store and process your information within our group of associated entities around the world.
For those individuals residing in the European Economic Area (EEA), this may sometimes involve the transferring of your personal information out of the EEA. Laws in these countries may differ from the laws applicable to your country of residence. Where we transfer, store and process your data outside of the EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection. This may be an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or an agreement on the basis of the EU Model Clauses (a set of clauses issued by the European Commission). Further information on these EU Model Clauses and the rights they provide to data subjects can be found on the European Commission website.
Please contact us if you require further information on the specific mechanism used by us when transferring your personal data outside of the EEA.
By using our website, providing personal data and/or using any of our products or services, you agree that:
What are your rights over your personal data?
You have a number of rights in relation to the personal data that we hold about you. These rights are subject to certain exemptions and do differ across the jurisdictions in which we operate.
Request access to the personal data we hold about you If you want to access any of the personal data that we hold about you or to correct some aspect of it (for example, because you think it is incomplete or incorrect), please contact our privacy compliance team using the contact details set out below. To protect the integrity and security of the information we hold, we may ask that you follow a defined access procedure, which may include steps to verify your identity. In certain cases we may charge you an administration fee for providing you with access to the information you have asked for, but we will inform you of this before proceeding. There may be cases where we are unable to provide the information you request, such as where it would interfere with the privacy of others or result in a breach of confidentiality. In these cases we will let you know why we cannot comply with your request.
Even if you do not request access to and/or correct your personal data held by us, if we are satisfied that, having regard to the reasons for which we hold your personal data, that personal data is inaccurate, incomplete, out-of-date, irrelevant or misleading, we may take reasonable steps to correct that information.
For EU residents, we will do this for no fee, in accordance with applicable legislation.
Right to rectification
If the information we hold about you is inaccurate, you have the right to have this information rectified.
Right to erasure / ‘Right to be forgotten*
You can ask us to delete or remove your information in certain circumstances. For EU residents, whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. In cases where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing your data for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Right to data portability
In certain circumstances, you may have the right to obtain your personal data in a structured, commonly used and machine readable format and to reuse it elsewhere or ask us to transfer it to a third party of your choice.
Right to object
In certain circumstances, you have a right to object to processing being carried out by us. Where personal data is being processed for direct marketing purposes, you have a right to object at any time
Rights in relation to automated decision-making and profiling
In certain circumstances, you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you. To protect the confidentiality of your information, we will require you to verify your identity before proceeding with any request. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
We try to meet the highest standards in order to protect your privacy. However, if you are concerned about the way in which we are managing your personal data and think we may have breached any applicable privacy laws, or any other relevant obligation, please contact our privacy compliance team using the contact details set out below. We will make a record of your complaint and refer it to our internal complaint resolution department for further investigation. We will deal with the matter as soon as we can, and keep you informed of the progress of our investigation.
If you want any further information from us on privacy matters, please contact our privacy compliance team at [email protected]