Last updated: 30 November, 2023
Ceffu (“Ceffu”, “we”, or “us”) is committed to protecting the privacy of our customers, and we take our data protection responsibilities seriously.
We provide Institutional Digital Asset Infrastructure to our Business Customers to enable their end-users to access digital asset custody services (“Services”). This Privacy Notice describes the Personal Data that we collect, use, and share about you when you explore, sign up or access Ceffu websites and applications, how it is used, when and how it is shared, the rights and choices that you have, and how you can contact us about our privacy practices. This Privacy Notice also outlines your data subject rights, including the right that you have to object to certain uses of your Personal Data.
This Privacy Notice applies to all Personal Data processing activities carried out by us, across our platform websites and departments. We are a platform that provides Institutional Digital Asset Infrastructure Custody Services, and in order to provide our Services to our Business Customers, we collect and process personal data. Business Customers are entities which directly and indirectly directs its users to Ceffu in connection with its business and activities. End Customers are those customers that are leveraging services directly from Ceffu.
To the extent that you are not a relevant stakeholder, customer or user of our Services, but are using our website, this Privacy Notice also applies to you together with our Cookie Notice.
This Notice should therefore be read together with our Cookie Notice, which provides further details on our use of cookies on the website. Our Cookie Notice can be accessed here.
1. What personal data does Ceffu collect and process?
Personal Data means any information that relates to an identified or identifiable individual, and can include information that you provide to us and that we collect about you, such as when you engage with our websites (e.g. device information, IP address).
Personal Data You Provide to Us
When we refer to “Personal Data you provide to us”, this means any information that you provide to us about yourself. This information is either required by law (e.g., to verify your identity and comply with “Know Your Business” obligations), necessary to provide the requested Services (e.g., you will need to provide your contact details in order to open your account), or is relevant for certain specified purposes, described in greater detail below.
Failure in providing the data required implies that Ceffu will not be able to offer you our Services.
Personal Data collected automatically from you:
In some cases we may collect personal data automatically from you, to the extent permitted under the applicable law, we may collect certain types of personal data automatically, for example whenever you interact with us or use the Services, when we process your usage data of the platform and when we review your browsing information. This information helps us address customer support issues, improve the performance of our sites and Services, maintain and or improve your user experience, and protect your account from fraud by detecting unauthorized access.
data does Ceffu collect and process? | Why does Ceffu process my personal data? | Legal Basis for our use of Personal Data |
---|---|---|
Personal Data related to company Directors, UBOs and Authorised persons, including: | Managing our contractual relationship with you, to create and maintain your account. | Performance of a contract when we provide you with products or services or communicate with you about them. This includes when we use your Personal Data to take and handle orders, and process payments. The consequences of not processing your Personal Data for such purposes is the inability to open an account with us or the termination of your account where one is already open. |
Personal data related to company Directors, UBOs and Authorised persons, including: | Personal data provided by you during Know-Your-Business activity to comply with applicable Anti-Money Laundering rules and regulations in jurisdictions where Ceffu is being used by institutional clients. | |
- Email Corporate address | To communicate with you on services and transaction related matters. We use your Personal Data to communicate with you in relation to our services on administrative or account related information. We will communicate with you to keep you updated about our Services, for example, to inform you of relevant security issues, updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services. You may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal, compliance or security purposes. | Performance of a contract when we provide you with products or services, or communicate with you about them. This includes when we use your Personal Data to take and handle orders, and process payments. |
- Email Corporate address | To provide customer support services. We process your personal data when you contact us in order to provide support with respect to questions, disputes, complaints, troubleshoot problems, etc. Without processing this Personal Data for this purpose, we can’t respond to your requests. | Performance of a contract. Processing is necessary for the performance of a contract to which you are a party. |
- IP address | - To maintain the safety, security and integrity of our platform. We process your Personal Data in order to enhance security, monitor and verify identity or service access, combat malware or security risks and to comply with applicable security laws and regulations. We process your Personal Data to verify accounts and related activity, find and address violations of our Terms and Conditions, investigate suspicious activity, detect, present and combat unlawful behavior, detect fraud and maintain the integrity of our Services. Without processing your Personal Data, we may not be able to ensure the security of our Services. We use your Personal Data to provide functionality, analyze performance, fix errors, and improve the usability and effectiveness of Ceffu Services | Performance of a contract. Processing is necessary for the performance of a contract of which you are a party. |
- IP address | - To promote safety, security, and integrity of our Services. Fraud prevention and detection and credit risks. We process your Personal Data to prevent and detect, prevent and mitigate fraud and abuse of our Services and in order to protect you against account compromise or funds loss and in order to ensure the security of our users, our Services and others. We may also use scoring methods to assess and manage credit risks. | Our Legitimate Interests. Processing is necessary for the purpose of the legitimate interests pursued by us and the interests of our users when, for example, we detect and prevent fraud and abuse in order to protect the security of our users, ourselves, or others. |
- IP address | To provide you with our Services. We process your Personal Data to provide the Services to you and process your orders. | Performance of a Contract. Processing is necessary for the performance of a contract to which you are a party. |
- Email Corporate address | To improve our Services. We process your Personal Data to improve our services, for example, when we want to enhance your experience when navigating our site. | Our Legitimate Interests. Processing is necessary for the purpose of the legitimate interest pursued by us to improve our Services and enhance our user experience. |
- E-mail corporate address. | To do research and innovate. We carry out surveys to learn more about your experience using our Services. In that way we can support research and drive innovations of our Services and products. | Consent We will reach out to you only if you will provide your consent for this activity. |
- Email | Providing Ceffu product’s marketing content through emails to customers. | Consent We will reach out to you only if you will provide your consent for this activity. |
Ceffu does not allow anyone under the age of 18 to use our Services and does not knowingly collect personal data from children under 18.
2. What about cookies and other identifiers?
We use cookies and similar tools to enhance your user experience, provide our Services, and enhance our efforts and understand how customers use our Services so we can make improvements. Depending on applicable laws in the region you are located in, the cookie banner on your browser will tell you how to accept or refuse cookies. A copy of our cookie policy is available here.
3. How and why Ceffu shares your personal data
We may share your Personal Data with third parties (including other Ceffu entities) if we believe that sharing your Personal Data is in accordance with, or required by, any contractual relationship with you or us, applicable law, regulation or legal process. When sharing your Personal Data with other Ceffu entities, we will use our best endeavors to ensure that such entities are either subject to this Privacy Notice, or follow practices at least as protective as those described in this Privacy Notice.
We may also share personal data with the following persons or in the following circumstances:
Affiliates
Personal Data that we process and collect may be transferred between companies, Services, and employees affiliates with us as a normal part of conducting business and offering our Services to you.
Third party service providers
We employ other companies and individuals to perform functions on our behalf. Examples include analysing data, providing marketing assistance, processing payments, transmitting content, and assessing and managing credit risk. These third-party service providers only have access to personal data needed to perform their functions, but may not use it for other purposes. Further, they must process the personal data in accordance with our contractual agreements and only as permitted by applicable data protection laws.
Legal Authorities
We may be required by law or by Court to disclose certain information about you or any engagement we may have with you to relevant regulatory, law enforcement and/or other competent authorities. We will disclose information about you to legal authorities to the extent we are obliged to do so according to the law. We may also need to share your information in order to enforce or apply our legal rights or to prevent fraud.
Business transfers
As we continue to develop our business, we might sell or buy other businesses or services. In such transactions, user information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the user consents otherwise). Also, in the unlikely event that Ceffu or substantially all of its assets are acquired by a third party, user information will be one of the transferred assets.
Protection of Ceffu and others
We release accounts and other personal data when we believe release is appropriate to comply with the law or with our regulatory obligations; enforce or apply our Terms of Use and other agreements; or protect the rights, property or safety of Ceffu, our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction.
4. International transfers of personal information
To facilitate our global operations, we may transfer, store and process within our Affiliates, third-party partners, and service providers based throughout the world. The EEA includes the European Union countries as well as Iceland, Liechtenstein, and Norway. Transfers outside of the EEA are sometimes referred to as “third country transfers”.
In cases where we intend to transfer personal data to third countries or international organisations outside of the EEA, we put in place suitable technical, organizational and contractual safeguards (including Standard Contractual Clauses), to ensure that such transfer is carried out in compliance with applicable data protection rules, except where the country to which the personal data is transferred has already been determined by the European Commission to provide an adequate level of protection.
We also rely on decisions from the European Commission where they recognise that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for personal data. These decisions are referred to as “adequacy decisions”.
5. How secure is my information?
We design our systems with your security and privacy in mind. We have appropriate security measures in place to prevent your information being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We work to protect the security of your personal data during transmission and while stored by using encryption protocols and softwares. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
Our security procedures mean that we may ask you to verify your identity to protect you against unauthorised access to your account. We recommend using a unique password for your Ceffu account that is not utilized for other online accounts and to sign off when you finish using a shared computer.
6. What about advertising?
In order for us to provide you with the best user experience, we may share your Personal Data with our marketing partners for the purposes of targeting, modeling, and/or analytics as well as marketing and advertising. You have a right to object at any time to processing of your personal data for direct marketing purposes (see Section 7 “What Rights Do I Have”? below).
7. What rights do I have?
Subject to applicable law, as outlined below, you have a number of rights in relation to your privacy and the protection of your personal data. You have the right to request access to, correct, and delete your personal data, and to ask for data portability. You may also object to our processing of your personal data or ask that we restrict the processing of your personal data in certain instances. In addition, when you consent to our processing of your personal information for a specified purpose, you may withdraw your consent at any time. If you want to exercise any of your rights please contact atdpo@ceffu.com. These rights may be limited in some situations - for example, where we can demonstrate we have a legal requirement to process your personal information.
Right to access: you have the right to obtain confirmation that your Personal Data are processed and to obtain a copy of it as well as certain information related to its processing;
Right to rectify: you can request the rectification of your Personal Data which are inaccurate, and also add to it. You can also change your Personal Data in your account at any time.
Right to delete: you can, in some cases, have your Personal Data deleted;
Right to object: you can object, for reasons relating to your particular situation, to the processing of your Personal Data. For instance, you have the right to object where we rely on legitimate interest or where we process your data for direct marketing purposes;
Right to restrict processing: You have the right, in certain cases, to temporarily restrict the processing of your Personal Data by us, provided there are valid grounds for doing so. We may continue to process your personal data if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law;
Right to portability: in some cases, you can ask to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format, or, when this is possible, that we communicate your Personal Data on your behalf directly to another data controller;
Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter;
Right to lodge a complaint with the relevant data protection authority: We hope that we can satisfy any queries you may have about the way in which we process your personal data. However, if you have unresolved concerns, you also have the right to complain to the data protection authority in the location in which you live, work or believe a data protection breach has occurred.
If you have any questions or objections as to how we collect and process your personal data, please contact dpo@ceffu.com.
8. How long is my personal data kept?
We keep your Personal Data to enable your continued use of theServices, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, and as may be required by law such as for tax and accounting purposes, compliance with Anti-Money Laundering laws, or as otherwise communicated to you.
9. Contact information
Our data protection officer can be contacted at dpo@ceffu.com, and will work to address any questions or issues that you have with respect to the collection and processing of your Personal Data.
10. Ceffu's relationship to you
The Data Controller for the personal data collected and processed in connection with the provision of the Services is CH Europe Digital Solutions Sp. z.o.o. legal entity code: 0001031451, registered office address: Powstańców Śląskich street 103, Warszawa (01-355), Poland.
11. Notices and revisions
If you have any concerns about privacy at Ceffu, please contact us, and we will try to resolve them. You also have the right to contact your local Data Protection Authority.
Our business changes regularly, and our Privacy Notice may change also. You should check our websites frequently to see recent changes. Unless stated otherwise, our current Privacy Notice applies to all information that we have about you and your account.