Crypto.com Global Marketing
Privacy Notice
Last updated: 27 October 2023
Welcome to Crypto.com’s Global Marketing Privacy Notice (“Marketing Privacy Notice”).
Please spend a few minutes to read it carefully before providing us with any information about
you or any other person in relation to a Campaign, as defined below.
Contents
1. Introduction
2. Purpose
3. Who we are
4. What data we collect about you
5. How we collect your data
6. How we use your data
7. Disclosures of your data
8. International transfers
9. Data security
10. Data retention
11. Your legal rights
1. Introduction
We respect your privacy and we are committed to protecting your personal data. Throughout this
Marketing Privacy Notice, “personal data” shall mean any information relating to an identified or
identifiable natural person; an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, email, an identification
number, location data, IP address, physical address, phone number, device specifications,
clothing size, information contained in government issued identification documents, photos,
information related to social media accounts, etc. In this Marketing Privacy Notice the terms
“personal data” and “personal information” are used interchangeably.
This Marketing Privacy Notice applies to the processing of your personal data in connection with
your participation in any promotional initiative organized by or on behalf of Crypto.com that aims
to promote the Crypto.com products and services, including but not limited to campaigns,
giveaways, sweepstakes, draws, physical and online events, games, surveys, competitions,
targeted email marketing (“Campaign”).
Please note that any such Campaign is not intended for minors below the age of 18 years and we
do not knowingly collect data relating to minors.
2. Purpose
This Marketing Privacy Notice aims to give you information on why and how we collect and
process your personal data, as well as what your privacy rights are and how the data protection
principles set out in the applicable privacy legislation protect you.
It is important that you read this Marketing Privacy Notice together with any other notice or policy
we may provide on specific occasions when we are collecting or processing personal data about
you so that you are fully aware of why and how we are using your data.
3. Who we are
3.1. Data Controllers
The controller of your personal data is the legal entity that determines the “means” and the
“purposes” of any processing activities that it carries out. Since Crypto.com is operating around
the globe, this Marketing Privacy Notice applies to the processing of personal data by the following
entities within the Crypto.com group. One or more of those entities might be involved in organizing
the Campaign depending on your residency and/or used services: (“Crypto.com”, “we”, “us”,
“our”)
Data Controller
Contact Details
Foris DAX Global Limited
Kilmore House, Park
Lane, Spencer Dock,
Dublin 1, D01 XN99,
Ireland
Foris DAX Inc.
Suite 2725, Sabadell Financial Center
Building, 1111 Brickell
Avenue, Miami, FL 33131
Foris Inc.
Suite 2725, Sabadell Financial Center
Building, 1111 Brickell
Avenue, Miami, FL 33131
Foris DAX MT Limited
St. Julians, SPK
1000, level 7, Spinola
park, Triq Mikiel ang
Borg, Malta
Foris MT Limited
St. Julians, SPK
1000, level 7, Spinola
park, Triq Mikiel ang
Borg, Malta
Foris DAX AU Pty. Ltd.
Tricor Services (Australia) Pty Ltd, Level 3,
1049 Victoria Road, West Ryde NSW 2114,
Australia
Foris DAX Asia Pte. Ltd.
1 Raffles Quay, #25-01 Singapore 048583
CRO DAX Limited
94 Solaris Avenue Camana Bay PO Box
1348 Grand Cayman KY1-1108 Cayman
Islands.
Foris DAX UK Limited
Suite 5, 7th Floor 50 Broadway, London,
United Kingdom, SW1H 0DB
or the relevant Crypto.com entity that provides you with relevant Crypto.com services.
3.2. Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing
questions in relation to this Marketing Privacy Notice. If you have any questions or complaints
related to this Marketing Privacy Notice or our privacy practices, or if you want to exercise your
legal rights, please contact our DPO at dpo@crypto.com.
4. What data we collect about you
Depending on the particular Campaign and its stage, as defined in the applicable written rules,
we will collect, use, store and transfer different kinds of personal data about you which we have
grouped in categories as follows:
Category of
Personal Data
Examples of specific pieces of personal data
Identity Data
first name,
maiden name,
last name,
username or similar identifier,
title,
date of birth and gender,
information contained in an identification document,
information relating to your physical well being,
information relating to your personal preferences (e.g. clothing
size, dietary preferences).
Social Identity
Data
information on referrals related to you,
information made publicly available by you on social media with
regards to the applicable campaign (e.g. publicly shared social
media posts).
Contact Data
delivery address,
email address and telephone number.
Financial Data
virtual currency account,
stored value account,
amounts associated with accounts,
external account details.
Transactional Data
details about payments to and from you,
other details of any transactions you enter into using the
Services.
Technical Data
internet connectivity data,
internet protocol (IP) address,
login data,
device type,
time zone setting and location data,
language data,
other information stored on or available regarding the devices
you allow us access to when you participate in a Campaign.
Profile Data
your username,
your identification number as our user,
information on whether you have Crypto.com App account and
the email associated with your accounts,
requests by you for products or services,
your interests, preferences and feedback,
other information generated by you when you communicate with
us.
Marketing and
Communications
Data
your preferences in receiving marketing from us or third parties,
your communication preferences,
your survey responses.
5. How we collect your data
We may get information about you from the following sources:
directly from you, including by filling in forms, by email or otherwise;
in case you have been selected as a guest by the winner of the Campaign, your personal
data will by provided by the winner using the above means;
where applicable, third parties or publicly available sources, such as social media.
You are not obliged to provide your personal data. However, if the requested data is not provided,
you will not be able to participate in the Campaign.
6. How we use your data
6.1. Lawful basis
We will only use your personal data when the applicable legislation allows us to. In other words,
we have to ensure that we have a lawful basis for such use.
We process your personal data relying on the following lawful bases:
processing is necessary for performance of a contract or in order to take steps at your
request prior to entering into a contract; when you participate in the Campaign a
contractual relationship is formed between you and Crypto.com;
processing is necessary for compliance with a legal obligation to which we are subject;
processing is necessary for the purposes of the legitimate interests pursued by us as a
contracting entity and our interests do not contradict your interests, fundamental rights or
freedoms (for instance, the interest in assessing your eligibility to participate in the
Campaign);
consent, if required.
We do not usually need your consent for processing personal data concerning you. If we need it,
we will ask for it and provide you with the respective information as required by law. Depending
on the applicable data protection framework, for example, if you are a resident of the European
Economic Area (“EEA”) or the United Kingdom (“UK”), you may also have the right to withdraw
your consent at any time, but please note that this will not affect the lawfulness of processing
based on your consent before its withdrawal.
If the prize of a Campaign includes passes to an event for you and a guest of your choosing, you
guarantee that your guest who will receive a pass has acknowledged and agreed for their
information to be used for the purposes listed herein. In addition, you guarantee that you and your
guest have acknowledged and shall adhere to the event-specific rules as provided by the event
organizer.
6.2. Purposes for which we will use your personal data
When you participate in the Campaign, we use the personal data you provide to conduct the
Campaign. Namely, we collect and use your personal data for the purposes of carrying out the
Campaign, monitoring for compliance with the applicable written rules, assessing your
eligibility to participate in the Campaign, prize draw, identity verification and prize delivery.
Further information on the purposes can be found in the respective written rules governing the
Campaign.
Note that we may process your personal data for more than one lawful basis depending on the
specific purpose for which we are using your personal data. Please contact us if you need details
about the specific legal ground we are relying on to process your personal data.
7. Disclosures of your data
We share your personal data with our third-party service providers, agents, subcontractors and
other associated organizations, our group companies, and affiliates (as described below) in order
to organize and carry out the Campaign. When using third party service providers, they are
required to respect the security of your personal data and to treat it in accordance with the law.
We may pass your personal data to the following third parties:
entities organizing the event related to the Campaign in cases of giveaways and
sweepstakes;
entities assisting us with the organization of the Campaign;
companies and organizations that assist us in processing, verifying or refunding
transactions/orders you make in relation to the Campaign;
anyone to whom we lawfully transfer or may transfer our rights and duties under the
relevant terms and conditions governing the Campaign;
any third party because of any restructure, sale or acquisition of our group or any affiliates,
provided that any recipient uses your information for the same purposes as it was originally
supplied to us and/or used by us; and
regulatory and law enforcement authorities, whether they are outside or inside of the EEA,
where the law allows or requires us to do so.
We disclose collected personal data to the relevant internal departments on a “need to know”
basis. We may also provide personal data to other affiliated companies within the Group or to
external service providers, contract processors (e.g. platform, hosting, shipping service providers)
in order to carry out the campaign. Platform and hosting service providers may have access to
personal data from a country outside the EEA. Where needed, as an appropriate safeguard we
have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers.
More information on this topic is published here (attention: a link to a third-party website).
8. International transfers
We share your personal data within our group. This will involve transferring your personal data outside
Hong Kong, EEA, the UK or the origin of where your data is collected.
We follow the specific legal framework applicable to such transfers. For example, whenever we
transfer your personal data out of the EEA or the UK, we ensure a similar degree of protection is
afforded to it by ensuring at least one of the following safeguards is implemented:
the country to which we transfer your personal data has been deemed to provide an adequate
level of protection (attention: a link to a third-party website) for personal data by the European
Commission or the UK government, as applicable to your particular case;
a specific contract approved by the European Commission or the UK government, which
gives safeguards to the processing of personal data, the so-called Standard Contractual
Clauses, as applicable to your particular case.
Please contact our Data Protection Officer at dpo@crypto.com if you want further information on the
specific mechanism used by us when transferring your personal data out of the EEA or the UK.
9. Data security
While there is an inherent risk in any data being shared over the internet, we have put in place
appropriate security measures to prevent your personal data from being accidentally lost, used,
damaged, or accessed in an unauthorised or unlawful way, altered, or disclosed. In addition, we
limit access to your personal data to those employees, agents, contractors and other third parties
who have a legitimate business need to know. They will only process your personal data on our
instructions, and they are subject to a duty of confidentiality.
Depending on the nature of the risks presented by the proposed processing of your personal data,
we will have in place the following appropriate security measures:
organisational measures (including but not limited to staff training and policy
development);
technical measures (including but not limited to physical protection of data,
pseudonymization and encryption); and
securing ongoing availability, integrity, and accessibility (including but not limited to
ensuring appropriate back-ups of personal data are held).
We have put in place procedures to deal with any suspected personal data breach and will notify
you and any relevant regulator of a breach where we are legally required to do so.
If you want to know more about our security practice, please visit this link.
10. Data retention
To determine the appropriate retention period for personal data, we consider the amount, nature
and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure
of your personal data, the purposes for which we process your personal data and whether we can
achieve those purposes through other means, and the applicable legal, regulatory, tax,
accounting or other requirements.
Here are some exemplary factors which we usually consider when determining how long we need
to retain your personal data:
in the event of a complaint;
if we reasonably believe there is a prospect of litigation in respect to our relationship with
you or if we consider that we need to keep information to defend possible future legal
claims;
to comply with any applicable legal and/or regulatory requirements with respect to certain
types of personal data;
if information is needed for audit purposes;
in accordance with relevant industry standards or guidelines;
in accordance with our legitimate business need to prevent abuse of the Campaign. We
will retain your personal data for the time of the Campaign to prevent the appearance of
abusive behavior. For the same purpose we may also retain your’ personal data for a
certain period after the Campaign’s end.
Please note that under certain condition(s), you can ask us to delete your data: see your legal
rights below for further information. We will honor your deletion request ONLY if the condition(s)
is met.
11. Your legal rights
You have rights we need to make you aware of. The rights available to you depend on our reason
for processing your personal data. If you need more detailed information or wish to exercise any
of the rights set out below, please contact us.
You may:
request access to your personal data, which enables you to obtain confirmation of whether
we are processing your personal data, to receive a copy of the personal data we hold
about you and information regarding how your personal data is being used by us;
request rectification of your personal data by asking us to rectify information you think is
inaccurate and to complete information you think is incomplete, though we may need to
verify the accuracy of the new data you provide to us;
request erasure of your personal data by asking us to delete or remove personal data we
hold about you; note, however, that we may not always be able to comply with your request
of erasure for specific legal reasons which will be notified to you;
object to the processing of your personal data, where we are relying on a legitimate
interest (or those of a third party) and there is something about your particular situation
which makes you want to object to processing on this ground as you feel it impacts on
your fundamental rights and freedoms; in some cases, we may demonstrate that we have
compelling legitimate grounds to process your information which override your rights and
freedoms; you also have the right to object where we are processing your personal data
for direct marketing purposes;
require that decisions be reconsidered if they are made solely by automated means,
without human involvement; we use automated tools to make sure that you are eligible to
participate in the Campaign taking into account our interests and legal obligations; if these
automated tools indicate that you do not meet our acceptance criteria, you shall not be
considered eligible to participate in the Campaign;
request restriction of processing your personal data, which enables you to ask us to
suspend the processing of your personal data, if you want us to establish the data
accuracy; where our use of the data is unlawful, but you do not want us to erase it; where
you need us to hold the data even if we no longer require it as you need it to establish,
exercise or defend legal claims, or if you have objected to our use of your data, but we
need to verify whether we have overriding legitimate grounds to use it;
request the transfer of your personal data to you or to a third party, and we will provide to
you, or a third party you have chosen (where technically feasible), your personal data in a
structured, commonly used, machine-readable format; note that this right only applies to
automated information which you initially provided consent for us to use or where we used
the information to perform a contract with you;
withdraw consent at any time where we are relying on consent to process your personal
data; however, this will not affect the lawfulness of any processing carried out before you
withdraw your consent; if you withdraw your consent, we may not be able to provide certain
products or services to you, but we will advise you if this is the case at the time you
withdraw your consent;
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
However, we may charge a reasonable fee if your request is manifestly unfounded or excessive.
Alternatively, we could refuse to comply with your request in these circumstances.
Period for replying to a legitimate request
We shall reply to a legitimate request within the legally prescribed period according to the
applicable legislation. If you are a resident of the EEA or the UK, the statutory period for us to
reply to a legitimate request is one month. That period may be extended by two further months
where necessary, taking into account the complexity and number of the requests.
Please note that we may request that you provide some details necessary to verify your identity
when you request to exercise a legal right regarding your personal data.
Complaints
You have the right to make a complaint about the way we process your personal data to a
supervisory authority. If you reside in an EEA Member State, you have the right to make a
complaint about the way we process your personal data to the supervisory authority in the EEA
Member State of your habitual residence, place of work or place of the alleged infringement.
Information about your supervisory authority could be found here.
You may contact the Information and Data Protection Commissioner (IDPC), Malta's
supervisory authority for data protection matters, if you are a customer of Foris DAX MT
Limited or Foris MT Limited.
You may contact the Data Protection Commission (DPC), Ireland’s supervisory authority
for data protection matters, if you are a customer of Foris DAX Global Limited.
You may contact the Office of the Australian Information Commissioner, Australia’s
supervisory authority for data protection matters, if you are a customer of Foris DAX AU
Pty. Ltd.
You may contact the California Privacy Protection Agency (CPPA), California’s
supervisory authority for data protection matters, and/or the U.S. Federal Trade
Commission (FTC), United States of America’s federal supervisory authority for data
protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.
You may contact the Personal Data Protection Commission Singapore (PDPC),
Singapore’s supervisory authority for data protection matters, if you are a customer of
Foris DAX Asia Pte. Ltd.
You may contact the Office of the Privacy Commissioner (OPC), Canada’s supervisory
authority for data protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.
You may contact the Cayman Islands Ombudsman, the Cayman Islands’ supervisory
authority for data protection matters, if you are a customer of CRO DAX Limited.
You may contact the Information Commissioner’s Office, United Kingdom’s supervisory
authority for data protection matters, if you are a customer of Foris DAX UK Limited.
If you are not required to be our customer in order to participate in the Campaign or you
are a customer of another Crypto.com entity that is not listed in Section 3. Who we are,
you may also contact your local data protection regulatory authority.
We would, however, appreciate the chance to deal with your concerns before you approach a
data protection regulatory authority, so please feel free to contact us in the first instance.
EU Representative
Our EU representative is Fix Lab EOOD, with registered address 40, Anton P. Chehov Str., Sofia,
1113, Bulgaria. You may also contact it at fixlabltd@gmail.com.
UK Representative
Our UK representative is Fix Lab UK Ltd, with registered address 86-90 Paul Street, London,
England, EC2A 4NE. You may also contact it at fixlabl[email protected].