Crypto.com Global Marketing  
Privacy Notice 
 
Last updated: 27 October 2023  
Welcome  to  Crypto.com’s  Global  Marketing  Privacy  Notice  (“Marketing  Privacy  Notice”). 
Please spend a few minutes to read it carefully before providing us with any information about 
you or any other person in relation to a Campaign, as defined below. 
 
Contents 
1.  Introduction 
2.  Purpose 
3.  Who we are 
4.  What data we collect about you 
5.  How we collect your data 
6.  How we use your data 
7.  Disclosures of your data 
8.  International transfers 
9.  Data security 
10.  Data retention 
11.  Your legal rights 
1. Introduction 
We respect your privacy and we are committed to protecting your personal data. Throughout this 
Marketing Privacy Notice, “personal data” shall mean any information relating to an identified or 
identifiable natural person; an identifiable natural person is one who can be identified, directly or 
indirectly,  in  particular  by  reference  to  an  identifier  such  as  a  name,  email,  an  identification 
number,  location  data,  IP  address,  physical  address,  phone  number,  device  specifications, 
clothing  size,  information  contained  in  government  issued  identification  documents,  photos, 
information  related to  social media  accounts,  etc.  In  this  Marketing  Privacy  Notice the  terms 
“personal data” and “personal information” are used interchangeably. 
This Marketing Privacy Notice applies to the processing of your personal data in connection with 
your participation in any promotional initiative organized by or on behalf of Crypto.com that aims 
to  promote  the  Crypto.com  products  and  services,  including  but  not  limited  to  campaigns, 
giveaways,  sweepstakes,  draws,  physical  and  online  events,  games,  surveys,  competitions, 
targeted email marketing (“Campaign”).  
Please note that any such Campaign is not intended for minors below the age of 18 years and we 
do not knowingly collect data relating to minors. 

2. Purpose

This Marketing Privacy Notice aims to give you information on why and how we collect and

process your personal data, as well as what your privacy rights are and how the data protection

principles set out in the applicable privacy legislation protect you.

It is important that you read this Marketing Privacy Notice together with any other notice or policy

we may provide on specific occasions when we are collecting or processing personal data about

you so that you are fully aware of why and how we are using your data.

3. Who we are

3.1. Data Controllers

The controller of your personal data is the legal entity that determines the “means” and the

“purposes” of any processing activities that it carries out. Since Crypto.com is operating around

the globe, this Marketing Privacy Notice applies to the processing of personal data by the following

entities within the Crypto.com group. One or more of those entities might be involved in organizing

the Campaign depending on your residency and/or used services: (“Crypto.com”, “we”, “us”,

“our”)

Data Controller

Contact Details

Foris DAX Global Limited

Kilmore House, Park

Lane, Spencer Dock,

Dublin 1, D01 XN99,

Ireland

Foris DAX Inc.

Suite 2725, Sabadell Financial Center

Building, 1111 Brickell

Avenue, Miami, FL 33131

Foris Inc.

Suite 2725, Sabadell Financial Center

Building, 1111 Brickell

Avenue, Miami, FL 33131

Foris DAX MT Limited

St. Julians, SPK

1000, level 7, Spinola

park, Triq Mikiel ang

Borg, Malta

Foris MT Limited

St. Julians, SPK

1000, level 7, Spinola

park, Triq Mikiel ang

Borg, Malta

Foris DAX AU Pty. Ltd.

Tricor Services (Australia) Pty Ltd, Level 3,

1049 Victoria Road, West Ryde NSW 2114,

Australia

Foris DAX Asia Pte. Ltd.

1 Raffles Quay, #25-01 Singapore 048583

CRO DAX Limited

94 Solaris Avenue Camana Bay PO Box

1348 Grand Cayman KY1-1108 Cayman

Islands.

Foris DAX UK Limited

Suite 5, 7th Floor 50 Broadway, London,

United Kingdom, SW1H 0DB

or the relevant Crypto.com entity that provides you with relevant Crypto.com services.

3.2. Data Protection Officer

We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing

questions in relation to this Marketing Privacy Notice. If you have any questions or complaints

related to this Marketing Privacy Notice or our privacy practices, or if you want to exercise your

legal rights, please contact our DPO at dpo@crypto.com.

4. What data we collect about you

Depending on the particular Campaign and its stage, as defined in the applicable written rules,

we will collect, use, store and transfer different kinds of personal data about you which we have

grouped in categories as follows:

Category of

Personal Data

Examples of specific pieces of personal data

Identity Data

● first name,

● maiden name,

● last name,

● username or similar identifier,

● title,

● date of birth and gender,

● information contained in an identification document,

● information relating to your physical well being,

● information relating to your personal preferences (e.g. clothing

size, dietary preferences).

Social Identity

Data

● information on referrals related to you,

● information made publicly available by you on social media with

regards to the applicable campaign (e.g. publicly shared social

media posts).

Contact Data

● delivery address,

● email address and telephone number.

Financial Data

● virtual currency account,

● stored value account,

● amounts associated with accounts,

● external account details.

Transactional Data

● details about payments to and from you,

● other details of any transactions you enter into using the

Services.

Technical Data

● internet connectivity data,

● internet protocol (IP) address,

● login data,

● device type,

● time zone setting and location data,

● language data,

● other information stored on or available regarding the devices

you allow us access to when you participate in a Campaign.

Profile Data

● your username,

● your identification number as our user,

● information on whether you have Crypto.com App account and

the email associated with your accounts,

● requests by you for products or services,

● your interests, preferences and feedback,

● other information generated by you when you communicate with

us.

Marketing and

Communications

Data

● your preferences in receiving marketing from us or third parties,

○ your communication preferences,

○ your survey responses.

5. How we collect your data

We may get information about you from the following sources:

● directly from you, including by filling in forms, by email or otherwise;

● in case you have been selected as a guest by the winner of the Campaign, your personal

data will by provided by the winner using the above means;

● where applicable, third parties or publicly available sources, such as social media.

You are not obliged to provide your personal data. However, if the requested data is not provided,

you will not be able to participate in the Campaign.

6. How we use your data

6.1. Lawful basis

We will only use your personal data when the applicable legislation allows us to. In other words,

we have to ensure that we have a lawful basis for such use.

We process your personal data relying on the following lawful bases:

● processing is necessary for performance of a contract or in order to take steps at your

request prior to entering into a contract; when you participate in the Campaign a

contractual relationship is formed between you and Crypto.com;

● processing is necessary for compliance with a legal obligation to which we are subject;

● processing is necessary for the purposes of the legitimate interests pursued by us as a

contracting entity and our interests do not contradict your interests, fundamental rights or

freedoms (for instance, the interest in assessing your eligibility to participate in the

Campaign);

● consent, if required.

We do not usually need your consent for processing personal data concerning you. If we need it,

we will ask for it and provide you with the respective information as required by law. Depending

on the applicable data protection framework, for example, if you are a resident of the European

Economic Area (“EEA”) or the United Kingdom (“UK”), you may also have the right to withdraw

your consent at any time, but please note that this will not affect the lawfulness of processing

based on your consent before its withdrawal.

If the prize of a Campaign includes passes to an event for you and a guest of your choosing, you

guarantee that your guest who will receive a pass has acknowledged and agreed for their

information to be used for the purposes listed herein. In addition, you guarantee that you and your

guest have acknowledged and shall adhere to the event-specific rules as provided by the event

organizer.

6.2. Purposes for which we will use your personal data

When you participate in the Campaign, we use the personal data you provide to conduct the

Campaign. Namely, we collect and use your personal data for the purposes of carrying out the

Campaign, monitoring for compliance with the applicable written rules, assessing your

eligibility to participate in the Campaign, prize draw, identity verification and prize delivery.

Further information on the purposes can be found in the respective written rules governing the

Campaign.

Note that we may process your personal data for more than one lawful basis depending on the

specific purpose for which we are using your personal data. Please contact us if you need details

about the specific legal ground we are relying on to process your personal data.

7. Disclosures of your data

We share your personal data with our third-party service providers, agents, subcontractors and

other associated organizations, our group companies, and affiliates (as described below) in order

to organize and carry out the Campaign. When using third party service providers, they are

required to respect the security of your personal data and to treat it in accordance with the law.

We may pass your personal data to the following third parties:

● entities organizing the event related to the Campaign in cases of giveaways and

sweepstakes;

● entities assisting us with the organization of the Campaign;

● companies and organizations that assist us in processing, verifying or refunding

transactions/orders you make in relation to the Campaign;

● anyone to whom we lawfully transfer or may transfer our rights and duties under the

relevant terms and conditions governing the Campaign;

● any third party because of any restructure, sale or acquisition of our group or any affiliates,

provided that any recipient uses your information for the same purposes as it was originally

supplied to us and/or used by us; and

● regulatory and law enforcement authorities, whether they are outside or inside of the EEA,

where the law allows or requires us to do so.

We disclose collected personal data to the relevant internal departments on a “need to know”

basis. We may also provide personal data to other affiliated companies within the Group or to

external service providers, contract processors (e.g. platform, hosting, shipping service providers)

in order to carry out the campaign. Platform and hosting service providers may have access to

personal data from a country outside the EEA. Where needed, as an appropriate safeguard we

have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers.

More information on this topic is published here (attention: a link to a third-party website).

8. International transfers

We share your personal data within our group. This will involve transferring your personal data outside

Hong Kong, EEA, the UK or the origin of where your data is collected.

We follow the specific legal framework applicable to such transfers. For example, whenever we

transfer your personal data out of the EEA or the UK, we ensure a similar degree of protection is

afforded to it by ensuring at least one of the following safeguards is implemented:

● the country to which we transfer your personal data has been deemed to provide an adequate

level of protection (attention: a link to a third-party website) for personal data by the European

Commission or the UK government, as applicable to your particular case;

● a specific contract approved by the European Commission or the UK government, which

gives safeguards to the processing of personal data, the so-called Standard Contractual

Clauses, as applicable to your particular case.

Please contact our Data Protection Officer at dpo@crypto.com if you want further information on the

specific mechanism used by us when transferring your personal data out of the EEA or the UK.

9. Data security

While there is an inherent risk in any data being shared over the internet, we have put in place

appropriate security measures to prevent your personal data from being accidentally lost, used,

damaged, or accessed in an unauthorised or unlawful way, altered, or disclosed. In addition, we

limit access to your personal data to those employees, agents, contractors and other third parties

who have a legitimate business need to know. They will only process your personal data on our

instructions, and they are subject to a duty of confidentiality.

Depending on the nature of the risks presented by the proposed processing of your personal data,

we will have in place the following appropriate security measures:

● organisational measures (including but not limited to staff training and policy

development);

● technical measures (including but not limited to physical protection of data,

pseudonymization and encryption); and

● securing ongoing availability, integrity, and accessibility (including but not limited to

ensuring appropriate back-ups of personal data are held).

We have put in place procedures to deal with any suspected personal data breach and will notify

you and any relevant regulator of a breach where we are legally required to do so.

If you want to know more about our security practice, please visit this link.

10. Data retention

To determine the appropriate retention period for personal data, we consider the amount, nature

and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure

of your personal data, the purposes for which we process your personal data and whether we can

achieve those purposes through other means, and the applicable legal, regulatory, tax,

accounting or other requirements.

Here are some exemplary factors which we usually consider when determining how long we need

to retain your personal data:

● in the event of a complaint;

● if we reasonably believe there is a prospect of litigation in respect to our relationship with

you or if we consider that we need to keep information to defend possible future legal

claims;

● to comply with any applicable legal and/or regulatory requirements with respect to certain

types of personal data;

● if information is needed for audit purposes;

● in accordance with relevant industry standards or guidelines;

● in accordance with our legitimate business need to prevent abuse of the Campaign. We

will retain your personal data for the time of the Campaign to prevent the appearance of

abusive behavior. For the same purpose we may also retain your’ personal data for a

certain period after the Campaign’s end.

Please note that under certain condition(s), you can ask us to delete your data: see your legal

rights below for further information. We will honor your deletion request ONLY if the condition(s)

is met.

11. Your legal rights

You have rights we need to make you aware of. The rights available to you depend on our reason

for processing your personal data. If you need more detailed information or wish to exercise any

of the rights set out below, please contact us.

You may:

● request access to your personal data, which enables you to obtain confirmation of whether

we are processing your personal data, to receive a copy of the personal data we hold

about you and information regarding how your personal data is being used by us;

● request rectification of your personal data by asking us to rectify information you think is

inaccurate and to complete information you think is incomplete, though we may need to

verify the accuracy of the new data you provide to us;

● request erasure of your personal data by asking us to delete or remove personal data we

hold about you; note, however, that we may not always be able to comply with your request

of erasure for specific legal reasons which will be notified to you;

● object to the processing of your personal data, where we are relying on a legitimate

interest (or those of a third party) and there is something about your particular situation

which makes you want to object to processing on this ground as you feel it impacts on

your fundamental rights and freedoms; in some cases, we may demonstrate that we have

compelling legitimate grounds to process your information which override your rights and

freedoms; you also have the right to object where we are processing your personal data

for direct marketing purposes;

● require that decisions be reconsidered if they are made solely by automated means,

without human involvement; we use automated tools to make sure that you are eligible to

participate in the Campaign taking into account our interests and legal obligations; if these

automated tools indicate that you do not meet our acceptance criteria, you shall not be

considered eligible to participate in the Campaign;

● request restriction of processing your personal data, which enables you to ask us to

suspend the processing of your personal data, if you want us to establish the data

accuracy; where our use of the data is unlawful, but you do not want us to erase it; where

you need us to hold the data even if we no longer require it as you need it to establish,

exercise or defend legal claims, or if you have objected to our use of your data, but we

need to verify whether we have overriding legitimate grounds to use it;

● request the transfer of your personal data to you or to a third party, and we will provide to

you, or a third party you have chosen (where technically feasible), your personal data in a

structured, commonly used, machine-readable format; note that this right only applies to

automated information which you initially provided consent for us to use or where we used

the information to perform a contract with you;

● withdraw consent at any time where we are relying on consent to process your personal

data; however, this will not affect the lawfulness of any processing carried out before you

withdraw your consent; if you withdraw your consent, we may not be able to provide certain

products or services to you, but we will advise you if this is the case at the time you

withdraw your consent;

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).

However, we may charge a reasonable fee if your request is manifestly unfounded or excessive.

Alternatively, we could refuse to comply with your request in these circumstances.

Period for replying to a legitimate request

We shall reply to a legitimate request within the legally prescribed period according to the

applicable legislation. If you are a resident of the EEA or the UK, the statutory period for us to

reply to a legitimate request is one month. That period may be extended by two further months

where necessary, taking into account the complexity and number of the requests.

Please note that we may request that you provide some details necessary to verify your identity

when you request to exercise a legal right regarding your personal data.

Complaints

You have the right to make a complaint about the way we process your personal data to a

supervisory authority. If you reside in an EEA Member State, you have the right to make a

complaint about the way we process your personal data to the supervisory authority in the EEA

Member State of your habitual residence, place of work or place of the alleged infringement.

Information about your supervisory authority could be found here.

● You may contact the Information and Data Protection Commissioner (IDPC), Malta's

supervisory authority for data protection matters, if you are a customer of Foris DAX MT

Limited or Foris MT Limited.

● You may contact the Data Protection Commission (DPC), Ireland’s supervisory authority

for data protection matters, if you are a customer of Foris DAX Global Limited.

● You may contact the Office of the Australian Information Commissioner, Australia’s

supervisory authority for data protection matters, if you are a customer of Foris DAX AU

Pty. Ltd.

● You may contact the California Privacy Protection Agency (CPPA), California’s

supervisory authority for data protection matters, and/or the U.S. Federal Trade

Commission (FTC), United States of America’s federal supervisory authority for data

protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.

● You may contact the Personal Data Protection Commission Singapore (PDPC),

Singapore’s supervisory authority for data protection matters, if you are a customer of

Foris DAX Asia Pte. Ltd.

● You may contact the Office of the Privacy Commissioner (OPC), Canada’s supervisory

authority for data protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.

● You may contact the Cayman Islands Ombudsman, the Cayman Islands’ supervisory

authority for data protection matters, if you are a customer of CRO DAX Limited.

● You may contact the Information Commissioner’s Office, United Kingdom’s supervisory

authority for data protection matters, if you are a customer of Foris DAX UK Limited.

● If you are not required to be our customer in order to participate in the Campaign or you

are a customer of another Crypto.com entity that is not listed in Section 3. Who we are,

you may also contact your local data protection regulatory authority.

We would, however, appreciate the chance to deal with your concerns before you approach a

data protection regulatory authority, so please feel free to contact us in the first instance.

EU Representative

Our EU representative is Fix Lab EOOD, with registered address 40, Anton P. Chehov Str., Sofia,

1113, Bulgaria. You may also contact it at fixlabltd@gmail.com.

UK Representative

Our UK representative is Fix Lab UK Ltd, with registered address 86-90 Paul Street, London,

England, EC2A 4NE. You may also contact it at fixlabl[email protected].