DigiCrypto OÜ Privacy Policy
Updated: November 27, 2025
THIS PRIVACY POLICY (THE "PRIVACY POLICY") APPLIES TO HOW WE COLLECT, USE AND PROCESS YOUR PERSONAL INFORMATION. PLEASE READ THIS PRIVACY POLICY CAREFULLY.
All of the provisions of this Privacy Policy are important, but please pay special attention to the parts that are in bold writing. These parts contain information about provisions that have special consequences for you. These parts are only intended to bring such provisions to your attention, and, where necessary, to explain their fact, nature and effect. Where explanations are given, they may be contained in a box. Such boxed explanations are aids to understanding only and are not provisions themselves. They do not limit the meaning or application of the provisions, and do not apply only to the situations and examples described in the boxes or only to similar situations or examples.
- SCOPE OF THIS PRIVACY POLICY
- Introduction and scope
- DigiCrypto OÜ ("DigiPay" or "we" or "us" or "our") is a financial technology company registered as a Virtual Asset Service Provider (VASP) that offers payment and virtual asset-related services.
- DigiPay strives to ensure that our use of the Personal Information of data subjects (a person to whom Personal Information relates, which includes you) is lawful, reasonable, relevant to our business activities, and compliant with applicable data protection laws, with the ultimate goal of improving our offerings and your experience.
- We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Privacy Policy and ensuring our compliance with the General Data Protection Regulation (GDPR) and other applicable laws. You may contact our Data Protection Officer at compliance@digipay.group to discuss this Privacy Policy or your rights under data protection laws.
- This Privacy Policy describes how we will treat your Personal Information whether provided by you to us, or collected by us through other means in your ordinary use of our products and/or services, which includes access to our website ("the Website").
- This Privacy Policy must be read together with our Website Terms of Use and any other documents or agreements that describe the manner in which we, in specific circumstances, collect or process Personal Information about you. This will enable you to understand the manner in which DigiPay will process your Personal Information. This Privacy Policy supplements such other documents and agreements but does not supersede them and in the event of any conflict, ambiguity or inconsistency between this Privacy Policy and such other documents and agreements, the terms of the particular document or agreement will prevail.
- THE PERSONAL INFORMATION THAT WE COLLECT ABOUT YOU
- DigiPay may collect, acquire, receive, record, organise, collate, store, update, change, retrieve, read, process, analyse, use and share your Personal Information in the manner as set out in this Privacy Policy. When we perform one or more of these actions, we are "Processing" your Personal Information.
- "Personal Information" refers to any information relating to an identified or identifiable natural person (‘data subject’). Personal Information does not include information that does not identify a person (including in instances where that information has been anonymised). The Personal Information that we collect about you may differ on the basis of the products and services that you receive from DigiPay.
- We may process various types of Personal Information as follows:
- Identity Information, which includes information concerning your name, the name of your business or association, unique identifiers that are associated with you (such as user identity numbers allocated to you by us and third parties), date of birth, gender, and nationality;
- Contact Information, which includes your physical and postal addresses, email addresses and telephone numbers, as well as company secretarial information that has been disclosed in relation to you;
- Financial and Transaction Information, which includes bank account details, virtual asset wallet addresses, payment card details, the details of third parties that receive payments from you (or make payments to you), transaction history, source of funds information, and financial statements;
- Technical and Usage Information, which may include information such as your IP address, unique device identifier, the nature of the devices ("Access Device") which you use to access or use our services (or the Website), browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website;
- Profile and Usage Data, which includes information about how you use our Website and services, preferences, feedback, and survey responses; and
- Marketing and Communications Data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- DigiPay may also process, collect, store and/or use aggregated data, which may include historical or statistical data ("Aggregated Data") for any purpose. Aggregated Data may be derived from your Personal Information but is not considered Personal Information, as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Information in a manner that has the result that it can directly or indirectly identify you, we will treat the combined data as Personal Information, which will be managed in accordance with this Privacy Policy.
- HOW WE COLLECT YOUR PERSONAL INFORMATION
- We collect your Personal Information in three ways, namely:
- through direct or active interactions with you;
- through automated or passive interactions with you; and
- from third parties, including third party service providers.
- Direct or active collection from you
- We may require that you submit certain information to enable you to access portions of the Website, to make use of our services, to facilitate the conclusion of an agreement with us, or that is necessary for our fulfilment of our statutory or regulatory obligations. We also collect Personal Information directly from you when you communicate directly with us, for example via e-mail, telephone calls, feedback forms, site comments or forums.
- If you contact us, we reserve the right to retain a record of that correspondence, which may include Personal Information.
- The Personal Information that we actively collect from you may include any of the Personal Information listed in paragraph 2 of this Privacy Policy.
- Passive collection from your Access Device
- We may passively collect certain of your Personal Information from the Access Device that you use to access and navigate the Website and/or to receive or use our services, by way of various technological applications, for instance, using server logs to collect and maintain log information.
- We also use cookies and similar tracking technologies which enable our computer system to recognise you when you next visit the Website to distinguish you from other users and to improve our service to you, and which can be used to enhance the content of the Website and make it more user-friendly, as well as to give you a more personalised experience.
- A cookie is a small piece of data (an alphanumeric identifier) which our computer system transfers to your Access Device through your web browser when you visit the Website and which is stored in your web browser. When you visit the Website again, the cookie allows the site to recognise your browser. Cookies may store user preferences and other information.
- You may disable the use of cookies by configuring your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do so, you may not be able to enjoy all of the features and functionality of the Website.
- The Personal Information that we passively collect from your Access Device may include any of the Personal Information listed in paragraph 2 of this Privacy Policy.
- Personal Information collected from third parties
- DigiPay receives Personal Information about you from various third parties and public sources, including:
- our clients (merchants) to whom we provide payment and VASP services;
- third party service providers, such as identity verification and fraud prevention services;
- payment processors and financial institutions;
- advertising networks and analytics providers; and
- publicly available sources and databases for compliance and due diligence purposes.
- HOW WE USE YOUR PERSONAL INFORMATION
- We use the Personal Information we collect from you to maintain and improve the Website and to improve the experience of our users, to facilitate the sale of our products and the provision of our services and to fulfil our statutory and regulatory obligations.
- We may also use your Personal Information to:
- create and manage your user account;
- provide, operate, and secure our services and the Website;
- process transactions and payments, and prevent transactional fraud;
- verify your identity and perform necessary compliance checks (including anti-money laundering and counter-terrorist financing checks);
- communicate with you about your account, transactions, and our services;
- send you administrative information, such as updates to our terms, conditions, and policies;
- personalize your experience on our Website and recommend features or services that may be of interest to you;
- provide customer support and respond to your inquiries;
- conduct research and analysis to improve our services and develop new ones;
- detect, prevent, and address technical issues, security breaches, and fraudulent activities;
- comply with legal and regulatory obligations applicable to us as a VASP and payment service provider;
- enforce our Terms of Use and other agreements; and
- for other legitimate business purposes, provided they are compatible with the original purpose of collection.
- DigiPay will restrict its processing of your Personal Information to the original purpose for which it was collected, unless we reasonably consider that it is necessary to process it for another purpose that is compatible with the original purpose or we have obtained your consent for the new purpose.
- DigiPay may, where permitted or required to do so by applicable law, process your Personal Information without your knowledge or consent, and will do so in accordance with the further provisions of this Privacy Policy.
- LEGAL BASIS FOR PROCESSING (EEA & UK USERS)
- For users in the European Economic Area (EEA) and the United Kingdom, we process your Personal Information on one or more of the following legal bases:
- Performance of a Contract: The processing is necessary for the performance of the contract with you or to take steps at your request before entering into such a contract.
- Legitimate Interests: The processing is necessary for our legitimate interests (or those of a third party), provided your interests and fundamental rights do not override those interests. Our legitimate interests include operating our business, providing and improving our services, marketing, and fraud prevention.
- Legal Obligation: The processing is necessary for compliance with a legal obligation to which we are subject (e.g., anti-money laundering regulations).
- Consent: Where required by law, we will obtain your explicit consent before processing your Personal Information for specific purposes (e.g., for certain types of direct marketing). You have the right to withdraw your consent at any time.
- CONSENT FOR PAYMENT PROCESSING AND ACCOUNT ACCESS
- Request for Consent
- Before DigiPay can proceed with initiating a payment instruction or accessing account information on your behalf, we require your explicit consent to the following terms:
- You acknowledge that, by initiating a payment instruction via a DigiPay platform, you may provide credentials or authorization for us to access relevant financial information to issue the relevant instruction on your behalf.
- Your credentials and authorization will be processed and safeguarded in accordance with applicable information and data privacy legislation, including strong encryption and security protocols.
- You acknowledge that certain payments, particularly those involving virtual assets, may be final and irrevocable.
- You explicitly authorise us to use your provided credentials and authorizations solely for the purpose of facilitating the requested payment or service on your behalf. We will not use these for any other purpose without your further consent.
- Consent for Each Service
Your use of specific services constitutes your consent for the associated processing. For recurring services, your initial consent covers ongoing processing unless you withdraw it.
- Right to Withdraw Consent
- You retain the right to withdraw your consent for processing based on consent at any time by contacting us at support@digipay.group. However, withdrawal of consent may prevent us from providing certain services to you. It is important to note that your withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Security and Privacy
- We are committed to ensuring the confidentiality, integrity, and security of your Personal Information, and we implement appropriate technical and organisational safeguards in compliance with applicable data protection laws.
- We have implemented information security measures designed to protect your data from unauthorised access, disclosure, alteration, and destruction. We use encryption for sensitive data both in transit and at rest.
- We adhere to the principle of data minimisation and do not store sensitive credentials longer than necessary to complete the authorised transaction or as required by law.
- COMPULSORY PERSONAL INFORMATION AND CONSEQUENCES OF NOT SHARING WITH US
Where DigiPay is required to process certain Personal Information by law (such as for anti-money laundering and identity verification), or in terms of a contract that we have with you, and you fail to provide such Personal Information when requested to do so, DigiPay may be unable to perform the contract we have or are trying to enter into with you. In this case, DigiPay may be required to refuse service or terminate the contract and/or relationship, upon notification to you, which termination will be done in accordance with the terms of the contract and all applicable legislation.
In the paragraph above, you agree and accept that there is certain compulsory Personal Information you must provide us with if you want to use our regulated services. If you decide not to provide us with such compulsory Personal Information, we may be unable to provide you with our services.
- SHARING OF YOUR PERSONAL INFORMATION
- We will not intentionally disclose your Personal Information, whether for commercial gain or otherwise, other than with your permission, as permitted by applicable law or in the manner as set out in this Privacy Policy.
- DigiPay may share your Personal Information under the following circumstances:
- with our service providers, suppliers, and professional advisors (such as legal, audit, and consulting firms) that have agreed to confidentiality and data protection terms consistent with this Privacy Policy;
- with our group companies, employees, contractors and agents if and to the extent that they require such Personal Information in the provision of services for or to us. These services include, but are not limited to, hosting, development and administration, technical support, compliance, and other support services relating to the Website or the operation of DigiPay's business;
- to enable us to enforce or apply any contract between you and us;
- to protect our rights, property or safety or that of our customers, employees, contractors, suppliers, service providers, agents and any other third party;
- to mitigate any actual or reasonably perceived risk to us, our customers, employees, contractors, agents or any other third party;
- with governmental agencies, regulatory bodies, law enforcement, financial intelligence units, and other authorities, if required to do so by law or if we reasonably believe that such action is necessary to:
- comply with legal obligations, court orders, or regulatory requests;
- protect and defend our legal rights, property, or safety, or that of our users or others;
- detect, prevent, or manage actual or alleged fraud, security breaches, money laundering, terrorist financing, or other illegal activities; and
- protect the vital interests of any person.
- in connection with a merger, acquisition, sale of assets, or financing transaction, where Personal Information may be transferred to the relevant third party involved, subject to their agreement to maintain the confidentiality of your information.
- Where we appoint a third party to process your Personal Information on our behalf (a "processor"), we enter into contracts that require them to protect your information and process it only in accordance with our instructions and applicable law.
- INTERNATIONAL TRANSFERS OF YOUR PERSONAL INFORMATION
- We operate globally and may transfer, store, and process your Personal Information in countries other than your country of residence, including outside the European Economic Area (EEA).
- When we transfer your Personal Information internationally, we ensure an adequate level of protection is afforded to it by implementing appropriate safeguards as required by data protection laws. These may include:
- Transferring to countries that have been deemed to provide an adequate level of protection by the European Commission.
- Using specific contracts approved by the European Commission (Standard Contractual Clauses) which give Personal Information the same protection it has in Europe.
- For transfers involving the United States, relying on the EU-U.S. Data Privacy Framework where the recipient is certified.
- You may contact us using the details below to obtain more information on the specific mechanisms used by us when transferring your Personal Information outside the EEA.
- SECURITY
- We take appropriate technical and organisational measures to secure the integrity and confidentiality of your Personal Information and protect it from unauthorised access, disclosure, alteration, and destruction. These measures include encryption, access controls, secure development practices, and regular security assessments.
- While we strive to protect your Personal Information, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.
- We have procedures in place to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
In this paragraph, you acknowledge that you know and you accept that the transmission of information via the internet is not completely secure. We do not guarantee the absolute security of your Personal Information. You will not be able to take action against us for security breaches that occur despite our implementation of reasonable security measures.
- DATA RETENTION
- We will retain your Personal Information only for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
- To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.
- In specific contexts, we are required by law (e.g., anti-money laundering regulations) to retain certain information for extended periods (e.g., 5 to 10 years after the end of our relationship).
- Upon expiry of the applicable retention period, we will securely destroy or anonymise your Personal Information.
- DATA ACCURACY
- It is important that the Personal Information we hold about you is accurate and current. Please keep us informed if your Personal Information changes during your relationship with us.
- You can review and update certain Personal Information through your account settings or by contacting us at the details below.
- YOUR DATA PROTECTION RIGHTS
- Depending on your location and applicable data protection laws (such as the GDPR), you may have the following rights regarding your Personal Information:
- Right to Access: You have the right to request a copy of the Personal Information we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete Personal Information.
- Right to Erasure (Right to be Forgotten): You have the right to request deletion of your Personal Information under certain circumstances.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your Personal Information under certain conditions.
- Right to Object to Processing: You have the right to object to our processing of your Personal Information based on our legitimate interests, and to object to direct marketing.
- Right to Data Portability: You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- To exercise any of these rights, please contact us using the details in the "Contact Us" section. We may need to verify your identity before processing your request. We will respond to your request within the timeframe required by applicable law.
- You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
- CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. The updated version will be indicated by a revised "Last Updated" date at the top of the policy. We will take reasonably practicable steps to inform you of material changes. We encourage you to review this Privacy Policy periodically.
- CHILDREN
Our Website and services are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children. If you are a parent or guardian and believe we have collected information about your child, please contact us. If we learn that we have collected Personal Information from a child without parental consent, we will take steps to delete that information.
- THIRD PARTY LINKS
- Our Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
- We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy policy of every website you visit.
We are not liable for any losses or damages you may suffer when visiting third party websites by following a link from our Website. You access such third-party sites at your own risk.
- GOVERNING LAW AND DISPUTE RESOLUTION
- This Privacy Policy and any dispute arising out of it shall be governed by and construed in accordance with the laws of the Republic of Estonia.
- You agree that the courts of Estonia shall have non-exclusive jurisdiction to settle any such dispute.
- CONTACT US
- If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a privacy concern, please contact us at:
Data Protection Officer
DigiCrypto OÜ
Registration number: 14935792
Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Veskiposti tn 2-1002, 11415, Estonia
Email: compliance@digipay.group
General Support: support@digipay.group
Tel: +44 7418 602401
- If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.