Last updated: 12 March, 2026
Ceffu (“Ceffu”, “we”, or “us”) is committed to protecting the privacy of our customers, and we take our data protection responsibilities seriously.
We provide Institutional Digital Asset Infrastructure to our Business Customers to enable their end-users to access digital asset custody services (“Services”). This Privacy Notice describes the Personal Data that we collect, use, and share about you when you explore, sign up or access Ceffu websites and applications, how it is used, when and how it is shared, the rights and choices that you have, and how you can contact us about our privacy practices. This Privacy Notice also outlines your data subject rights, including the right that you have to object to certain uses of your Personal Data. In addition, we may also process your Personal Data for specific purposes, where applicable, such as processing your job applications or administering your employment with us.
This Privacy Notice applies to all Personal Data processing activities carried out by us, across our platform websites and departments. We are a platform that provides Institutional Digital Asset Infrastructure Custody Services, and in order to provide our Services to our Business Customers, we collect and process personal data. Business Customers are entities which directly and indirectly directs its users to Ceffu in connection with its business and activities. End Customers are those customers that are leveraging services directly from Ceffu.
To the extent that you are not a relevant stakeholder, customer or user of our Services, but are using our website, this Privacy Notice also applies to you together with our Cookie Notice.
This Notice should therefore be read together with our Cookie Notice, which provides further details on our use of cookies on the website. Our Cookie Notice can be accessed here.
1. What Personal Data does Ceffu collect and process?
Personal Data means any information that relates to an identified or identifiable individual, and can include information that you provide to us and that we collect about you, such as when you engage with our websites (e.g. device information, IP address).
Personal Data You Provide to Us
When we refer to “Personal Data you provide to us”, this means any information that you or your authorised representative provide to us about yourself. This may include Personal Data submitted directly by you, or indirectly through the authorised person of your organisation or our Business Customer. This information is either required by law (e.g., to verify your identity and comply with “Know Your Business” obligations), necessary to provide the requested Services (e.g., you will need to provide your contact details in order to open your account), or is relevant for certain specified purposes, described in greater detail below.
A. For Business Customers and Users:
If you are our Business Customers, we present a table that outlines the Personal Data that our Services use and the purposes for processing that information. Failure in providing the data required implies that Ceffu will not be able to offer you our Services. Failure in providing the data required implies that Ceffu will not be able to offer you our Services.
Personal Data does Ceffu collect and process? | Why does Ceffu process my Personal Data? | Legal Basis for our use of Personal Data |
|---|---|---|
Personal Data related to company Directors, UBOs and Authorised persons, including: | Managing our contractual relationship with you, to create and maintain your account. | Performance of a contract when we provide you with products or services or communicate with you about them. This includes when we use your Personal Data to take and handle orders, and process payments. The consequences of not processing your Personal Data for such purposes is the inability to open an account with us or the termination of your account where one is already open. |
Personal Data related to company Directors, UBOs and Authorised persons, including: | Personal Data provided by you during Know-Your-Business activity to comply with applicable Anti-Money Laundering rules and regulations in jurisdictions where Ceffu is being used by institutional clients. | Processing is necessary to comply with our legal obligations under applicable laws and regulations, including Anti-Money Laundering laws or sanctions rules. |
Personal Data related to originator / beneficiary of digital asset transfer - Name - Country of Domicile - Date of birth - Distributed ledger address | To comply with applicable “Travel Rule” involved in a digital asset transfer. | Processing is necessary to comply with our legal obligations under applicable laws and regulations. |
- Corporate Email Address | To communicate with you on services and transaction related matters. We use your Personal Data to communicate with you in relation to our services on administrative or account related information. We will communicate with you to keep you updated about our Services, for example, to inform you of relevant security issues, updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services. You may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal, compliance or security purposes. | Performance of a contract when we provide you with products or services, or communicate with you about them. This includes when we use your Personal Data to take and handle orders, and process payments. |
- Corporate Email Address | To provide customer support services. We process your Personal Data when you contact us in order to provide support with respect to questions, disputes, complaints, troubleshoot problems, etc. Without processing this Personal Data for this purpose, we can’t respond to your requests. | Performance of a contract. Processing is necessary for the performance of a contract to which you are a party. |
- IP address | - To maintain the safety, security and integrity of our platform. We process your Personal Data in order to enhance security, monitor and verify identity or service access, combat malware or security risks and to comply with applicable security laws and regulations. We process your Personal Data to verify accounts and related activity, find and address violations of our Terms and Conditions, investigate suspicious activity, detect, present and combat unlawful behavior, detect fraud and maintain the integrity of our Services. Without processing your Personal Data, we may not be able to ensure the security of our Services. We use your Personal Data to provide functionality, analyze performance, fix errors, and improve the usability and effectiveness of Ceffu Services | Performance of a contract. Processing is necessary for the performance of a contract of which you are a party. |
- IP address | - To promote safety, security, and integrity of our Services. Fraud prevention and detection and credit risks. We process your Personal Data to prevent and detect, prevent and mitigate fraud and abuse of our Services and in order to protect you against account compromise or funds loss and in order to ensure the security of our users, our Services and others. We may also use scoring methods to assess and manage credit risks. | Our Legitimate Interests. Processing is necessary for the purpose of the legitimate interests pursued by us and the interests of our users when, for example, we detect and prevent fraud and abuse in order to protect the security of our users, ourselves, or others. |
- IP address | To provide you with our Services. We process your Personal Data to provide the Services to you and process your orders. | Performance of a Contract. Processing is necessary for the performance of a contract to which you are a party. |
- Corporate Email Address | To improve our Services. We process your Personal Data to improve our services, for example, when we want to enhance your experience when navigating our site. | Our Legitimate Interests. Processing is necessary for the purpose of the legitimate interest pursued by us to improve our Services and enhance our user experience. |
- Corporate Email Address. | To do research and innovate. We carry out surveys to learn more about your experience using our Services. In that way we can support research and drive innovations of our Services and products. | We rely on your consent to process your Personal Data. You may withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. |
- Corporate Email Address | We use your contact information for responding to and communicating with you regarding your inquiry. | We rely on your consent to process your Personal Data. You may withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. |
Ceffu does not allow anyone under the age of 18 to use our Services and does not knowingly collect Personal Data from children under 18. If we learn that Personal Data from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any Personal Data we may have collected from children under age 18, please contact us using the contact information below.
B. For Job Applicants or Employees
If you apply for a position with us or become employed by us, we collect and process your Personal Data for purposes including recruitment, onboarding, employment administration, compliance with legal obligations, and other employment-related activities. Personal Data may be collected directly from you, from third-party recruitment agencies, or from publicly available sources such as LinkedIn.
We process the following categories of Personal Data for recruitment and employment purposes:
Contact Information: We will collect your name, email address, and other relevant contact details to communicate with you about your job application and, where applicable, your employment.
Education and Employment Information: We collect your Curriculum Vitae (CV), resume, LinkedIn profile, academic certificates and transcripts, employment history, and (where relevant) salary and bonus details. We use this information to assess your suitability, process your application, conduct background checks, and manage your employment relationship.
During recruitment, we rely on your consent to process your Personal Data. Once employed, we rely on the necessity to perform your contract, comply with legal obligations, and our legitimate interests in managing the employment relationship.
Personal Data collected automatically from you:
In some cases we may collect Personal Data automatically from you, to the extent permitted under the applicable law, we may collect certain types of Personal Data automatically, for example whenever you interact with us or use the Services, when we process your usage data of the platform and when we review your browsing information. This information helps us address customer support issues, improve the performance of our sites and Services, maintain and or improve your user experience, and protect your account from fraud by detecting unauthorized access. Our legal basis for processing this data is our legitimate interest in improving our Services, ensuring the security of our Services, and maintaining a safe environment for our users, including fraud monitoring and prevention.
2. What about cookies and other identifiers?
We use cookies and similar tools to enhance your user experience, provide our Services, and enhance our efforts and understand how customers use our Services so we can make improvements. Depending on applicable laws in the region you are located in, the cookie banner on your browser will tell you how to accept or refuse cookies. A copy of our cookie policy is available here.
3. How and why Ceffu shares your Personal Data
We may share your Personal Data with third parties (including other Ceffu entities) if we believe that sharing your Personal Data is in accordance with, or required by, any contractual relationship with you or us, applicable law, regulation or legal process. When sharing your Personal Data with other Ceffu entities, we will use our best endeavors to ensure that such entities are either subject to this Privacy Notice, or follow practices at least as protective as those described in this Privacy Notice.
We may also share personal data with the following persons or in the following circumstances:
Affiliates
Personal Data that we process and collect may be transferred between companies, Services, and employees affiliates with us as a normal part of conducting business and offering our Services to you.
Third party service providers
We employ other companies and individuals to perform functions on our behalf. Examples include analysing data, providing marketing assistance, processing payments, transmitting content, and assessing and managing credit risk. These third-party service providers only have access to Personal Data needed to perform their functions, but may not use it for other purposes. Further, they must process the Personal Data in accordance with our contractual agreements and only as permitted by applicable data protection laws.
Virtual Asset Service Provider (VASP) or Crypto-Asset Service Provider (CASP)
In accordance with applicable regulatory requirements commonly referred to as the “Travel Rule,” we may share certain information about you and the counterparty when you send digital assets to, or receive digital assets from, a wallet or account held with another virtual asset or crypto-asset service provider. Such sharing is carried out to comply with legal obligations, prevent financial crime.
Legal Authorities
We may be required by law or by Court to disclose certain information about you or any engagement we may have with you to relevant regulatory, law enforcement and/or other competent authorities. We will disclose information about you to legal authorities to the extent we are obliged to do so according to the law. We may also need to share your information in order to enforce or apply our legal rights or to prevent fraud.
Business transfers
As we continue to develop our business, we might sell or buy other businesses or services. In such transactions, user information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the user consents otherwise). Also, in the unlikely event that Ceffu or substantially all of its assets are acquired by a third party, user information will be one of the transferred assets.
Protection of Ceffu and others
We release accounts and other personal data when we believe release is appropriate to comply with the law or with our regulatory obligations; enforce or apply our Terms of Use and other agreements; or protect the rights, property or safety of Ceffu, our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction.
4. International transfers of Personal Data
To facilitate our global operations, we may transfer, store and process within our Affiliates, third-party partners, and service providers based throughout the world. The EEA includes the European Union countries as well as Iceland, Liechtenstein, and Norway. Transfers outside of the EEA are sometimes referred to as “third country transfers”.
In cases where we intend to transfer Personal Data to third countries or international organisations outside of the EEA, we put in place suitable technical, organizational and contractual safeguards (including Standard Contractual Clauses), to ensure that such transfer is carried out in compliance with applicable data protection rules, except where the country to which the Personal Data is transferred has already been determined by the European Commission to provide an adequate level of protection.
We also rely on decisions from the European Commission where they recognise that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for Personal Data. These decisions are referred to as “adequacy decisions”.
5. How secure is my information?
We design our systems with your security and privacy in mind. We have appropriate security measures in place to prevent your information being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We work to protect the security of your Personal Data during transmission and while stored by using encryption protocols and softwares. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Personal Data. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know.
Our security procedures mean that we may ask you to verify your identity to protect you against unauthorised access to your account. We recommend using a unique password for your Ceffu account that is not utilized for other online accounts and to sign off when you finish using a shared computer.
6. What about advertising?
In order for us to provide you with the best user experience, we may share your Personal Data with our marketing partners for the purposes of targeting, modeling, and/or analytics as well as marketing and advertising. You have a right to object at any time to processing of your personal data for direct marketing purposes (see Section 7 “What Rights Do I Have”? below).
7. What rights do I have?
Subject to applicable law, as outlined below, you have a number of rights in relation to your privacy and the protection of your Personal Data. You have the right to request access to, correct, and delete your Personal Data, and to ask for data portability. You may also object to our processing of your Personal Data or ask that we restrict the processing of your Personal Data in certain instances. In addition, when you consent to our processing of your Personal Data for a specified purpose, you may withdraw your consent at any time. If you want to exercise any of your rights please contact us via our online form. These rights may be limited in some situations - for example, where we can demonstrate we have a legal requirement to process your Personal Data.
Right to access: you have the right to obtain confirmation that your Personal Data are processed and to obtain a copy of it as well as certain information related to its processing;
Right to rectify: you can request the rectification of your Personal Data which are inaccurate, and also add to it. You can also change your Personal Data in your account at any time.
Right to delete: you can, in some cases, have your Personal Data deleted;
Right to object: you can object, for reasons relating to your particular situation, to the processing of your Personal Data. For instance, you have the right to object where we rely on legitimate interest or where we process your data for direct marketing purposes;
Right to restrict processing: You have the right, in certain cases, to temporarily restrict the processing of your Personal Data by us, provided there are valid grounds for doing so. We may continue to process your Personal Data if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law;
Right to portability: in some cases, you can ask to receive your Personal Data which you have provided to us in a structured, commonly used and machine-readable format, or, when this is possible, that we communicate your Personal Data on your behalf directly to another data controller;
Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter;
Right to lodge a complaint with the relevant data protection authority: We hope that we can satisfy any queries you may have about the way in which we process your Personal Data. However, if you have unresolved concerns, you also have the right to complain to the data protection authority in the location in which you live, work or believe a data protection breach has occurred.
If you have any questions or objections as to how we collect and process your Personal Data, please contact us via our online form.
8. How long is my Personal Data kept?
We keep your Personal Data to enable your continued use of theServices, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, and as may be required by law such as for tax and accounting purposes, compliance with Anti-Money Laundering laws, or as otherwise communicated to you.
9. Contact information
Our data protection officer can be contacted via our online form, and will work to address any questions or issues that you have with respect to the collection and processing of your Personal Data.
10. Ceffu's relationship to you
The Ceffu group operates through multiple legal entities. The legal entity that provides you with the Services is responsible for determining how and why your Personal Data is processed and therefore acts as your Data Controller.
If you enter into a contract with, or receive the Services from, or apply for a position with our Poland entity, the Poland entity identified below will act as your Data Controller.
CH Europe Digital Solutions Sp. z.o.o. legal entity code: 0001031451, registered office address: Powstańców Śląskich street 103, Warszawa (01-355), Poland.
11. Notices and revisions
If you have any concerns about privacy at Ceffu, please contact us, and we will try to resolve them. You also have the right to contact your local Data Protection Authority.
Our business changes regularly, and our Privacy Notice may change also. You should check our websites frequently to see recent changes. Unless stated otherwise, our current Privacy Notice applies to all information that we have about you and your account.