Last updated: 30 November, 2023
Ceffu (“Ceffu”, “we”, or “us”) is committed to protecting the privacy of our customers, and we take our data protection responsibilities seriously.
We provide Institutional Digital Asset Infrastructure to our Business Customers to enable their end-users to access digital asset custody services (“Services”). This Privacy Notice describes the Personal Data that we collect, use, and share about you when you explore, sign up or access Ceffu websites and applications, how it is used, when and how it is shared, the rights and choices that you have, and how you can contact us about our privacy practices. This Privacy Notice also outlines your data subject rights, including the right that you have to object to certain uses of your Personal Data.
This Privacy Notice applies to all Personal Data processing activities carried out by us, across our platform websites and departments. We are a platform that provides Institutional Digital Asset Infrastructure Custody Services, and in order to provide our Services to our Business Customers, we collect and process personal data. Business Customers are entities which directly and indirectly directs its users to Ceffu in connection with its business and activities. End Customers are those customers that are leveraging services directly from Ceffu.
To the extent that you are not a relevant stakeholder, customer or user of our Services, but are using our website, this Privacy Notice also applies to you together with our Cookie Notice.
1. What personal data does Ceffu collect and process?
Personal Data means any information that relates to an identified or identifiable individual, and can include information that you provide to us and that we collect about you, such as when you engage with our websites (e.g. device information, IP address).
Personal Data You Provide to Us
When we refer to “Personal Data you provide to us”, this means any information that you provide to us about yourself. This information is either required by law (e.g., to verify your identity and comply with “Know Your Business” obligations), necessary to provide the requested Services (e.g., you will need to provide your contact details in order to open your account), or is relevant for certain specified purposes, described in greater detail below.
Failure in providing the data required implies that Ceffu will not be able to offer you our Services.
Personal Data collected automatically from you:
In some cases we may collect personal data automatically from you, to the extent permitted under the applicable law, we may collect certain types of personal data automatically, for example whenever you interact with us or use the Services, when we process your usage data of the platform and when we review your browsing information. This information helps us address customer support issues, improve the performance of our sites and Services, maintain and or improve your user experience, and protect your account from fraud by detecting unauthorized access.
Ceffu does not allow anyone under the age of 18 to use our Services and does not knowingly collect personal data from children under 18.
2. What about cookies and other identifiers?
3. How and why Ceffu shares your personal data
We may share your Personal Data with third parties (including other Ceffu entities) if we believe that sharing your Personal Data is in accordance with, or required by, any contractual relationship with you or us, applicable law, regulation or legal process. When sharing your Personal Data with other Ceffu entities, we will use our best endeavors to ensure that such entities are either subject to this Privacy Notice, or follow practices at least as protective as those described in this Privacy Notice.
We may also share personal data with the following persons or in the following circumstances:
Personal Data that we process and collect may be transferred between companies, Services, and employees affiliates with us as a normal part of conducting business and offering our Services to you.
Third party service providers
We employ other companies and individuals to perform functions on our behalf. Examples include analysing data, providing marketing assistance, processing payments, transmitting content, and assessing and managing credit risk. These third-party service providers only have access to personal data needed to perform their functions, but may not use it for other purposes. Further, they must process the personal data in accordance with our contractual agreements and only as permitted by applicable data protection laws.
We may be required by law or by Court to disclose certain information about you or any engagement we may have with you to relevant regulatory, law enforcement and/or other competent authorities. We will disclose information about you to legal authorities to the extent we are obliged to do so according to the law. We may also need to share your information in order to enforce or apply our legal rights or to prevent fraud.
As we continue to develop our business, we might sell or buy other businesses or services. In such transactions, user information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the user consents otherwise). Also, in the unlikely event that Ceffu or substantially all of its assets are acquired by a third party, user information will be one of the transferred assets.
Protection of Ceffu and others
4. International transfers of personal information
To facilitate our global operations, we may transfer, store and process within our Affiliates, third-party partners, and service providers based throughout the world. The EEA includes the European Union countries as well as Iceland, Liechtenstein, and Norway. Transfers outside of the EEA are sometimes referred to as “third country transfers”.
In cases where we intend to transfer personal data to third countries or international organisations outside of the EEA, we put in place suitable technical, organizational and contractual safeguards (including Standard Contractual Clauses), to ensure that such transfer is carried out in compliance with applicable data protection rules, except where the country to which the personal data is transferred has already been determined by the European Commission to provide an adequate level of protection.
We also rely on decisions from the European Commission where they recognise that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for personal data. These decisions are referred to as “adequacy decisions”.
5. How secure is my information?
We design our systems with your security and privacy in mind. We have appropriate security measures in place to prevent your information being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We work to protect the security of your personal data during transmission and while stored by using encryption protocols and softwares. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
Our security procedures mean that we may ask you to verify your identity to protect you against unauthorised access to your account. We recommend using a unique password for your Ceffu account that is not utilized for other online accounts and to sign off when you finish using a shared computer.
6. What about advertising?
In order for us to provide you with the best user experience, we may share your Personal Data with our marketing partners for the purposes of targeting, modeling, and/or analytics as well as marketing and advertising. You have a right to object at any time to processing of your personal data for direct marketing purposes (see Section 7 “What Rights Do I Have”? below).
7. What rights do I have?
Subject to applicable law, as outlined below, you have a number of rights in relation to your privacy and the protection of your personal data. You have the right to request access to, correct, and delete your personal data, and to ask for data portability. You may also object to our processing of your personal data or ask that we restrict the processing of your personal data in certain instances. In addition, when you consent to our processing of your personal information for a specified purpose, you may withdraw your consent at any time. If you want to exercise any of your rights please contact firstname.lastname@example.org. These rights may be limited in some situations - for example, where we can demonstrate we have a legal requirement to process your personal information.
Right to access: you have the right to obtain confirmation that your Personal Data are processed and to obtain a copy of it as well as certain information related to its processing;
Right to rectify: you can request the rectification of your Personal Data which are inaccurate, and also add to it. You can also change your Personal Data in your account at any time.
Right to delete: you can, in some cases, have your Personal Data deleted;
Right to object: you can object, for reasons relating to your particular situation, to the processing of your Personal Data. For instance, you have the right to object where we rely on legitimate interest or where we process your data for direct marketing purposes;
Right to restrict processing: You have the right, in certain cases, to temporarily restrict the processing of your Personal Data by us, provided there are valid grounds for doing so. We may continue to process your personal data if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law;
Right to portability: in some cases, you can ask to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format, or, when this is possible, that we communicate your Personal Data on your behalf directly to another data controller;
Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter;
Right to lodge a complaint with the relevant data protection authority: We hope that we can satisfy any queries you may have about the way in which we process your personal data. However, if you have unresolved concerns, you also have the right to complain to the data protection authority in the location in which you live, work or believe a data protection breach has occurred.
If you have any questions or objections as to how we collect and process your personal data, please contact email@example.com.
8. How long is my personal data kept?
We keep your Personal Data to enable your continued use of theServices, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, and as may be required by law such as for tax and accounting purposes, compliance with Anti-Money Laundering laws, or as otherwise communicated to you.
9. Contact information
Our data protection officer can be contacted at firstname.lastname@example.org, and will work to address any questions or issues that you have with respect to the collection and processing of your Personal Data.
10. Ceffu's relationship to you
The Data Controller for the personal data collected and processed in connection with the provision of the Services is CH Europe Digital Solutions Sp. z.o.o. legal entity code: 0001031451, registered office address: ul. Bartycka, no 22B, lok. 21A, Warszawa, 00-716, Poland.
11. Notices and revisions
If you have any concerns about privacy at Ceffu, please contact us, and we will try to resolve them. You also have the right to contact your local Data Protection Authority.
Our business changes regularly, and our Privacy Notice may change also. You should check our websites frequently to see recent changes. Unless stated otherwise, our current Privacy Notice applies to all information that we have about you and your account.