- What personal information about you we may collect
- How we may use your personal information
- Whom we may disclose your personal information to
- Our use of automated decision-making
- How we protect your personal information
- How to contact us
- Your rights to prevent marketing and to access and update your personal information
- Our Cookies Policy
- Information We May Collect About You
2.1. We may collect the following personal information from you when you open a Paxos Account:
- Contact Information: name, address, email address
- Account information: username and password
- Financial Information: bank and bank account numbers
- Identity Verification Information: date of birth, tax ID number, images of government issued ID, passport, national ID or driving license
- Tax identification number
- Residence Verification Information: Utility bill details or similar information
- In addition, for institutional customers:
- Organizational Information: proof of legal existence, business licenses
- Identification Information for beneficial owners, principals and executive management (as applicable)
2.2. We also automatically collect certain computer, device and browsing information when you access the Paxos website:
- Computer or mobile device information, including IP address, operating system, browser type
- Website usage information
- Location information
2.3. We also may collect personal information about you (including your beneficial owners, principals and executive management, as applicable) from public databases and ID verification partners, including:
- public employment profile
- criminal history
- credit history
- status on any politically exposed person and sanctions lists
- other information to help validate your identity
2.4. We also collect personal information disclosed by you when you contact us or respond to our communications (e.g., email, telephone, other writing).
2.5. We also collect the following personal information from your usage of our products and services:
- Account Information: information that is generated by your account activity, including, but not limited to, purchases and redemptions, deposits, withdrawals and account balances.
When we require certain personal information from you, it is because we are required by applicable law to collect this information or it is relevant for specified purposes. We may not be able to serve you as effectively or offer you all of our services if you elect not to provide certain types of information.
- Uses Made of Your Personal Information
We may use your personal information in the ways listed below.
If you are based in the European Economic Area (EEA), use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available can be found in the table below. We note the grounds we use to justify each use of your information next to the use below.
These are the principal legal grounds that justify our use of your personal information:
|Consent: where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use).|
|Contract performance: where your information is necessary to enter into or perform our contract with you.|
|Legal obligation: where we need to use your information to comply with our legal obligations.|
|Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.|
|Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.|
These are the principal legal grounds that justify our use of your special categories of personal information:1
|Legal claims: where your information is necessary for us to establish, defend, prosecute or make a claim against you, us or a third party.|
|In the substantial public interest: Processing is necessary for reasons of substantial public interest, on the basis of EU or local law.|
|Explicit consent: You have given your explicit consent to the processing of those personal information for one or more specified purposes. You are free to withdraw your consent by contacting us in as per section 6 below. If you do so, we may be unable to provide a service that requires the use of such data.|
We may use your personal information for our core business purposes, including:
- To provide our services effectively to our clients and conduct our business ► to administer our services, including to carry out our obligations arising from any agreements entered into between our clients and us, which may include passing your data to third parties such as agents or contractors or to our advisors (e.g., legal, financial, business or other advisors). We may also use your personal information to develop our products and services, to evaluate new products and services and to improve our service quality, including by performing statistical analysis and reporting on transactions and site usage. In addition, we may use your personal information for financial reporting, management reporting, audit and record keeping purposes.
Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you)
- To manage our risk ► We may use your personal information in managing the risk of our client base, including for assessing and processing applications, instructions or requests from you, maintaining credit and risk related models, managing our infrastructure and business operations and complying with internal policies and procedures and monitoring the use of our products and services.
Use justification: contract performance, legitimate interests (to manage the risk of our client base and to ensure you fall within our acceptable risk profile). Where this includes special categories of personal information, we will usually rely on substantial public interests (processing for the prevention and detection of fraud/crime), or very rarely where necessary, explicit consent.
- To receive services from our vendors and conduct our business ► to receive services, including to carry out our obligations arising from any agreements entered into between our vendors and us, which may include passing your data to third parties such as agents or contractors or to our advisors (e.g., legal, financial, business or other advisors). This includes vendors that provide ID verification and sanctions tools, which we use to help verify your identity and comply with our legal obligations, such as anti-money laundering laws. ID verification partners use a combination of government records and publicly available information to verify identity. This also includes the financial institutions with which we partner to process payments you have authorized. Our contracts require these vendors to only use your information in connection with the services they perform for us, and prohibit them from selling your information to anyone else.
Use justification: legal obligations, legitimate interests (to enable us to perform our obligations and receive services from vendors). Where this includes special categories of personal information, we will usually rely on substantial public interests (processing for the prevention and detection of fraud/crime), or very rarely where necessary, explicit consent.
Use justification: legal obligation, contract performance, legitimate interests (to enable us to manager client risk). Where this includes special categories of personal information, we will usually rely on substantial public interests (processing for the prevention and detection of fraud/crime), or very rarely where necessary, explicit consent.
Use justification: legal obligations, legitimate interests (to ensure that your organization falls within our acceptable risk profile and to assist with the prevention of crime and fraud). Where this includes special categories of personal information, we will usually rely on substantial public interests (processing for the prevention and detection of fraud/crime), or very rarely where necessary, explicit consent.
- To reorganise or make changes to our business ► In the event that we are (i) subject to negotiations for the sale of our business or part thereof to a third party, (ii) sold to a third party or (iii) undergo a reorganization, we may need to transfer some or all of your personal information to the relevant third party (or its advisors) as part of any due diligence process or transferred to that reorganized entity or third party and used for the same purposes as set out in this policy or for the purpose of analysing any proposed sale or reorganization.
Use justification: legitimate interests (in order to allow us to change our business)
- In connection with legal or regulatory obligations ► Law enforcement, regulators and the court service ► We may share your information with law enforcement, regulatory authorities, tax authorities (including the US Internal Revenue Service pursuant to the Foreign Account Tax Compliance Act, to the extent this applies), self regulatory organizations (such as those that operate virtual currency derivative exchanges) and officials, or other third parties when we are compelled to do so by a subpoena, court order, or similar legal procedure, or when we believe in good faith that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our Terms and Conditions or any other applicable policies. We may also use your personal information to otherwise comply with all applicable laws, regulations, rules, directives and orders.
Use justification: legal obligations, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities). Where this includes special categories of personal information, we will usually rely on legal claims, substantial public interests (processing for the prevention and detection of fraud/crime), or very rarely where necessary, explicit consent.
- In order to communicate with you ► We may use your personal information to communicate with you, including providing you with updates on changes to products, services and banking facilities (whether made available by us or through us) including any additions, expansions, suspensions and replacements of or to such products, services and banking facilities and their terms and conditions.
Use justification: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you)
- In connection with disputes ► We may use your personal information to address or investigate any complaints, claims or disputes and to enforce obligations owed to us.
Use justification: legal claims, contract performance, legitimate interests (to enforce our rights under our agreements with you). Where this includes special categories of personal information, we will usually rely on legal claims, or very rarely where necessary, explicit consent.
- For advertising ► Subject to applicable laws and regulations, we may use your personal information to inform our advertising and marketing strategy and to tailor our messaging to your needs. Where required by law, we will ask for your consent at the time we collect your data to conduct such marketing. An opt-out mechanism will be provided to you in each communication to enable you to exercise your right to opt out of any direct marketing. We never sell your information. You may withdraw this consent/opt-out at any time without affecting the lawfulness of processing based on your prior consent.
Use justification: consent, legitimate interest (to keep you updated with news in relation to our products and services)
- Automated Decision-Making
We may use criteria such as your identifying information (e.g., your name, tax id number or date of birth) to validate your identity against public records on an automated basis or without human/manual intervention.
We do this on the basis that it is necessary for us to enter into a contract with you. If you fail to meet these criteria, your application to use the Paxos platform will be rejected.
You may also request that we provide information about our methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify (or request the relevant third party to verify) that the algorithm and source data are functioning as anticipated without error or bias.
- Transmission, Storage and Security of Your Personal Information
Security over the internet
5.1. No data transmission over the Internet or website can be guaranteed to be secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements.
5.2. All information you provide to us is stored on our or our subcontractors’ secure servers and accessed and used subject to our security policies and standards. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our websites, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password with anyone.
Export outside the EEA (this section only applies if you are based in the EEA)
5.3. Your personal information may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the EEA in which data protection laws may be of a lower standard than in the EEA. Regardless of location or whether the person is an employee or contractor, we will impose the same data protection safeguards that we deploy inside the EEA.
5.4. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries that have not had these approvals, (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm), we will either ask for your consent to the transfer or transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities.
5.5. Please contact us as set out in section 6.4 below if you would like to see a copy of the specific safeguards applied to the export of your personal information.
5.6. We will retain your personal information for as long as is necessary for the processing purpose(s) for which they were collected and any other permitted linked purpose (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). So if information is used for two purposes, we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires.
5.7. We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs, and your information that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed. By way of example:
- use to perform a contract: in relation to your personal information used to perform any contractual obligation to you, we may retain that personal information whilst the contract remains in force plus a further period (depending on jurisdiction and other factors) to deal with any queries or claims thereafter;
- copies of evidence obtained in relation to AML checks: in relation to your personal information obtained in relation to AML checks, we may retain that personal information whilst our client relationship remains in force plus a further 5 years to deal with any queries or claims thereafter; and
- where claims are contemplated: in relation to any information where we reasonably believe it will be necessary to defend or prosecute or make a claim against you, us or a third party, we may retain that information for as long as that claim could be pursued.
5.8. PAX and other virtual currencies may not be fully anonymous as a result of the public digital ledgers reflecting these currencies. Generally, anyone can view the balance and transaction history of any public wallet address. We, and others who are able to can match your public wallet address to other information about you, and also may be able to identify you from a blockchain transaction. Furthermore, third parties may use data analytics to identify other information about you. Please note that such third parties have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information.
- Your Rights & Contacting Us
6.1. You have the right to ask us not to process your personal information for marketing purposes. We will inform you if we intend to use your information for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by not checking certain boxes on our marketing consent form. You can also exercise the right at any time by contacting us as set out below.
6.2. We will use reasonable endeavours to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by contacting us as set out below.
Your Rights (this section only applies if you are based in the EEA):
6.3. Where you are based in the EEA, under certain conditions under EU data protection law, you may have the right to require us to:
- provide you with further details on the use we make of your information;
- provide you with a copy of information that you have provided to us;
- update any inaccuracies in the personal information we hold (please see paragraph 6.2);
- delete any personal information the we no longer have a lawful ground to use;
- where processing is based on consent, to withdraw your consent so that we stop that particular processing (see section 6.1 for marketing);
- transmit the personal information you have provided to us and we still hold about you to a third party electronically;
- object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
- restrict how we use your information whilst a complaint is being investigated.
Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g., the prevention or detection of crime) and our interests (e.g., the maintenance of legal privilege). If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.
If we are unable to resolve an inquiry or a complaint, you have the right to contact the data protection regulator in the EEA country in which you are based. A list of the data protection regulators and their contact details can be found at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
6.4. If you have any questions in relation to this policy or your personal information, please contact: firstname.lastname@example.org, via our support page or by writing to us at Paxos Trust Company: Legal Department, 450 Lexington Ave, Suite 3952, New York, NY 10017.
6.5. In addition to the details at section 6.4, where you are based in the EEA, you can also contact our EU Representative, Paxos Technology Limited at 1 Wework Mark Square, London, Greater London, EC2A 4EG, United Kingdom; email: email@example.com.
- Processing for Fraud Prevention and Detection Purposes
7.1 Before we provide our services to you, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal information about you.
7.2. The personal information you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering and to verify your identity.
7.3 In order to do so, we may provide information to, obtain information from, and verify information with fraud prevention and debt collection agencies and credit reference agencies (in their role as fraud prevention agents). We will continue to exchange information with such parties while you have a relationship with us.
7.4. We, fraud prevention and debt collection agencies and credit reference agencies may also enable law enforcement agencies to access and use your personal information to detect, investigate and prevent crime.
7.5. Fraud prevention agencies and credit reference agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
7.6. As part of the processing of your personal information, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making as set out in section 4 of this policy.
7.7. As a consequence of processing, if we, or a fraud prevention agency or credit reference agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested or we may stop providing existing services to you.
7.8. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and credit reference agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us as per section 6 of this policy.
7.9. If you are based in the EEA, whenever fraud prevention agencies transfer your personal data outside of the EEA, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
- Cookies Policy
1“Special categories of personal information” means personal information which include personal data that may reveal racial/ethnic origin, religion/belief, health, sexual orientation, political affiliation, trade union membership and criminal convictions.