Privacy Notice

KYC for SAFT Purposes

This privacy notice explains how your personal data is used in connection with the KYC in accordance with the General Data Protection Regulation 2016/678 (“GDPR”).

  1. Controller: VOTTUN, S.L. with its registered office in Spain, is the controller of your personal data (“Controller”, “we”, “us”, “our” etc.).
  2. Data Protection Officer: We have appointed Marta Valles Tomas as the Data Protection Officer (“DPO”). You can contact the DPO by email at: [email protected].
  3. Contact details: You can contact the Controller to submit your privacy request through the following channels:
    1. By writing an email: [email protected]
    2. By sending a letter by post, indicating in the request which right is being exercised, to the address: C. Aribau, 230 6-1, 08006 Barcelona (Spain).
  4. Purpose of the processing and its legal basis: We are processing your personal data in order to perform Know-Your-Customer identity verification and checks (“KYC”) in connection with the Simple Agreement for Future Tokens (“SAFT”) executed between you and the Controller. The legal grounds for the processing of your personal data are:
    1. necessity of processing for the performance of the SAFT (Art. 6(1)(b) of the GDPR) – as regards your personal data contained in the documentation provided by you; and
    2. if applicable, your explicit consent for processing of your biometric data for the purpose of uniquely identifying you by capturing your face and processing it using biometric identification solutions (Art. 9(2)(a) of the GDPR) – as regards your biometric data; and
    3. our legitimate interest (Article 6(1)(f) GDPR), which consists of fraud detection and compliance with industry standards as regards KYC and anti-money laundering or counter-terrorist financing – as regards your other personal data not set out in letters a)-b) above.
  5. Data sources: We process your personal data provided by you, such as your email address, name and surname, current address (as determined on the basis of the proof of address provided by you) and so on. We also process personal data obtained by our KYC service provider acting on our behalf or by us from relevant publicly accessible sources, such as public registers, sanction lists or lists of persons entrusted with prominent public functions (so-called “politically exposed persons” or “PEP”).
  6. Data categories: We process the following categories of your personal data in connection with KYC:
    1. general data – such as full name, sex, personal identification code or number, date of birth, legal capacity, nationality, and citizenship;
    2. ID document data – such as document type, issuing country, number, expiry date, security features;
    3. contact data – such as e-mail address, address (e.g. street, city, country, postcode);
    4. biometric data – such as data obtained by extracting your facial features from uploaded or recorded facial images on government-issued identity documents submitted by you;
    5. facial image data – such as photos or videos of your face;
    6. KYC-related data – such as information about whether you are on an international sanction list, whether you are a PEP etc.;
    7. technical data – such as IP address, information about your operating system or other software used by your device, hardware details or statistics derived from this data.
  7. Data storage: We store your personal data for the term of the SAFT. The duration of storage or use of your data may be extended in certain situations. For example, we may store your personal data after you terminate the agreement with us when required by law. We may also continue to store and use the same dataset if we use it for a different purpose and on a different legal basis, if admissible by law. For example, if the SAFT is terminated or expires, we may continue to use personal data provided by you when necessary to establish and assert possible claims or to defend against claims.
  8. Data recipients: We share your personal data with Sum and Substance Ltd registered in England, London (“SumSub”) – our KYC service provider and processor who is processing your personal data on our behalf. In some cases, SumSub may act as an independent controller of your personal data. To understand more about the services SumSub provides to us, you can consult the SumSub Privacy Notice available at: We may also share your personal data with the following categories of recipients: data storage providers, our affiliates and subsidiaries, or professional advisors, such as lawyers, accountants, and tax advisors. We do not share your personal data unless it is necessary. We require data recipients to keep your data secure and confidential.
  9. Data recipients outside the EEA: The level of protection for the personal data outside the European Economic Area (“EEA”) may differ from that provided by the EU law. For this reason, we transfer your personal data outside the EEA only when necessary and with an adequate level of protection, primarily by cooperating with processors of the personal data in countries for which there has been a relevant European Commission decision finding an adequate level of protection for the personal data. Alternatively, we may use the standard contractual clauses issued by the European Commission. If you want to learn more about these safeguards, obtain a copy of them or learn where they have been made available, contact us.
  10. Requirement to provide data: You are contractually obligated to provide us with your personal data for KYC purposes in accordance with SAFT’s terms and conditions, except for biometric data, which is voluntary. If you do not provide us with biometric data, we will not be able to use liveness or similar features to establish and verify your identity. In such a situation, we may ask for additional information by other means, such as a visit to our office for on-site identification.
  11. Automated decision-making: The KYC verification involves semi-automated decision-making and automated means of processing. For example, our KYC service providers may make automated checks of your personal data against the information in multiple databases, including sanction lists or lists of PEPs to verify your presence in such databases and the authenticity of provided documents. This also includes automatic face comparison from the photo of an identity document and the facial image, facial scans connected with liveness and so on. However, we manually check all the results of semi-automated processing. The results of the KYC determine whether we can perform the SAFT. If the results of the KYC are positive, we will perform the SAFT. If the results of the KYC are negative, you will be flagged for additional manual review by us. If the result of the additional manual review is also negative, we will have the right to settle with you as per the terms of the SAFT. Should we want to use a solely automated decision-making process as regards your personal data, we will collect your prior consent for such processing.
  12. Right to withdraw consent: You have the right to withdraw your consent to the processing of your personal data. You can do this at any time. If you withdraw consent, we will stop using your personal data where the basis for processing is consent. Withdrawal of consent does not affect the lawfulness of processing your data based on consent before withdrawal. The right to withdraw consent applies only to the extent that your personal data is processed based on consent.
  13. Right to object: You have the right to object to the processing of your personal data based on legitimate interest(s), our or those of a third party. You can do this at any time. If you raise an objection, we will stop using your personal data where the basis for processing is our legitimate interest. In exceptional circumstances, we may continue to use your data despite your objection. This exception does not apply when you object to the processing of data for direct marketing purposes, i.e., if you object to it, we will stop processing your personal data on this basis.
  14. Rights related to automated decision-making: Should we use a fully automated decision-making process as regards your personal data with your prior consent, you will have the right to contest the decision, the right to express your point of view and the right to have your case analysed and to have the decision taken by our employee.
  15. Right to lodge a complaint: You can lodge a complaint with the supervisory authority dealing with the protection of personal data. You can lodge such a complaint with your local data protection authority. You can find a list of data protection authorities in the EU and their contact details at:
  16. Other rights: You have a right to request from us access to and rectification or erasure of personal data or restriction of processing concerning you and to object to processing as well as the right to data portability.