Privacy Policy

  • BitFlow
  • 16 Jun 2025
  • Important
  1. Introduction
    1. This Privacy Policy specifies Bitflow’s policies and procedures regarding the collection, use, disclosure and other processing of the User’s Personal Data (Personal Information) when using Our Bitflow Website, Wallet, Platform and/or Services.
    2. Bitflow is committed to protecting the Personal Data (Personal Information) that the Users share with Us. Any Personal Data (Personal Information) stored on Bitflow Wallet, Website, Platform and/or Services is treated as Confidential Information, and all such information is stored securely and is accessed only by Bitflow’s authorized personnel in accordance with the GDPR requirements and principles.
    3. Bitflow implements and maintains appropriate technical, security and organizational measures to protect Personal Data (Personal Information) against unauthorised and/or unlawful processing, disclosure and use, including but not limited to accidental loss, destruction, damage, theft or disclosure of collected Personal Data (Personal Information).
    4. Bitflow provides a platform for exchanging Virtual Assets, as well as providing other Services, specified in the Bitflow’s Terms of Use. In this regard, this Privacy Policy explains how Bitflow processes Personal Data (Personal Information) that can be used to directly or indirectly identify our Users collected through the use of Bitflow’s Website, Platform and/or Services.
    5. This Policy applies where We are acting as a Data Controller with respect to the Personal Data (Personal Information) of Our Website Visitors and Service Users. In other words, where We determine the purposes and means of the processing of that Personal Data (Personal Information).
    6. We will also ask You to agree to Our use of cookies in accordance with Our Cookies Policy when You first visit Our Website.
    7. This Privacy Policy is a binding, mandatory and integral part of the Terms of Use and constitutes an Additional Document specified in Bitflow’s Terms of Use.
    8. For the purposes of this Privacy Policy, Bitflow defines the terms “User” or “You” as a natural or legal person, either a User-Visitor of Our Website and/or as the User specified in the Terms of Use. The term “We”, “Us”, and/or “Our” refers to Bitflow.
  2. Definitions
    1. Terms used in this Privacy Policy shall be interpreted in accordance with the definitions provided below:
      • “Bitflow” means Bitflow Lab s.r.o., i.e. a company registered and incorporated under the laws of the Czech Republic with the business registration number (Identifikační číslo): 19305800, having its registered office at: Chudenická 1059/30, Hostivař, 102 00 Praha 10, Czech Republic. Bitflow Lab s.r.o. has been granted a trade license (authorisation) for providing services related to virtual assets.
      • “Data subject” means the User-natural person, i.e. an identifiable natural person, being one who can be directly or indirectly identified.
      • “User-Visitor” means the User-natural person who only visits the Bitflow’s Website.
      • “DPAs” mean legally binding documents that outline the terms and conditions under which Personal Data (Personal Information) is processed by a third party on behalf of a Data Controller that ensures compliance with the GDPR and other applicable EU data protection laws.
      • “ePrivacy Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
      • “Data Controller” means Bitflow, i.e. the legal person which determines the purposes and means of the Processing of Personal Data.
      • “Third-Party Processor” means a person, which processes Personal Data (Personal Information) under the direct authority and on behalf of the Data Controller.
      • “Third-Party Services” mean the services provided by an external natural or legal person that is not part of Bitflow.
      • “AML” or “AML/CFT” means a set of applicable laws, regulations and procedures aimed at preventing money laundering, terrorist financing and any other criminal activity by using funds as legitimate income.
      • “KYC” means a process used by Bitflow as an AML/CFT Obliged Person to verify the identity of their clients (Users).
      • “KYT” means a process used by Bitflow as an AML/CFT Obliged Person to verify, monitor, and/or analyse individual transactions to detect suspicious and/or unusual activity that may indicate fraudulent behavior or illicit financial activities.
      • “Cookies” mean small text files that are saved on the User’s device when accessing the Website. They allow Bitflow to recognize Your device, store some information about Your preferences or past actions on the Website, and facilitate Bitflow in improving the Website.
      • “AML/CFT Obliged Person” means Bitflow, i.e. the person who under applicable AML laws is obliged to prevent money laundering, terrorist financing and any other criminal activity by using funds as legitimate income.
      • “Standard Contractual Clauses” or “SCCs” mean the legal bases under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council that allow data transfer towards third countries in the absence of an adequacy decision.
    2. All other terms and expressions not used in this Privacy Policy shall be interpreted in accordance with the definitions provided in the Terms of Use (including Additional Documents) and/or in the GDPR.
  3. Legal requirements applicable to this Privacy Policy
    1. The processing of Personal Data is performed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation (“GDPR”), and our processing will take place in accordance with the GDPR.
    2. In any of its activities regarding processing Personal Data (Personal Information) of its Users, Bitflow will comply with the following principles:
      • Lawfulness: Any Processing of Personal Data carried out by Bitflow as a Controller has a legal basis under the GDPR, is compliant with the requirements of the GDPR and other applicable AML/CFT laws (see in particular Articles 6, 7, 8, and 9 of the GDPR), and does not involve any otherwise unlawful processing or use of personal data.
      • Fairness: Any Processing of Personal Data carried out by Bitflow as a Data Controller is fair towards the Users whose personal data are concerned, and avoids being unduly detrimental, unexpected, misleading, or deceptive.
      • Transparency: Bitflow as a Data Controller ensures that processing of personal data is clear and transparent to Users and regulators.
      • Purpose limitation: Personal data is collected by Bitflow as a Data Controller for specified, explicit and legitimate purposes, which are determined at the time of the collection of the personal data, and not further processed in a manner that is incompatible with those purposes.
      • Data minimisation: Bitflow as a Data Controller only collects and processes personal data that are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
      • Accuracy: Bitflow as a Data Controller ensures Personal Data (Personal Information) are accurate and, where necessary, kept up-to-date.
      • Storage limitation: Bitflow as a Data Controller holds personal data, in a form which permits the identification of Users, for no longer than is necessary for the purposes for which the personal data are processed.
      • Integrity and confidentiality: Personal Data (Personal Information) is processed by Bitflow as a Data Controller only in a manner that ensures the appropriate level of security and confidentiality for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
      • Accountability: Bitflow as a Data Controller takes responsibility for, and will be able to demonstrate compliance with, the other principles of data processing specified herein.
    3. In the data processing activities regarding any AML/CFT, KYC and/or KYT procedures, the Bitflow’s AML/KYC Policy will be applicable mutatis mutandis.
  4. Acceptance of this Privacy Policy
    1. Bitflow assumes that all Users (including Users-Visitors) of Our Website, Platform, and/or Services have carefully read this Privacy Policy and completely agree to its contents. If someone does not agree with this Privacy Policy, he/she should refrain from using our Website, Platform, and/or Services.
    2. By continuing to browse our Website after seeing the cookies banner and without changing the default settings, You consent to the processing of Your personal data as described in this Privacy Policy and our Cookies Policy.
    3. During the account creation process, Users must actively check a box confirming they have read and agree to the Privacy Policy, Cookies Policy, and Terms of Use. Account creation cannot be completed without providing such consent.
    4. Use of our Website without creating an account (including browsing pages, interacting with content, or sending messages) implies that the Visitor consents to the use of cookies and similar technologies in accordance with our Cookies Policy. Upon their first visit to the Website, Visitors are presented with a cookie notice with the option to manage their preferences.
    5. For users who create an account and use Bitflow's Services, consent to the processing of personal data - including data required for KYC/AML and other procedures - is given through explicit confirmation (by ticking a checkbox) during the account registration process, as well as through continued use of our Services. This consent covers the processing of data in accordance with this Privacy Policy, the Cookies Policy, and the Terms of Use.
    6. Bitflow reserves the right to change this Policy as necessity dictates and/or with the change of its Platform and/or Services.
    7. This Privacy Policy may be revised, modified, updated and/or supplemented at any time and at Bitflow’s sole discretion. When We make changes to this Privacy Policy, We will make the amended Privacy Policy available on Our Website.
    8. By using Our Website, Wallet, Platform and/or Services for buying, selling, and/or storing Virtual Assets, You agree with the implied changes.
    9. The Users acknowledge and agree that they are responsible for periodically reviewing Our Website (including this Privacy Policy) to remain informed of any changes and/or modifications.
    10. Any use of the Website, Wallet, Platform and/or Services following the posting of an amendment to Our Privacy Policy constitutes Your acceptance of the revised or amended agreement.
    11. In case of a change in the types, purpose or processing procedure of Your Personal Data, Bitflow will ask for Your consent if required by EU and national regulations.
    12. Please note: For website visitors, only cookies and voluntarily submitted data are processed. For registered Users, additional personal data such as identification, transaction, and AML/KYC-related data is processed.
  5. Data Controller and Third-Party Processors
    • Bitflow processes Personal Data as a Data Controller, as defined in the GDPR.
    • The Users’ Data shall be processed by a Third-Party Processor to use, collect and process Users’ data on behalf of Bitflow.
    • Some services in the Bitflow Wallet are provided by third-party organizations (processors), such as processing bank cards when buying Virtual Assets, paying to the addresses of projects that provide services by accepting Virtual Assets as payment, which requires mandatory AML/KYC procedures, which in turn are carried out by a certified third-party service, collecting, transmitting and storing Users' personal information on their resources.
    • In accordance with Article 13(1)(e) GDPR, i.e. information about the recipients or categories of recipients of the personal data, Bitflow engages the following categories of third-party processors:
      1. Cloud infrastructure and hosting providers;
      2. Payment processors and banking partners;
      3. AML/KYC and sanctions screening providers;
      4. Analytics and user behavior tracking tools;
      5. Identity verification and fraud prevention service providers;
      6. Customer support and ticketing platforms;
      7. Legal and audit consultants, if necessary for the fulfillment of Bitflow's obligations.
      All engaged Processors operate strictly within the scope of contractual obligations and GDPR requirements.
    • Some Third-Party Processors, as experienced identity and transaction verification companies, will process Personal Data for the purposes of the necessary AML/KYC procedures. Such Third-Party Processors will obtain and process the following Users’ data:
      • Name and Surname;
      • Address;
      • Residency;
      • Date and place of birth;
      • ID number;
      • Copy ID;
      • Users’ picture;
      • E-mail address;
      • Phone number;
      • Utility bill; and
      • Other Personal Information.
    • Bitflow only uses such Third-Party Processors that have sufficient guarantees to implement appropriate technical and organisational measures in such a manner that data processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject (Users).
    • Bitflow as a Data Controller has DPAs in place with such Third-Party Processors, ensuring compliance with GDPR. All transfers of data internally are done in accordance with these Data Processing Agreements (DPAs) and other applicable GDPR requirements and industry standards.
    • Bitflow may share Your Personal Information with our employees, contractors, agents, service providers and designees to enable them to provide certain services exclusively for us.
    • In respect of operations involving the collection and disclosure of the data, Bitflow can be considered as a joint controller with Facebook, Instagram, and Google in respect of the collection and transmission of certain personal data of visitors to its Website.
  6. Third-Party Websites and Services
    1. Our website may contain links to other third-party websites.
    2. If You click on such a link, You will be directed to that site.
    3. Please note that these external websites are not operated by Bitflow.
    4. We strongly advise You to review the Privacy Policy of the third-party websites that You visit.
    5. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
    6. By submitting personal information to third-party services, You consent to the processing of Personal Data (Personal Information) about You by these Third-Party Services. Please note that Your use of these Third-Party Services is subject to their respective Terms of Use and Privacy Policy. We use and disclose any information collected in accordance with Our own Privacy Policy.
  7. Security of Personal Data (Personal Information)
    1. We are committed to protecting your information and employ several physical and electronic safeguards to keep Your information secure, including encrypted user passwords, two-factor verification and password authentication where possible, and securing all connections with industry-standard transport layer security. Even with all of these precautions, We cannot fully guarantee against access, disclosure, alteration or deletion of data as a result of events, including, but not limited to, hardware or software failure or unauthorized use. Any information You provide to us is transmitted solely at your own risk.
    2. We use a variety of security measures to ensure the confidentiality, integrity, availability and privacy of your Personal Information and to protect your Personal Information from loss, theft, unauthorised access, misuse, alteration or destruction.
    3. These security measures include, among others:
      • Password protected databases;
      • Secure Sockets Layer (SSL) technology to ensure that Your Personal Data (Personal Information) is fully encrypted and sent across the Internet securely;
      • Vulnerability Scanning to actively protect our servers from hackers and other vulnerabilities;
      • Regular penetration testing;
      • Secure coding principles;
      • Encryption of sensitive data during transfer and at rest;
      • Two-factor authentication;
      • Logging of activities performed in the platform;
      • Access controls; and
      • Other measures to mitigate risks identified during the risk assessment process.
    4. All financially sensitive and/or credit information is transmitted via SSL technology and encrypted in Our database.
    5. Only authorized Bitflow personnel are permitted access to your Personal Information, and these personnel are required to treat the information as highly confidential. The security measures will be reviewed regularly in light of new and relevant legal and technical developments.
  8. Legal Basis and Principles of Processing Your Personal Data (Personal Information)
    1. Processing means any operation or set of operations which is performed by Bitflow on personal data or on sets of personal data. Bitflow will carry out the following processing activities:
      • Collection,
      • Organisation,
      • Structuring,
      • Storage,
      • Adaptation or Alteration,
      • Consultation,
      • Use,
      • Disclosure by Transmission,
      • Restriction,
      • Erasure, and/or
      • Destruction.
    2. Processing shall be lawful only if and to the extent that at least one of the following applies:
      • The data subject (User) has given consent to the processing of his or her Personal Data for one or more specific purposes;
      • Processing is necessary for the performance of a contract to which the data subject (User) is a party or in order to take steps at the request of the data subject prior to entering into a contract;
      • Processing is necessary for compliance with a legal obligation to which the controller is subject;
      • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
      • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data.
  9. Use, collection and other processing of Personal Data (Personal Information) from the User-Visitor
    1. By using Bitflow’s Wallet, Website, Platform and/or Services, You consent to the use, disclosure and other processing practices and activities set forth in this Privacy Policy in accordance with the GDPR requirements and other applicable laws.
    2. If You are solely a User-Visitor to Our Website, and not a User of Our Wallet, Platform, and/or Services, and if You do not agree with Our Terms of Use and any and all of the provisions set out herein, We request that You refrain from visiting Our Website.
    3. Your consent to the collection and processing of Personal Data as a User-Visitor is obtained through the following procedure:
      1. Upon first visit to the Website, You are presented with a clear and prominent cookie and privacy banner.
      2. This banner informs You about the use of cookies and data collection, and includes a link to this Privacy Policy and the Cookie Policy.
      3. You give Your explicit consent by actively clicking “Accept” or a similar button on the banner.
      4. If You continue to browse the Website without providing consent to non-essential cookies, only strictly necessary cookies will be placed based on Our legitimate interest, and no other personal data will be processed until You give further consent.
      5. By interacting with Our Website after being presented with the cookie/privacy banner (e.g., by navigating to another page, submitting forms, or using interactive features), You acknowledge that You have been informed about the data processing and, where applicable, consented to it.
    4. In cases required by the applicable laws, We will ask for Your clear and explicit consent to process Your Personal Data (Personal Information), which shall be collected on this Website and/or volunteered by You.
    5. Please note that any consent of Our Users will be entirely free and voluntary. However, if You do not grant the requested free, clear and explicit consent to the processing of Your Personal Data (Personal Information) by Bitflow, the use of Our Website may not be possible and/or may be limited.
    6. Personal Data (Personal Information) collected from You as a User-Visitor, may comprise:
      • Your IP address;
      • First and Last Name;
      • Your postal and Email address;
      • Your phone number;
      • Your job title;
      • Your occupation data;
      • Your data for social networks;
      • Your geo-location data;
      • Numbers of Visitors;
      • Length of time spent on the Website;
      • Data on Your interests in our Platform and/or Services;
      • Pages clicked on or where Users-Visitors came from;
      • Cookies and similar tracking technologies;
      • Browser type, device type, and operating system;
      • Pages visited and interaction data (e.g. clicks, scrolls, time spent);
      • Voluntarily submitted information (e.g. messages via contact forms).
    7. The source of the usage data is Our analytics tracking system. This usage data may be processed for the purposes of analysing the use of the Website, Platform and/or Services and improving Users’ experience, performance and future development of our Service. The legal basis for this processing is legitimate interest (Art. 6(1)(f) of the GDPR) and the user’s consent (Art. 6(1)(a) of the GDPR), which is provided when continuing to use the website without adjusting cookies preferences after being notified. Please note: The primary legal basis for such processing is the User-Visitor’s consent, in accordance with Article 6(1)(a) of the GDPR, which is deemed to be granted when the User continues using the Website after being presented with the cookie banner and does not change cookie preferences. In limited cases, and only where strictly necessary (e.g. for ensuring platform security, preventing abuse, or maintaining basic website functionality), we may rely on our legitimate interest as a legal basis under Article 6(1)(f) of the GDPR, always ensuring that such interests are not overridden by the fundamental rights and freedoms of the data subjects. In such cases, we also adhere strictly to the principles of data minimization and purpose limitation.
    8. Data collected from non-registered visitors will be processed for:
      1. Providing basic website functionality (language settings, security, etc.) (Legal basis: Legitimate Interest (Art. 6(1)(f)) to ensure the website operates properly; Performance of a Contract (Art. 6(1)(b)) if necessary for delivering core services; Legal Obligation (Art. 6(1)(c)) in case of security-related processing (logs for detecting misuse));
      2. Monitoring and improving Website, Platform and/or Services (Legal basis: Legitimate Interest (Art. 6(1)(f)) to ensure quality and improve services.);
      3. Performing traffic and usage analytics (Legal basis: Consent (Art. 6(1)(a)) if analytics involve cookies or similar tracking technologies (per ePrivacy Directive); Legitimate Interest for aggregated, non-identifiable analytics, possibly without cookies);
      4. Responding to submitted inquiries (Legal basis: Performance of a Contract (Art. 6(1)(b)) if inquiries relate to user services; Legitimate Interest (Art. 6(1)(f)) for general communications and user support);
      5. Analysing Visitors’ behaviour (Please note: Bitflow may also share such Personal Information with Our service vendors and/or contractors to achieve this purpose) (Legal basis: Consent (Art. 6(1)(a)) if tracking technologies or profiling are used; Legitimate Interest (Art. 6(1)(f)) for limited analytics without intrusive tracking);
      6. Improving its Website by analysing how Users-Visitors navigate its Website (Legal basis: Consent (Art. 6(1)(a)) if based on tracking cookies; Legitimate Interest (Art. 6(1)(f)) if data is anonymised or aggregated);
      7. Ensuring the proper functioning and technical delivery of our Website and Platform (Legal basis: Legitimate Interest (Art. 6(1)(f)) to ensure availability and integrity of services; Legal Obligation (Art. 6(1)(c)) in relation to cybersecurity obligations);
      8. Improving user experience and optimizing performance (Legal basis: Consent (Art. 6(1)(a)) if cookies or personalization tools are involved; Legitimate Interest (Art. 6(1)(f)) for technical improvements not involving tracking);
      9. Performing analytics and statistical reporting (Legal basis: Consent (Art. 6(1)(a)) for identifiable user-level tracking; Legitimate Interest (Art. 6(1)(f)) for internal aggregated statistics);
      10. Responding to visitor inquiries or requests (Legal basis: Performance of a Contract (Art. 6(1)(b)); Legitimate Interest (Art. 6(1)(f)) if not strictly contractual);
      11. Complying with legal obligations where applicable, as well as ensuring security and preventing misuse or fraud (Legal basis: Legal Obligation (Art. 6(1)(c)) and Legitimate Interest (Art. 6(1)(f)), especially for fraud prevention.);
      12. Managing consent preferences and compliance with ePrivacy rules (Legal basis: Legal Obligation (Art. 6(1)(c)) – to comply with ePrivacy and GDPR rules);
      13. Customizing content for Users-Visitors (Legal basis: Consent (Art. 6(1)(a)) if personalization relies on tracking/profiling; Legitimate Interest (Art. 6(1)(f)) if customization is minimal or contextual);
      14. Showing ads on other Websites to Users-Visitors (Legal basis: Consent (Art. 6(1)(a)) required under GDPR and ePrivacy for behavioral advertising.);
      15. Communicating with the Users (Legal basis: Performance of a Contract (Art. 6(1)(b)) for account-related or service communications; Legitimate Interest (Art. 6(1)(f)) for general platform updates; Consent if for marketing communications (Art. 6(1)(a) + ePrivacy)).
    9. The use and processing of cookies and similar technologies is governed by our separate Cookies Policy, which Visitors are invited to review upon first visit to the Website. A cookie banner is provided to allow Visitors to manage their preferences in accordance with applicable law. The cookie banner is presented to obtain and manage consent in compliance with applicable laws. Cookies are used to enhance Website functionality, analyze usage, and provide personalized content and advertising.
    10. For more detailed information on the use and types of cookies, please refer to our Cookies Policy. This Cookie Policy forms an integral part of Bitflow’s Privacy Policy and must be read in conjunction with it. Together, they govern the use of cookies and similar technologies on Our Website.
  10. Use, collection and other processing of Personal Data (Personal Information) from the User of Bitflow’s Wallet, Platform and/or Services
    1. In order to provide its Services to its Users, Bitflow collects certain types of Personal Data (Personal Information) from Our Users. Bitflow processes the following personal data from registered users:
      1. Identity data (e.g., full name, date of birth, nationality). For the purposes of this Privacy Policy and pursuant to § 5 of the Czech AML Act No. 253/2008 Sb., “identity data” shall be understood as follows:

        For natural persons (individuals):
        1. All given names and surnames;
        2. Birth number, or if none assigned, date of birth and gender;
        3. Place of birth;
        4. Permanent or other residence;
        5. Nationality;
        6. Number and type of identity document, issuing state or authority, and validity period;
        7. If the individual is a sole trader, also their trade name, distinguishing addition or other designation, registered office, and identification number.


        For legal entities (companies):
        1. Basic identification data such as company name (including distinguishing additions or other designation), registered office, and company identification number or an equivalent number assigned abroad;
        2. Identification details of any natural person who is a member of the company’s statutory body;
        3. Identification details of any legal entity that is a member of the statutory body, including the natural persons representing that legal entity.
      2. Contact details (Email address, phone number, mailing address);
      3. KYC/KYB documents (Scans or photos of government-issued ID, proof of address, liveness/selfie checks);
      4. Transaction data (Details of transactions, dates, amounts, counterparties, status, first verification payment, etc.);
      5. Financial data (Details on payment method used, as well as masked card numbers, bank account information, IBAN/account number for fiat transactions, payment processor identifiers, transaction references, bank statements, trading information, etc.);
      6. Account-related information and technical data (Login data, IP address, location, device type, operating system, geolocation, browser type, user settings);
      7. Communication data (Contents of messages exchanged with support, complaints submitted, messages or inquiries sent, etc.);
      8. Behavioral and usage data (User interactions with the Website or Platform, time spent on pages, click behavior, session logs, browser/device info, operating system, other traffic data, etc.).
      9. Sanctions and risk screening data (Results of sanctions list checks, PEP status, adverse media, internal risk scoring, fraud indicators, etc.).
      10. Data processed for AML compliance purposes, including additional identification data where required under risk-based approach, such as employment status, occupation, employer name, income level, source of funds, or source of wealth.
      11. Residence verification information (Utility bill details, proof of address; phone bill and/or similar document);
    2. Personal Data (Personal Information) collected by Bitflow from its Users remains the property of the User and may not be shared with a third party by Bitflow without express consent from the User, unless otherwise provided in this Privacy Policy and/or applicable laws.
    3. Bitflow uses the collected Personal Data:
      • to provide its Platform and/or Services to the Users, as well as improve them (Legal basis: Performance of a contract (Art. 6(1)(b) GDPR));
      • to provide access to the functionality of the wallet and exchange services (Legal basis: Performance of a contract (Art. 6(1)(b) GDPR));
      • to improve analytics, Services and functions related to the performance of maintenance (Legal basis: Consent (Art. 6(1)(a) GDPR) and Legitimate interest (Art. 6(1)(f) GDPR));
      • to improve the operation of the Wallet and to keep Your assets safe (Legal basis: Legitimate interest (Art. 6(1)(f) GDPR), Performance of a contract (Art. 6(1)(b) GDPR) and Legal obligation (Art. 6(1)(c) GDPR));
      • to provide technical support and maintain the proper functioning of the Services (Legal basis: Performance of a contract (Art. 6(1)(b) GDPR));
      • to fulfil its legal and regulatory compliance obligations (including AML/KYC requirements and tax regulations). Please note: For the purposes of maintaining Users’ accounts and reviewing Users for the purposes of AML/KYC compliance, Bitflow will collect and process the same data that Third-Party Processors will collect in the process of User and/or transaction verification procedures (KYC/KYT) (Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR), including obligations under Czech AML Act No. 253/2008 Sb.);
      • to detect and prevent fraud and other illegal activities (Legal basis: Legal obligation (Art. 6(1)(c) GDPR));
      • to verify the User's identity (Legal basis: Legal obligation (Art. 6(1)(c)), and Performance of a contract (Art. 6(1)(b)));
      • to comply with the law or court order (Legal basis: Legal obligation (Art. 6(1)(c) GDPR));
      • to cooperate with law enforcement agencies (Legal basis: Legal obligation (Art. 6(1)(c) GDPR));
      • to enforce the signed agreement (Legal basis: Performance of a contract (Art. 6(1)(b) GDPR));
      • to protect the rights, property, or safety of us, our employees, our users, and/or others (Legal basis: Legitimate interest (Art. 6(1)(f) GDPR));
      • to send marketing communications (only where separate consent has been obtained) (Legal basis: Consent (Art. 6(1)(a) GDPR)).
  11. Rights of the Users as Data Subjects
    1. You may have the rights as set out below, which You may exercise by contacting us at [email protected]:
      • Right to Access: You are entitled to ask us if We are processing Your information and, if We are, You can request access to Your Personal Data. This enables You to receive a copy of the personal data We hold about You and certain other information about it to check that We are lawfully processing it. We process a large quantity of information, and can thus request that before the information is delivered, You specify the information or processing activities to which Your request relates.
      • Right to Correction (Right to Rectification): You are entitled to request that any incomplete or inaccurate personal data We hold about You is corrected.
      • Right to Erasure (Right to be Forgotten): You are entitled to ask Us to delete or remove Personal Data in certain circumstances. There are also certain exceptions where We may refuse a request for erasure, for example, where the personal data is required for compliance with law or in connection with claims.
      • Right to Restriction: You are entitled to ask Us to suspend the processing of certain personal data about You, for example if You want Us to establish its accuracy or the reason for processing it.
      • Right to Transfer (Right to Data Portability): You may request the transfer of certain of Your personal data to another party.
      • Right to Objection: where We are processing your personal data based on legitimate interests (or those of a third party) You may challenge this. However, We may be entitled to continue processing Your information based on our legitimate interests or where this is relevant to legal claims. You also have the right to object where We are processing your personal data for direct marketing purposes. If these rights apply, they may however be limited, for example if fulfilling your request would reveal personal data about another person, would infringe the rights of another person or legal entity (including our rights), or if You ask us to delete or change data which We are required by law to keep (or have other compelling legitimate interests in keeping). We will inform You of relevant exemptions We rely upon when responding to any request You make.
      • Right to lodge a complaint with supervisory authority: You may enforce Your rights, specified above. You can find out how to do this at the Office for Personal Data Protection of the Czech Republic (Úřad pro ochranu osobních údajů) (https://uoou.gov.cz/en) or European Data Protection Supervisor (https://edps.europa.eu/).
    2. If You wish to stop receiving promotional and marketing communications from us, please contact us at [email protected] to opt-out.
    3. You can update Your opt-out preferences at any time by contacting Us. We will process Your request as soon as reasonably possible, but please note that you may still receive communications or data collection activities for a short period while We process Your request.
    4. Users may have the right to opt out of certain data collection and processing activities and/or practices. If you do not want Us to collect or process Your Personal Data (Personal Information) in a particular way, please contact Us. We will provide options to limit the use of your data where feasible, subject to regulatory requirements.
    5. Certain opt-out requests may be subject to regulatory requirements and may not be fully honored if they conflict with legal obligations.
    6. For security purposes, We may need to verify Your identity before processing certain opt-out requests.
    7. It has to be noted that Bitflow is a platform that offers buying, selling and storing Virtual Assets. Trading of Virtual Assets takes place on Blockchains, which are decentralized database software platforms for Virtual Assets. Blockchains are lists of records, called blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of the previous block, a timestamp and transaction data. By design, a Blockchain is inherently resistant to modification of the data. Therefore, data cannot be modified or deleted, since there are no servers involved. Data are dispersed among computers all around the world in an encrypted version.
    8. You acknowledge and expressly agree that by the nature of the technology it is not possible to delete personal data from the blockchain and invoke the right to be forgotten. You also agree that by the nature of the technology it is not possible to keep personal data within the EU borders.
  12. Data Retention
    1. Bitflow will not retain data longer than is necessary to fulfil the purposes for which it was obtained or as required by applicable laws or regulations.
    2. In any case, Bitflow will not retain User data longer than is necessary to fulfil the purposes for which it was collected or as required by the applicable laws and regulations.
    3. When a User’s Account is terminated or expired, all Personal Data collected through the platform will be deleted, as required by applicable law.
    4. You will receive Our Answer to Your Request within one month from receiving Your Request by Bitflow.
    5. Bitflow Lab s.r.o. retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, accounting, and reporting obligations. The retention periods are determined based on the type of data, the purpose of processing, and legal requirements, particularly under the GDPR and Czech AML legislation.
    6. Data Retention Periods applicable to Visitors and Users are as follows:
      1. User and third-party data for contractual purposes - 5 years after termination (Contractual necessity, legal obligation, legitimate interest);
      2. Cookies, analytics, marketing, optimization - 2 years after the relevant activity;
      3. AML-related data and fraud monitoring - 5 to 10 years after the relevant activity (Legal obligation (Czech AML Act No. 253/2008 Coll.));
      4. Account and service provision - 5 years after termination of the user relationship (Contractual necessity, legal obligation, legitimate interest);
      5. Fraud monitoring and security - 5 years after the relevant activity (Legitimate interest, legal obligation);
      6. Marketing communications - Until consent is withdrawn or user becomes inactive (max. 2 years after last activity); opt-out data retained indefinitely (Consent, legitimate interest);
      7. Analytics and website optimization - 2 years after the relevant activity (Consent, legitimate interest);
      8. Support inquiries - 5 years after inquiry closure (Legitimate interest).
      After the applicable retention period expires, your data will be securely deleted or anonymized unless we are legally required to retain it longer.
  13. Geographical location and International Users.
    1. The Bitflow’s Wallet is hosted in the European Union (EU) or European Economic Area (EEA) zone.
    2. The Personal Data (Personal Information) that We collect from You is stored within the territories of the European Union (EU).
    3. In the event that We transfer Your Personal Data (Personal Information) outside the European Union (EU) or European Economic Area (EEA), We ensure that such transfers are conducted in accordance with applicable data protection laws. Specifically, any transfer of Your Personal Data (Personal Information) will be governed by DPAs that incorporate the European Commission’s Standard Contractual Clauses (SCCs) or other legally approved mechanisms to ensure that your data is adequately protected.
    4. If You are a User accessing the Services from Asia, or any other region where the laws or regulations governing the collection, use and disclosure of personal data are different from EU laws, please note that by continuing to use the Services, You are transferring Your Personal Information to the EU and consent to such transfer.
    5. In processing your transactions, We may share some of your Personal Information with third party service providers who help with our business operations. Your information will not be sold, exchanged, or shared with any third parties without your consent, except to provide Bitflow’s Services or as required by law. By using our Services and accepting our Terms of Service, You consent to the disclosure of your Personal Information as described in this Privacy Policy.
  14. Lawful disclosure of User’s Personal Data (Personal Information)
    1. Bitflow will disclose Your Personal Data (Personal Information) without Your prior permission only if it believes that doing so is necessary to identify, contact, and/or take legal action against someone who:
      • is suspected of violating Bitflow's or others' rights or property, or
      • if someone could be harmed by Your activities or might infringe upon these rights and property, whether intentionally or not.
    2. We are permitted to disclose Personal Data (Personal Information) when We have good reason to believe that this is legally required and when the competent authorities have required Us to present them with such Personal Data (Personal Information).
  15. Contact Us
    If You have any further questions, concerns and requests regarding the Personal Data (Personal Information) that We collect, or how We use it, then please feel free to contact Us at: [email protected].