Legal notice
Bitstack, a French simplified joint-stock company with share capital of 4,758,724.64 euros, registered with the Aix-en-Provence Trade and Companies Register (France) under the number 899 125 090, domiciled at 100 Impasse des Houillères - Le Pontet 13590 Meyreuil (“the Company”), has the following characteristics:
1) The holding of digital assets (FMFC, Art. L. 54-10-2, 1°)
2) The purchase or sale of digital assets that are legal tender (FMFC, Art. L. 54-10-2, 2°)
Digital assets offered: Bitcoin
Country of operation: France, Europe and Third Countries
Targeted customers: Individuals and legal entities
Proposed services: Rounding, recurring purchase and one-off/occasional purchase, sale, withdrawal
Distribution channel: Mobile application
The company is registered with the French Financial Markets Authority ("AMF") as a Digital Asset Service Provider ("DASP"), under the number 899 125 090, dated 9 November 2021.
Bitstack complies with all applicable French and European regulations on the protection of personal data, in particular the European Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the "GDPR") and the Law of 6 January 1978 on data protection (known as the "French Data Protection Act").
In its capacity as the controller of your personal data (hereinafter referred to as "Personal Data"), Bitstack wishes to inform you through this Data Protection Policy about:
•The categories of your Personal Data we collect and process;
•The objectives pursued by the processing of your Data (its purposes) and the data retention periods associated with each processing operation;
•The legal bases on which the processing carried out is based;
•The recipients and categories of recipients;
•Transfers outside the European Economic Area;
•Your rights Regarding Your Personal Data;
•The security of your personal data
This Data Protection Policy is intended for and applies to you as individual customers and prospective customers of Bitstack. It also applies to you if you are:
•A person interested in our Bitstack products, services or content, who subscribes to Bitstack news alerts, who interacts directly or indirectly with Bitstack (via customer support or chat);
The Data Protection Policy is updated regularly to reflect changes in Bitstack's practices, as well as potential changes in the regulations applicable to Personal Data. Bitstack invites you to consult it regularly in order to be aware of any changes or updates made.
Bitstack may be required to collect and process the following categories of Personal Data (non-exhaustive list):
•Civil status data and identification data: surname, first name(s), date and place of birth, nationality, proof of identity, authentication videos;
•Contact details: email addresses, phone numbers;
•Data related to your personal situation: family situation;
•Data related to your professional situation: professional situation;
•Economic and financial information: income, assets, financial situation, etc.
•Financial and transaction data: nature of the transaction (purchase or sale of BTC, transfer, payment by credit card, recurring purchase, rounding, etc.);
•Login data related to the use of our services: identification and authentication data, logs, cookies and other trackers, website navigation data and applications belonging to Bitstack;
•Data from correspondence and communications between you and us, carried out remotely: emails, instant messaging, social media communications, complaints or any other type of communication;
•Login data: data from the device used to connect to the application or website and data associated with the use of the application belonging to Bitstack (access dates and times to the service, hardware data, data associated with the use of the device, unique identifiers, crash data or cookies);
•Geolocation data: IP address or GPS data of the device used;
•Any other information or document necessary to find the origin and destination of the funds of the transactions carried out with your account.
This Personal Data is collected, either directly from you by Bitstack, or, if necessary, indirectly:
•Through publications and databases made accessible by the official authorities or by authorised third parties, or
•Through websites and social media sites containing information that you wanted to make public.
As part of our legal and regulatory obligations to monitor the business relationship, we may also collect and process information from people with whom we do not have a direct relationship: a family member, a relative, your employer, your legal representative, personal contacts, etc. The collection and processing of this information is necessary for the purpose of finding the origin and destination of the funds from the transactions carried out with your account.
Certain categories of data or Personal Data collected by Bitstack may be reconciled, in order to better meet the purposes described in Article 4. These reconciliations are carried out by Bitstack taking care to use only the data strictly necessary for the achievement of the purpose of the processing (in application of the principle of data minimisation, provided for by the GDPR).
a) General provisions
Bitstack processes the categories of Personal Data referred to in Article 3 depending on the circumstances, to meet different objectives or purposes. Each of these categories is associated with a data retention period beyond which it is no longer used and is archived, then anonymised and/or deleted. The purposes that justify the processing of your Personal Data are as follows:
•Management of the business relationship, the electronic money account opened in Bitstack's books and/or the products and services subscribed to. Your Personal Data may be retained for a period of five (5) years from the end of the business relationship or, where applicable, from the end of any legal proceedings and/or the expiry of the applicable limitation periods.
•Conducting opinion and satisfaction surveys and statistical studies. Your Personal Data may be retained for a period of three (3) years from the completion of the study.
•Fighting fraud (examples: establishing ratings or scores, detecting unusual transactions). Your personal data may be retained for a maximum period of five (5) years from the closure of the confirmed fraud case or the issue of an alert in our systems.
•Compliance with Bitstack's legal and regulatory obligations, including Know Your Customer obligations, operational risk management (including computer network security, customer protection, supervision and internal control, transaction security), financial security obligations (anti-money laundering and terrorist financing and sanctions and embargoes obligations), obligations related to compliance with associated tax regulations, ethics and anti-corruption; data protection and any other obligations relating to the management and oversight of compliance risks. Your Personal Data will be retained for a period of five (5) years from the triggering event provided for by the regulations in force.
•The prevention and detection of criminal offences and/or taking legal action (e.g. to identify serious misconduct or acts such as violence against Bitstack staff). Your Personal Data may be retained for a period of five (5) to twenty (20) years, depending on the nature of the offence, from the date of its discovery. When legal proceedings are initiated, the data is retained until the conclusion of these proceedings and the expiration of the applicable limitation periods.
•Management of dormant accounts and data related to locating the individuals concerned. Your Personal Data may be retained for a maximum period of thirty (30) years depending on the cases provided for by the regulations in force.
•Recording your conversations with Bitstack, regardless of the medium (emails, letters, chat, etc.). According to applicable regulations, your Personal Data may be retained for varying periods, but in no case will exceed five (5) years from the date of its recording. The recording media or their reproductions will be kept for periods proportionate to the purpose of the recording in question (from 6 months for staff training purposes, up to 5 years when a telephone recording may be used as evidence).
•Accounting procedures: accounting data may be retained for a period of ten (10) years in accordance with the legal provisions in force.
•Cookies and other trackers. The lifespan of the trackers is a maximum of thirteen (13) months.
•Research or analysis activities for the purpose of process improvement and model development. Your Personal Data may be used to improve our internal control procedures or contribute to risk and compliance management. This Personal Data is kept for a specified period for each of these sub-purposes.
•Commercial canvassing, proposing commercial offers tailored to your situation and consumption profile, creating promotional offers and games, sales events and advertising campaigns. Personal Data may be retained for a period of three (3) years from the end of the business relationship or for prospective Customers, from the last contact. This Personal Data may be anonymised and aggregated in order to draw up statistical reports.
Your Personal Data collected and processed in accordance with the aforementioned purposes may be retained for an additional period if the defence of a right or an interest so requires, or in order to meet the requirements of French or European authorities such as the ACPR or the French Financial Markets Authority ("AMF"). In this case, your Personal Data will not be used for other purposes; it will be kept in intermediate archiving and will be accessible only to authorised persons with a need to know it (examples: legal department, compliance department, audit and inspection bodies).
b) Specific provisions for remote identity verification
In order to verify your identity remotely and to comply with its legal and regulatory obligations relating to the identification, verification of identity and knowledge of its customers, Bitstack is required to collect the following Personal Data directly from you:
•A double-sided and colour photo of your official identity document (national identity card or European passport or valid residence permit) and,
•An authentication video, or a video of your face called a "selfie video", made in colour with the front camera of your mobile phone, of sufficient quality and brightness and without digital alteration (presence of filters).
To do this, you must allow Bitstack access to your mobile phone’s microphone and front and back cameras, then film yourself for a few seconds while saying numbers out loud. The videos thus recorded are viewed by one of our specially authorised employees for the purpose of authenticating you. Once your authentication has been completed, the video is no longer accessible by our employee: it is automatically kept in semi-intermediate archiving.
N.B.: Specific technical processing of biometric data (within the meaning of Article 4.14 of the GDPR), captured during the video of your face, is carried out by Bitstack for the purpose of verifying your identity remotely. This specific technical processing of facial images makes it possible to confirm the unique identification of a customer based on their physical, physiological or behavioural characteristics. It also allows the detection of the "living" character of the customer's face to verify that it has not been physically or digitally altered. This biometric data is considered sensitive within the meaning of the GDPR. In order to use this processing in accordance with Article 9 of the GDPR, we justify a specific need to identify our customers to allow access to our services, under the control of the French Data Protection Authority (CNIL).
c) Provisions specific to fully automated decisions
In cases where Bitstack implements data processing involving fully automated decision-making that produces legal effects concerning you or significantly affecting you, such processing is based on one of the following legal bases: your consent, the performance of a contract, Bitstack's legitimate interest or a legal obligation. These processing operations are carried out in accordance with the applicable regulations, and accompanied by appropriate guarantees.
In the event that this decision-making has legal consequences for you, you may request the intervention of a human being, in particular to request a review of your situation, to express your own point of view, to obtain an explanation about the decision made, or to challenge the decision.
d) Provisions specific to cookies and other trackers
Cookies or other trackers refer to trackers placed and read, for example, while visiting a website, reading an email, installing or using software or a mobile application, regardless of the type of device used.
You are informed that during your visits to our websites or when using one of our applications, cookies and trackers may be installed on your device.
Where necessary, we collect your consent prior to the installation of such trackers on your device, and also when we access data stored on your equipment.
At any time, for more information, you can consult the Cookies Policy.
The processing carried out by Bitstack is based on one of the following legal bases:
•The performance of the contract entered into with you (examples: the management of an electronic money account, information relating to transactions carried out via Bitstack).
•This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data related to your personal and professional situation and economic and financial information, financial and transactional data, data related to the products and services subscribed to and data resulting from correspondence and communications between you and us.
•The purposes of this processing are: the management of the business relationship, the account opened in the books of Bitstack and/or the products and services subscribed to, its management as well as providing information concerning Bitstack’s services.
•Compliance with the legal and regulatory obligations incumbent on Bitstack as a digital asset service provider.
•This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services subscribed to and data resulting from correspondence and communications between you and us, any other information or document necessary for the search for the origin and destination of the funds of the transactions carried out with your account.
•The purposes of this processing are: customer knowledge, operational risk management, constant vigilance over the business relationship, the fight against money laundering and the financing of terrorism, the application of sanctions and embargoes, the obligations related to the determination of your tax status and compliance with the associated tax regulations, ethics and the fight against corruption, the management of dormant accounts and data related to locating the individuals concerned, data protection and any other obligations relating to the management and oversight of compliance risks.
•Pursuing Bitstack's legitimate interests (examples: conducting surveys and sending personalised communications, preventing fraud, analysing customers' use of Bitstack's services and the application).
•This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services subscribed to, login data related to the use of our services, cookies, data resulting from correspondence and communications between you and us and geolocation data.
•The purposes of this processing are: fraud prevention, prevention of unpaid debts, debt collection and dispute management (amicable and judicial disputes), complaints management, combating financial crime, prevention and management of abuse of employees, security of our networks, monitoring of our premises, in particular by a video surveillance system, analysis of our risk in terms of entering into a business relationship, the management of statistical studies and satisfaction surveys for the purpose of improving customer knowledge, etc.
•The choice of this legal basis is made after a rigorous balancing of the interests pursued by Bitstack with your interests, if you are affected by the processing and an assessment of reasonable expectations in this regard. We put in place safeguards to preserve your interests, rights and fundamental freedoms (examples: right to information, right to object to and limit processing).
•Consent for specific processing operations.
•This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data related to your personal and professional situation, economic and financial information, financial and transactional data, data related to the products and services subscribed to, login data related to the use of our services, data resulting from correspondence and communications between you and us, geolocation data, data and other information intended to be communicated to the public and shared with other customers within any application belonging to Bitstack.
•The purposes of this processing are: commercial canvassing by mail or email, by SMS/MMS, by telephone call, the placement and reading of advertising cookies, the management of promotional offers and games and the hosting of public communication areas within any application belonging to Bitstack.
•The legitimate interest of the customer (example: recording part of the customer communications in order to assess the level of quality of our services, the fight against fraud)
•This legal basis is the basis for the processing of the following data: civil status data, identification data, contact details, data relating to your personal and professional situation, records of part of customer communications.
•The purpose of this processing is to: assess the quality of Bitstack's services, improve the user experience, prevent fraud, communicate with Bitstack's support and anti-fraud teams.
•The choice of this legal basis is made after a rigorous balancing of the interests pursued by Bitstack with your interests, if you are affected by the processing and an assessment of reasonable expectations in this regard. We put in place safeguards to preserve your interests, rights and fundamental freedoms (examples: right to information, right to object to and limit processing).
Depending on the purposes pursued, your Personal Data may be disclosed:
•To Bitstack's partners, principals, agents, intermediaries and insurers, subcontractors and service providers. This communication takes place only in the context of processing that pursues one of the purposes described in Article 2;
•In compliance with the applicable regulations, to third parties in France or abroad for the purpose of establishing, safeguarding or defending a legal right, in the context of administrative or criminal investigations by one or more regulators, compliance with commitments made to them or in the context of legal proceedings of any kind.
•To certain regulated professions such as auditors, lawyers, in order to provide regulatory reports or to act in defence of our rights.
•To payment initiators and account information service providers, only if you consent or at your request.
Pursuant to Article L. 511-34 of the French Monetary and Financial Code, the personal information collected may be transmitted by our partners to other entities belonging to the same group of companies (branches and subsidiaries).
Under the conditions and within the limits permitted by the applicable regulations, you have the following rights:
Access to your Personal Data,
The right to have your Personal Data corrected, updated, and deleted, it being specified that deletion may only take place when:
•The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed,
•You withdraw your consent on which the processing was based and there is no other legal basis justifying it,
•You object to the processing of your Personal Data for reasons relating to your particular situation and there is no compelling legitimate reason to process it,
•Personal Data has been unlawfully processed,
•Personal Data must be erased to comply with a legal obligation that is provided for by European Union law or by French law to which Bitstack is subject,
•You object to the processing of your Personal Data for the purpose of commercial canvassing, including profiling related to such canvassing (see Article 8);
To receive your Personal Data that you have provided to us, for automated processing based on your consent or on the performance of a contract and to request the portability of this data from a third party,
To request a limitation of the processing of your Personal Data that we carry out when:
•You dispute the accuracy of the Personal Data for a period allowing the data controller to verify the accuracy of the Personal Data,
•You object to the deletion of your Personal Data when the processing is unlawful,
•We no longer need the Personal Data, but it is still necessary for you to establish, exercise or defend legal claims,
•You objected to the processing of your Personal Data, during the verification of whether the legitimate grounds pursued by Bitstack prevail over your own.
When processing is based on your consent, you withdraw that consent at any time and there is no other legal basis justifying the processing.
In addition, you have the option to provide us with instructions regarding the retention, deletion, and sharing of your data after your death, which can also be registered with "a certified digital trusted third party". These guidelines may designate a person responsible for their execution. However, these rights cannot have the effect of infringing on the rights of the heirs or allowing the disclosure of information to which only they are legitimately entitled.
You can exercise your rights and contact the Bitstack Data Protection Officer as follows:
•By post to the following address:
Bitstack - DPO
5 Parvis Alan Turing
75013 Paris
•Or by email: dpo@bitstack-app.com
You also have the right to lodge a complaint with the CNIL (3, place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 - www.cnil.fr), the supervisory authority in charge of compliance with personal data obligations in France.
a) Commercial canvassing by email and automated call
If you are an individual not acting for professional purposes, we may canvass you by email, automated call or SMS/MMS when you have given your consent at the time of collection of your email address or personal details, or when you are already a customer and the canvassing concerns products or services similar to those already subscribed to.
Each commercial canvassing email message contains a link to unsubscribe.
If you are a natural person acting in a professional capacity, your email address may be used to send you commercial prospecting by email for subjects related to your profession. You may assert your right to object to commercial canvassing at any time.
Generic business addresses assigned to a legal person (company) are not subject to the principles of consent or prior information and do not benefit from the right to object.
Messages and notifications related to the administrative management of a product or service previously subscribed to (alerts, changes to contractual and pricing documentation, etc.) do not fall within the scope of commercial canvassing.
The settings for messages and notifications that you may receive from us can be managed within the scope of the subscribed service, it being understood that some of these notifications may be subject to regulatory requirements and are mandatory.
b) Telephone canvassing
We may also canvass you by phone. In accordance with Article L.223-2 of the French Consumer Code, you are informed that you can register on the list to opt out of telephone canvassing known as Bloctel. However, despite this registration, we can canvass you by phone when there are ongoing contractual relations, unless you have previously objected to this or if you object to this during the call.
Bitstack takes all necessary physical, technical and organisational measures to protect the confidentiality, integrity and availability of your Personal Data, in particular against loss, accidental destruction, alteration and unauthorised access.
Bitstack also strives with the utmost vigilance to maintain a high standard of security and confidentiality of your Personal Data by raising awareness among our employees and business partners and training our staff in data protection, by setting up content controls, by implementing tools and practices aimed at obfuscating, anonymising, encrypting and encoding data in order to ensure the protection of your Personal Data against the internal and external risks of data leakage.
In the event of a breach of your Personal Data, presenting a risk to your rights and freedoms, we will notify the CNIL in compliance with the regulatory deadline. In the event that this breach presents a high risk to your rights and freedoms, we will inform you as soon as possible of the nature of this breach and the measures taken to remedy it.