Last Updated 26 September 2024
We take our data protection responsibilities with the utmost seriousness, and are committed to respecting your privacy and keeping your data secure.
1. Summary of how we use your personal data
Gnosis Pay uses your personal data to onboard users, provide the services and manage the relationship with users, and to fulfil our contractual obligations with our regulated partners.
Your personal data is shared with third party services providers to enable us to provide you with the services and fulfil our contractual obligations.
Where we rely on your consent (such as for email marketing) you can withdraw this consent at any time.
You have a number of rights in relation to your personal data, including the right to object to some of the processing Gnosis Pay carries out.
2. What does this Privacy Policy cover?
This Privacy and Cookies Policy (Policy) sets out information about our processing of your personal data, including what we collect, how we process it and how long we retain it, as well as information about the cookies and similar technologies that we use on our platforms. It also describes your data protection rights, including the right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “Your rights as a data subject” section.
Our website, app and services are not intended for children, and we do not knowingly collect data relating to children.
In this Policy, “Gnosis Pay”, "we", "us" and "our" refer to: (i) where you are a resident in the European Economic Area (“EEA”), Gnosis P. Tech, Unipessoal Lda (a company registered in Portugal with its registered office at Rua António Maria Cardoso, no 25, 4o, 1200-027, Lisbon); and (ii) where you are resident in a non-EEA country, Gnosis Pay Co Ltd (a company incorporated in England and Wales with its registered address at 12 New Fetter Lane, London, United Kingdom, EC4A 1JP). We operate the “gnosispay.com” website and, through it, the Gnosis Pay website application (the “Platforms”). For more information about us, see the “Our Details” section of this Policy.
3. Your Information and the blockchain
The decision to transact on a blockchain network such as Gnosis Chain, and how you use and manage your cryptocurrency wallet address, rests solely with you.
The blockchain operates as a public distributed ledger. Please do your own research regarding the nature of information on the blockchain, including, without limitation, the public and immutable nature of information on the blockchain.
4. Categories of personal data we process
Category | Details |
Identification Information | Name, nationality, country of residence, home address, IP address, date of birth, place of birth, identification and KYC documents (including, without limitation, ID proof and proof of address), user ID, EOA or signing wallet address(es), username and password, and may include media/public record insights |
Biometric Information | Photo |
Contact Information | Your shipping address, your billing address, email address and phone number |
Financial Information | Safe wallet address; source of wealth; expected card spending |
Transaction Information | Transaction amount, originator data, account reference or routing number;, beneficiary, recipient or destination data or receiving address |
Marketing Information | Your marketing preferences, including any consents you have given us; responses to surveys and user feedback requests |
Device Information | Information related to the browser or device you use to access our Platforms:
|
Customer Support and Communication Data | Feedback and interactions with our customer support teams, the relevant details which you provide, including your enquiry description or support request and the outcome sought, the date and time that the issue arose and other communications you have with us |
We also identify data categories in the “How we use your personal data” section below.
We collect personal data from you directly. Sometimes, we receive information about you from third parties. In particular, in order to obtain a Gnosis Pay card, you will need to undertake ‘know your client’ checks (“KYC”) with our KYC service provider (“KYC Provider”), and the KYC Provider will need to store your Personal Data to support us in meeting our ongoing legal and compliance obligations. Our current KYC Providers are is SUM AND SUBSTANCE LTD (“SumSub”) and Fractal ID. Sumsub’s privacy policy is available here. Fractal ID’s privacy policy is available here. We will notify you if we change KYC Provider.
Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to provide our services without this information. In other cases, provision of the requested personal data is optional, but this may affect your ability to procure or access certain functionalities or services where the information is needed for those purposes.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
5. How we use personal data
This section sets out the purposes for which we use your personal data, the categories of personal data we process and our legal basis for processing your personal data.
Purpose | Purpose (detailed) | Categories of personal data | Legal basis |
Providing products and services | We collect, use and store your personal data to provide you with the products and services, onboard new customers, send you required product and service information (including if you join our waitlist) and otherwise performing our obligations under our contract with you. | Identification Information, Contact Information, Financial Information and Transaction Information | It is necessary for us to process your personal data in order to perform our contract with you, or to take steps at your request prior to entering into a contract with you.
Where the services are provided under your contract with our regulated partner, we have a legitimate interest in enabling our regulated partner to perform our contract with you, or to take steps at your request prior to entering into a contract with you. |
Enabling our regulated partners to comply with legal and regulatory obligations, including checking your eligibility | We collect, use, analyse and store your personal data to enable our regulated partners to comply with legal requirements, namely identity checking; KYC and anti-money laundering (AML) checks and related screening at onboarding and on an ongoing basis; compliance with anti-terrorism laws and regulations and fighting crime (including financial crime); audit and reporting; and maintenance of accounting records.
We collect, use, analyse and store your personal data to check your eligibility to use our products and services when you join our waitlist or sign up to our products and services in order to enable our regulated partner to comply with KYC and AML obligations under law. | In relation to ‘know your customer’ checks in particular: Identification Information, Contact Information, Biometric Information, Financial Information, Transaction Information and:
| In relation to Biometric Information, we obtain your consent.
We have a legitimate interest in enabling our regulated partner to comply with the legal obligations they are subject to.
|
Managing our relationship | We collect, use and store your personal data to manage our relationship with you, which includes notifying you about access to the services (including if you joined our waitlist), and changes to our terms or this Policy. | Contact Information and Customer Support and Communications Data | We have a legitimate interest in managing our business and providing products and services to our customers and waitlist contacts. |
Providing user support and handling communications | When you contact us (including our user support team) e.g. via email or through our Platform chat system, we collect, use, analyse and store your personal data for the purpose of responding to your inquiry and developing or improving our responses to future queries and requests. | Identification Information, Contact information, Transaction Information and Customer Support and Communications Data | We have a legitimate interest in providing user support services and handling communications we receive.
|
Protecting our business interests | We store, use, analyse and transmit your personal data to protect our business interests, to establish, exercise, or defend legal claims and to protect and enforce the rights, property, security or safety of us, our business, our customers or others, including investigating and helping to prevent fraud or other unlawful activity.
Our business interests can sometimes involve undertaking mergers, acquisitions, reorganisations or disposals, as permitted/required in accordance with applicable law. | All categories of personal data as relevant. | We have a legitimate interest in protecting our business interests and the interests of others,
We have a legitimate interest in carrying out corporate transactions.
|
Operating and improving our Platforms | We collect, use, analyse and store personal data about your use of our Platforms in order to manage and operate our Platforms, including to keep our Platforms updated, improve our Platforms, and to improve or modify our existing products and services. | Transaction Information, Device Information, Customer Support and Communication Data | We obtain your consent in relation to the use of cookies and similar technologies that are not strictly necessary.
Otherwise, we have a legitimate interest in operating our Platforms, improving the operation of our Platforms and determining how best to market our products and services. |
Maintaining security | We collect, use, analyse and store your personal data in order to maintain the security of our Platforms and to detect, investigate, monitor, remediate and/or prevent security or cyber incidents. | All categories of personal data as relevant. | It is in our legitimate interests to maintain the security of our Platforms. |
Conducting system testing | We collect, analyse, use and store your personal data for the purposes of system administration, operation, testing and support | All categories of personal data as relevant. | It is in our legitimate interests to maintain the functioning of our systems and Platforms. |
Responding to third party requests | We collect, use, analyse and transmit your personal data to meet requests and requirements to disclose from any regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals | All categories of personal data as relevant. | Where we have EEA or UK legal obligations to meet these requests, it is necessary for us to comply with our legal obligations.
Otherwise, it is in our legitimate interests to meet the requests from these sources. |
Sending direct marketing | We collect, use and store your personal data to send you direct marketing by email, including newsletters, product announcements, partner offerings, surveys, contests or limited offers, giveaways, events, or announcements | Contact Information | We obtain your consent when required under law.
Otherwise, it is in our legitimate interests to promote and market our business. |
Enabling a third party to provide you with a service or direct benefit | We use and analyse and transfer your personal data to enable third parties to provide you with a service or direct benefit | Safe Wallet Address; Transaction Information; Marketing Information | We obtain your consent when required under law. You can opt-out at any time by contacting our customer support team.
It is also in our legitimate interests to enable you to benefit from features or services provided by third parties which you have opted into. |
Using cookies and similar technologies | We collect, use, analyse and store information from cookies or similar technologies for the purposes in the section on “Cookies” below. | Information from cookies or similar technologies | For strictly necessary cookies and similar technologies, it is in our legitimate interests to provide the service requested by the user.
For other cookies and similar technologies, we obtain your consent. |
There are instances where we have a legitimate interest to use your data. Our legitimate interest will vary depending on what we are using your data for, and we explain above what the interest is and how it relates to the processing operations that we are carrying out. Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of this Policy.
6. Third party links
Our website/app may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website/app you visit.
7. Sharing your personal data
We share your personal data with the following recipients:
Recipient | Purpose |
Gnosis Pay group of companies | We may share all categories of personal data as relevant within our group companies, to enable us to deliver our contractual obligations to you and provide you with the services. |
Our regulated partners | We share Identification Information, Contact Information, Biometric Information, Contact Information, Financial Information, Transaction Information, Device Information and Customer Support and Communication Data to ensure our contractual obligations towards our regulated partners are fulfilled and to support them in performing their obligations under their contract with you and in complying with their direct regulatory and licensing requirements in relation to the services you receive. |
Third party service providers | We engage other companies and individuals to provide services to us that involve the processing of personal data, including on our behalf. These service providers are as follows:
|
Third parties providing you with a direct benefit | We transmit certain Financial Information and Transaction Information to third parties where this would enable you to receive a direct benefit provided by the third party or feature you have opted into; and/or where this is necessary to withdraw you from such benefit/feature where you have communicated to us your decision to opt out. You can always opt-out of this data sharing, but note that the third party would cease to provide you with the direct benefit or feature. |
Third parties in relation to legal claims | We transmit personal data to third parties as required in order to establish, exercise or defend or to protect legal claims, including in relation to our contracts with our customers and in order to protect the rights, property or safety of us, our business, our customers or others, including to legal advisors, government and law enforcement authorities, courts and tribunals and with other parties involved in, or contemplating, legal proceedings. |
Regulatory, prosecuting, law enforcement, tax or governmental authorities, courts or tribunals | We transmit information about you to these third parties upon their request or as required by law as set out in the “How we use your personal data” section above. |
Prospective buyer/seller | In the event that our business or our assets (or any part thereof) is/are sold or integrated with another business or company or there is a restructuring or reorganisation, your details will be disclosed to our advisers and any prospective purchaser’s advisers and will be passed to the new owners. |
8. Where we transfer your personal data
If we transfer any personal data outside the EEA or UK, where a country is not subject to an adequacy decision by the European Commission/UK government or considered adequate as determined by applicable data protection laws, we take steps to ensure your personal data is adequately protected. We will ensure your Personal Data is protected by using specific standard contractual terms approved for use in the UK or in the EU which give the transferred Personal Data the same protection as it has under the Data Protection Legislation, namely the 2021 EU standard contractual clauses (EU SCCs) or the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under S119A(1) of the Data Protection Act 2018.
A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.
9. Your rights as a data subject
You have the right to:
request information about how your personal data is processed;
request a copy of your personal data;
request that anything inaccurate in your personal data is corrected;
request we transfer the personal data you provided to a third party or give you copy so that you can transfer it to a third party;
raise an objection about how your personal data is processed in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement);
request that your personal data is erased in certain circumstances; and
ask that the processing of your personal data is restricted in certain circumstances
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.
To exercise any of these rights, get in contact with [email protected].
Wherever we rely on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message or by contacting us at [email protected].
We do not make use of any automated decision making.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You have the right to make a complaint to the relevant data protection supervisory authority. In the UK, you may contact the Information Commissioner’s Office: https://ico.org.uk/global/contact-us/. In the EU, you may contact the relevant data protection authority. You can find details of the supervisory here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
10. How long we retain your personal data
We keep personal data obtained from cookies and similar technologies for the periods set out in the section on “Cookies”.
In connection to our products and services:
In relation to other information that relates to your contract with us, we keep this data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal requirements.
To comply with our contractual obligations to our regulated partners, and to comply with legal obligations or legitimate interests, such as preventing fraud and responding to potential law enforcement requests, we may retain your Identification Information, Biometric Information, Contact Information, Financial Information, Transaction Information, Device Information and Customer Support and Communication Data for a period of up to a maximum of 8 years.
Where we process personal data only for marketing and advertising purposes, we keep the personal data until our relationship with you is terminated or you object to processing for direct marketing purposes, in which case we will stop processing the relevant personal data after having implemented your request. Additionally, we keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
11. Cookies
This section applies to all our Platforms.
11.1. What are cookies?
We use cookies on our Platforms. A cookie is a very small text document, which often includes an anonymous unique identifier. Cookies are created when your browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website's server. Find out more about the use of cookies on www.allaboutcookies.org.
We also use other forms of technology (such as web beacons and, in apps, software development kits (usually referred to as SDKs)) which serve a similar purpose to cookies, and which allow us to monitor and improve our Platforms and email communications. When we talk about cookies in this Policy, this term includes these similar technologies.
11.2 What cookies do we use, what information to they collect and how long are they stored for?
We use the following types of cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our Platforms. These essential cookies are always enabled because our Platforms won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our Platforms. You can switch off these cookies in your browser settings but you may then not be able to access or use all or parts of our Platforms. These cookies are stored for up to 13 months.
Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our Platforms when they are using them. This helps us to improve the way our Platforms work, for example, by ensuring that users are finding what they are looking for easily. These cookies are used to collect technical information such as the last visited Platform, the number of pages visited, whether or not email communications are opened, which parts of our Platforms or email communication are clicked on and the length of time between clicks. These cookies are stored for up to 13 months.
Functionality cookies. These are cookies that are not essential but enable various helpful features on our Platforms. These are used to recognise you when you return to our Platforms. This enables us to personalise our content for you and remember your preferences (for example, your choice of region). These cookies are stored for up to 13 months.
Advertising and targeting cookies. These cookies record your visit to our Platforms, the pages you have visited and the links you have followed. We will use this information to make our Platforms and the advertising displayed on it more relevant to your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. These cookies are stored for up to 13 months.
11.3 Third party cookies
Your use of the Platforms may result in some cookies being stored that are not controlled by us – please see the information below. You should review the privacy and cookie policies of these services to find out how these third parties use cookies and whether your cookie data will be transferred to a third country.
Purpose | Third party |
Analytics – tracking and monitoring the use of our Platforms | PostHog |
Analytics – tracking and monitoring the use of our Platforms | Spindl |
Advertising - Twitter may use the collected data to contextualise and personalise the ads of its own advertising network. |
11.4. How you can manage these cookies
We keep information collected from cookies for a maximum of 13 months.
When you first visit our Platforms, you will have the opportunity to accept cookies or reject them if you do not agree to our use of cookies.
Additionally, if you do not agree to our use of Cookies, you can set your browser settings accordingly or not use our Services. Methods vary for doing so, but you can see information about managing cookies at the following links:
12. Changes to this Policy
We keep our Policy under regular review, and we may make changes to this Policy from time to time. Where we do so, we will change the ‘Last Updated’ date above. Where a material change is made, we will provide you with a new privacy notice if required. We may also notify you in other ways from time to time about the processing of your personal data.
13. Contact details
Our Data Protection Officer’s contact details:
Bird & Bird Privacy Solutions,
Bird & Bird DPO Services SRL,
Avenue Louise 235 Box 1 1050 Brussels Belgium.
Our details:
Gnosis Pay Co Ltd.
12 New Fetter Lane
London
United Kingdom EC4A 1JP
Gnosis P. Tech, Unipessoal Lda
Rua António Maria Cardoso,
no 25, 4o 1200-027, Lisbon
Portugal
If you have any queries concerning your personal data or this Policy, please contact us at [email protected].