Privacy Policy

1.

GENERAL PROVISIONS

1.

This Privacy Policy (the Policy) of Centaurify Custodial UAB (the Company) sets applicable standards and processes for data processing within the Company, acting as a crypto exchange operator.

2.

The Company shall be committed to processing personal information reasonably, securely and in compliance with the requirements of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR).

2.

PERSONAL DATA PROCESSING PRINCIPLES

2.1.

Personal data processing within the Company shall be based on these main principles:

1.

Lawfulness, fairness and transparency

which means that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

2.

Purpose limitation

which means that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3.

Data minimisation

which means that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4.

Accuracy

which means that personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5.

Storage limitation

which means that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

6.

Integrity and confidentiality

which means that personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

7.

Accountability

which means that the Company, where it acts as the controller of personal data, shall be responsible for, and be able to demonstrate compliance with all the above-mentioned principles of data processing.

3.

LAWFULNESS OF PROCESSING

3.1

The Company shall process personal data only if and to the extent that at least one of the following bases applies:

3.1.1

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

3.1.2

processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;

3.1.3

processing is necessary for compliance with a legal obligation to which the Company, as data controller, is subject;

3.1.4

processing is necessary to protect the vital interests of the data subject or of another natural person;

3.1.5

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, as a data controller;

3.1.6

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

3.2.

The Company shall process the following data:

Processing purposes:
  • Provision of services
  • Communication with clients
  • Implementation of “know your client” (KYC) requirements
Processed data:
  • email address
  • name
  • gender
  • date of birth
  • home address
  • phone number
  • nationality
  • device ID
  • a video recording
  • transactional information

Processing purposes:
  • Provision of technical support
Processed data:
  • internet protocol (IP) address used to connect your computer to the Internet
  • login, e-mail address, password and location of device or computer
  • services metrics (e.g., the occurrences of technical errors, your interactions with service features and content, and your settings preferences)
  • version and time zone settings

Processing purposes:
  • Fraud prevention and credit risks
Processed data:
  • transaction history
  • information from other sources (e.g., credit history information from credit bureaus)

Processing purposes:
  • Improvement of services
  • Providing recommendations and personalization of services
Processed data:
  • information about data subjects’ behaviour
  • email address
  • name

The legal ground for the processing:
  • Contract concluded with the Company
  • Legal obligations for the Company arising out of anti-money laundering related laws and regulations
  • Legitimate interests of data subjects and the Company
  • Legitimate interests of data subjects and the Company
  • Legitimate interests of data subjects and the Company (in respect of improvement of services)
  • Consent of data subject in case of providing recommendations and personalization of services (data subject may withdraw the consent at any time and the Company will stop processing data for that purpose)
3.3.

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

4.

DATA SHARING WITH THIRD PARTIES

4.1.

The Company shall engage third parties as data processors only in cases where such third parties are capable of ensuring the processing of personal data in accordance with the requirements of the GDPR. The Company shall take measures to ensure that its data processors have adequate technical and organizational arrangements in place.

4.2.

The Company shall conclude agreements with its data processors, which should include at least the following matters:

4.2.1

subject and duration of data processing;

4.2.2

purpose of the data processing;

4.2.3

personal data (their types) and data subjects (their categories);

4.2.4

rights and obligations of the Company, as data controller;

4.2.5

specific obligations of data processor as they are defined in the GDPR;

4.2.6

conditions and requirements for the engagement of data sub-processors.

4.3.

Requirements specified in Clauses 4.1 and 4.2 shall also apply in cases when personal data is transferred to or shared with companies belonging to the same group as the Company.

5.

DATA RETENTION

5.1.

The Company shall keep data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which personal data is processed (storage limitation principle). The Company shall ensure that data is not kept longer than necessary; thus, the established retention periods shall be followed.

5.2.

The Company shall define specific retention limits for data in accordance with the requirements of legal acts applicable in different areas, such as anti-money laundering, archiving, employment, tax, data protection, etc. Where the retention period of certain data is not regulated, the Company shall define such limits itself based on the storage limitation principle.

5.3.

The Company shall ensure that data whose retention period has ended is no longer processed. At the end of the defined retention period, the Company shall either destroy personal data or anonymize it.

6.

ORGANISATIONAL MEASURES

6.1.

The Company shall implement and continuously adhere to the following organizational measures aimed at implementing information security principles in practice:

Organizational measure | Implementation of measure
1

Personal data security policies and procedures

  • The security of personal data and its processing within the Company shall be always documented in this Policy and other documents of the Company.
2

Roles and responsibilities

  • Roles and responsibilities related to the processing of personal data within the Company shall be clearly defined and allocated.
3

Access management

  • Each role related to the processing of personal data within the Company shall be assigned specific access control rights.
4

Resource and asset management

  • The Company shall have a register of the IT resources used to process personal data, and the management of the register must be assigned to a specific person.
5

Change management

  • The Company shall ensure that all changes to IT systems used by the Company are monitored and recorded.
6

Data processors

  • Prior to engaging third parties as data processors, the Company shall define, document, and reconcile all necessary formalities with such data processors.
  • Data processors shall be obliged to immediately notify the Company of any breaches of personal data security that have been identified.
7

Personal data security breaches and incidents

  • All incidents shall be immediately reported to the management of the Company.
  • A clear process for reporting data security breaches to competent authorities and other response activities shall be established.
8

Business continuity

  • The Company shall establish basic procedures to be followed in the event of an incident or personal data breach to ensure the necessary continuity and availability of the processing of personal data by IT systems.
9

Personnel confidentiality

  • The Company shall ensure that all employees understand their responsibilities and obligations regarding the processing of personal data.
10

Training

  • The Company shall ensure that all employees are adequately informed about the security controls of their IT systems in relation to their day-to-day work.
  • Employees involved in the processing of personal data shall be trained in the relevant data processing requirements and legal obligations through regular training, information events or briefings.
7.

PERSONAL DATA PROCESSING PRINCIPLES

7.1.

The Company shall implement and continuously adhere to the following technical measures aimed at implementing information security principles in practice:

Technical measure | Implementation of measure
1

Access control and authentication

  • An access control system shall be installed, implemented and applied to all users of the IT system within the Company. The access control system shall allow the creation, approval, review, and deletion of user accounts.
  • The use of shared user accounts shall be avoided. In cases where a shared user account is required, it shall be ensured that all users of the shared account have the same rights and responsibilities.
  • The minimum requirement for the user to connect to the IT system shall be a login name and password. The access control system shall detect and prevent the use of passwords that do not meet a certain level of complexity.
  • The organization shall ensure that all employees are adequately informed about the security controls of their IT systems in relation to their day-to-day work. Employees involved in the processing of personal data shall be trained in the relevant data processing requirements and legal obligations through regular training, information events or briefings.
2

Technical log entries and monitoring

  • Technical log entries shall be implemented for each IT system and application used to process personal data.
  • The technical logs shall show all possible types of access to personal data records (e.g. date, time, review, modification, deletion) for the period of at least 6 months.
  • The entries in the technical logs shall be time-stamped and protected against possible damage, falsification, or unauthorized access.
  • The time accounting mechanisms used in IT systems shall be synchronized according to a common time reference source.
3

Protection of servers and databases

  • Databases and application servers shall be configured to run correctly and use a separate account with the lowest operating system privileges assigned.
  • Databases and application servers shall process only those personal data that are necessary for the purpose of the data processing.
4

Workstation protection

  • Users shall not be able to disable, bypass, or avoid security settings.
  • Antivirus applications and their virus information databases shall be updated at least weekly.
  • Users shall not have privileges to install, uninstall, or administer unauthorized software.
  • IT systems shall have a set session time (no more than 15 minutes), i.e., if the user is inactive for the time specified in the system, his session shall be terminated.
  • Critical security updates for the operating system shall be installed regularly and immediately.
5

Network and communication security

  • When access to the IT systems used is via the Internet, the use of an encrypted communication channel shall be mandatory, i.e., cryptographic protocols (e.g. TLS, SSL).
6

Backups

  • Backups and data recovery procedures shall be defined, documented, and clearly linked to roles and responsibilities.
  • Backup media shall be provided with an appropriate level of physical and environmental security, depending on the data being stored.
  • The backup process shall be monitored to ensure completeness.
  • Full data backups shall be made regularly (daily - add-on; weekly full copy).
7

Mobile, portable devices

  • Procedures for the administration of mobile and portable devices shall be established and documented, clearly describing the proper use of such devices.
  • Mobile, portable devices that are used to work with information systems shall be registered and authorized before use.
  • Mobile devices shall have an adequate level of access control procedures, as well as other equipment used to process personal data.
8

Software security

  • The software used in information systems (for processing personal data) shall comply with software security best practices, software development structures and standards.
  • Specific security requirements shall be defined in the early stages of software development. Data security programming standards and best practices shall be followed.
  • The software development, testing, and verification phases shall consider basic safety requirements.
9

Destruction of data

  • Before removing any data carrier, all data on it shall be destroyed using dedicated software that supports reliable data destruction algorithms.
  • In cases where this is not possible (e.g. CDs, DVDs, etc.), the physical destruction of the data carrier shall be carried out without the possibility of recovery.
  • The paper and the portable data storage media in which the personal data were stored shall be destroyed by shredders.
10

Physical security

  • Physical protection of the environment, premises containing IT systems infrastructure from unauthorized access shall be implemented.
8.

DATA SUBJECT’S RIGHTS AND REQUESTS

8.1.

The Company shall ensure that data subject’s rights established by the GDPR can be implemented:

1.

Right to be informed

The data subject shall have a right to be informed about their data processing, including the purposes and legal grounds of processing. For implementation of the data subjects’ right to be informed, the Company shall publish this Policy on its website.

2.

Right of access

The data subject shall have the right to get information as to whether personal data concerning him or her are being processed, and, if that is the case, access to the personal data and defined information about such data processing.

3.

Right of rectification

The data subject shall have the right to request to rectify inaccurate personal data concerning him or her or complete the incomplete personal data.

4.

Right to erasure (“right to be forgotten”)

The data subject shall have the right to request the erasure of personal data concerning him or her in the following cases:

  • the personal data are no longer necessary;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation.

5.

Right to restriction of processing

The data subject shall have the right to request the restriction of processing from the Company in the following cases:

  • the accuracy of the personal data is contested by the data subject – for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims;
  • the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.

6.

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller in the following cases:

  • the processing is based on consent or on a contract pursuant; and
  • the processing is carried out by automated means.
The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.

Right to object

The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on legitimate interest or public interest, including profiling.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing of personal data. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

8.

Rights in relation to automated individual decision making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

8.2.

For the implementation of other data subjects’ rights, the Company shall take necessary actions to timely and properly react to the data subjects’ requests. The Company shall take reasonable steps to verify the identity of the data subject and/or its representative.

8.3.

Normally all requests of data subjects shall be managed by the Company free of charge. In cases where their requests are evidently ungrounded or disproportionate, for example, due to their repetitive nature, the Company may consider (i) charging a reasonable fee based on actual administrative costs; or (ii) refusing to act on the request. In all such cases, the Company shall inform the data subject in writing.

8.4.

The Company shall seek to reply to the data subject’s request immediately, but in all cases no later than within 1 (one) month. In certain cases, for example, an extremely large amount of data, the Company may prolong this term for another 2 (two) months. In such a case, data subjects will be informed about such prolongation in writing.

8.5.

The data subject shall also have the right to make a complaint to the State Data Protection Inspectorate (L. Sapiegos str. 17, 10312, Vilnius, the Republic of Lithuania; e-mail: [email protected]; more information on their website).

9.

FINAL PROVISION

9.1.

All employees of the Company shall be responsible for ensuring that they comply with this Policy and, therefore, adhere to appropriate practices, processes, and controls.

9.2.

The Policy and its amendments or supplements shall enter into force upon their approval by the order of the General Manager of the Company, unless it specifies another date of entry into force of the Policy, its amendments, or supplements.

9.3.

The Policy shall be reviewed immediately after the respective need is determined.