Privacy Policy.

This Privacy Policy (this “Policy”) applies to the processing of personal data in connection with all services provided by Cryptonow GmbH, a company registered in the Republic of Austria with its registered address at Marc-Aurel-Str. 10-12, 1010 Vienna, Austria (“Cryptonow,” “the Company,” “we,” “us,” or “our”), via our electronic brokerage platform (including any related mobile applications and websites used to access the same) (collectively, the “Platform”).

This Policy describes how we collect, use, and disclose personal data in the course of providing our services. This includes, without limitation:

  • account creation and management;

  • identity verification (KYC);

  • execution of trades;

  • customer support;

  • promotional campaigns; and

  • any interaction with the Platform (together, the “Services”).

This Policy supplements our other policies and is not intended to override them.

Terms used herein shall have the meanings given in Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR) and the Austrian Data Protection Act (Datenschutzgesetz – DSG), as applicable.

For the purposes of this Policy:

  • “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means (such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).

  • “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

  • “Supervisory Authority” means the Österreichische Datenschutzbehörde, Barichgasse 40–42, 1030 Vienna (T +43 1 52 152-0, M [email protected]).

  • “Data Subject” means an identified or identifiable natural person.

1. Our Relationship with You

Cryptonow acts as the Controller of your Personal Data in relation to the Services, ensuring the security of your personal data and compliance with applicable regulatory requirements.

As we are responsible for the Personal Data processed in the context of providing our Services, we have appointed a Data Protection Officer (DPO), who monitors our compliance with data protection law and acts as the primary point of contact for the Supervisory Authority and for Data Subjects on privacy-related matters.

You may contact us in connection with Services that you are considering or wish to obtain from us (such as conversion between crypto assets and fiat money). By registering for and using the Platform, you acknowledge that your Personal Data will be processed as described in this Policy and in the terms and conditions applicable to the Platform (the “Service Agreement”).

If you have any questions or concerns regarding the Processing of your Personal Data, you may contact our Data Protection Officer at: [email protected]

2. Lawful Basis for Processing Your Personal Data

We may process your Personal Data on one or more of the following legal bases under Article 6 GDPR:

2.1 Performance of a Contract – Art. 6(1)(b) GDPR

Where Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract (e.g. provision of Services via our Platform).

2.2 Compliance with Legal Obligations – Art. 6(1)(c) GDPR

Where Processing is necessary to comply with legal or regulatory obligations to which we are subject (e.g. anti-money laundering (AML), know-your-customer (KYC), tax reporting and other compliance requirements).

2.3 Legitimate Interests – Art. 6(1)(f) GDPR

Where Processing is necessary for the purposes of our legitimate interests (or those of a third party), provided such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests may include:

  • providing, maintaining, and improving our Services;

  • ensuring Platform security, IT and tax compliance, and internal controls;

  • preventing fraud and abuse; and

  • maintaining efficient business operations.

2.4 Consent – Art. 6(1)(a) GDPR

In certain limited cases, we rely on your freely given, specific, informed and unambiguous (and, where required, explicit) consent to process your Personal Data (e.g. for direct marketing or optional features).

Where Processing is based on consent:

  • you are under no obligation to provide consent;

  • you will not suffer any disadvantage if you choose not to consent or later withdraw your consent; and

  • you may withdraw your consent at any time, with effect for the future, by contacting us using the contact details in this Policy.

Withdrawal of consent does not affect the lawfulness of Processing based on consent before its withdrawal.

Please note that we may process your Personal Data on multiple legal bases depending on the specific purpose. If you would like information about the legal basis for a particular Processing activity, you may contact us at any time.

3. Personal Data We Collect and How We Collect It

We ensure that we only process Personal Data which is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed, in accordance with the data minimisation principle in Art. 5(1)(c) GDPR.

3.1 Data Obtained Directly from You

For example:

  • when you register to use the Platform or submit information as part of the KYC process;

  • when you fill in forms or upload documents on the Platform;

  • when you contact us by email or through other communication channels;

  • when you submit support requests, participate in dispute resolution, or request assistance;

  • when you physically visit our offices.

3.2 Data Collected Automatically

  • through your use of the Platform and our Services (e.g. log data, device data, usage data).

3.3 Data Obtained from Third Parties

For example:

  • our partners and affiliates who enable you to use our Services;

  • background screening providers, identity verification services, EU Travel Rule (TFR) service provider, credit reference agencies, PEP and sanctions screening providers;

  • publicly available sources (e.g. official registers or company databases within the EU, on-chain blockchain data);

  • data brokers and aggregators, where legally permissible.

3.4 Categories of Personal Data Processed

In operating our Platform and providing our Services, we may process the following categories of Personal Data:

  • Identification details:

    Full name, date and place of birth, nationality, official identification number, passport/ID data.

  • Contact details:

    Residential address, email address, telephone number.

  • Financial and transactional data:

    Source of funds and wealth, bank account details, payment card details (including card number, expiry date and CVC), tax identification number (TIN), employment status and income information.

  • Verification data:

    Results of PEP/sanctions screening, identity documents, certificates (e.g. employment, inheritance).

  • Employment-related information:

    Employment history, education background, employer references where applicable.

  • Platform usage data:

    Login history, device type, user preferences, interaction history.

  • Device data:

    Device type, operating system, unique device identifiers, crash logs, browser type.

  • Log data:

    IP address, timestamps, login location, user activity logs.

  • Account and transaction data:

    Account balances, trading history, deposit snapshots, verification safeguards.

  • On-site visit data:

    Image or video recordings captured during visits to our office premises.

Please note that some of the Personal Data we process is screened against risk profiles and regulatory watchlists to comply with applicable anti-money laundering laws and our internal KYC/AML policies (e.g. checks through credit reference agencies, anti-fraud agencies, sanctions screening and PEP lists).

4. Purposes for Which We Process Your Personal Data

We process your Personal Data for the purposes described below, in accordance with the legal bases set out in Art. 6(1) GDPR:

  • Provision of Services and account management

    To provide and manage access to our Services and your account on the Platform, including processing transactions, user authentication, customer service and technical support

    → Art. 6(1)(b) GDPR – performance of a contract.

  • Compliance with legal and regulatory obligations

    To comply with anti-money laundering (AML) and counter-terrorism financing laws, tax and accounting obligations, and data retention requirements

    → Art. 6(1)(c) GDPR – legal obligation (e.g. Financial Markets Anti-Money Laundering Act, Federal Fiscal Code, Business Code, Federal Act Against Unfair Competition).

  • Security and integrity of systems

    To ensure the security and integrity of our systems, including fraud detection, IT security measures, disaster recovery, and audits

    → Art. 6(1)(f) GDPR – legitimate interests.

  • Service-related communications

    To communicate with you regarding updates, changes, or legal/administrative notices relating to your account or use of the Platform

    → Art. 6(1)(b) or 6(1)(c) GDPR, as applicable.

  • Operation and maintenance of websites and applications

    To operate, maintain, and improve our websites and mobile applications, including user interface customisation, error resolution, and ensuring compatibility across devices and systems

    → Art. 6(1)(f) GDPR – legitimate interests.

  • Social media and community management

    To engage in social media communication and community management, respond to user inquiries, moderate content, and maintain a safe environment on our official channels

    → Art. 6(1)(f) GDPR – legitimate interests.

  • Office video surveillance

    If you visit our offices, to conduct video surveillance for the protection of company property, safety of staff, customers and visitors, and to prevent fraud, vandalism or other unlawful activities

    → Art. 6(1)(f) GDPR – legitimate interests; and where required, Art. 6(1)(a) GDPR – consent (subject to national law, e.g. Sections 12 and 13 DSG).

  • Marketing and promotion

    To promote our Services and products through marketing, user growth initiatives and promotional campaigns (including targeted advertising, performance tracking and outreach), based on your consent where required

    → Art. 6(1)(a) GDPR – consent; or Art. 6(1)(f) GDPR – legitimate interests.

  • Newsletters and optional communications

    Where you have provided your consent, to send newsletters, marketing communications and other optional content

    → Art. 6(1)(a) GDPR – consent (which you may withdraw at any time).

We will only process your Personal Data to the extent necessary for the stated purposes and in line with the principles of data minimisation and purpose limitation.

If you fail to provide Personal Data that is contractually or legally required, we may be unable to provide the Services associated with that data.

5. How We Share Your Personal Data

In accordance with Art. 13(1)(e) and 14(1)(e) GDPR, we may share your Personal Data with the following categories of recipients:

  • Group companies and affiliates

    For the purpose of providing and improving our Services and the Platform.

  • IT service providers

    External providers that host, maintain, and secure our technical systems and infrastructure.

  • Payment and financial services providers

    Providers of payment processing, banking, and financial infrastructure to facilitate transactions.

  • Customer support and communication providers

    Providers of communication platforms, call centres, or ticketing systems used for customer support.

  • Identity verification and compliance providers

    External vendors engaged for identity checks, AML/CTF screening, Travel Rule (TFR), PEP and sanctions list screening, and fraud prevention.

  • Legal advisors and auditors

    Lawyers, auditors, and other professionals where necessary for compliance or for the establishment, exercise or defence of legal claims.

  • Supervisory and public authorities

    Governmental or regulatory bodies and law enforcement agencies, where required by law or upon lawful request.

  • Potential acquirers or investors

    In the context of corporate transactions such as mergers, acquisitions or asset transfers, subject to confidentiality obligations.

  • Cloud and data storage providers

    Providers of cloud infrastructure and secure data storage.

  • External tax advisors

    Where needed for tax compliance and internal controls.

Where such recipients process Personal Data on our behalf, they act as processors under Art. 28 GDPR. We enter into data processing agreements with these processors, requiring them to:

  • act only on our documented instructions;

  • implement appropriate technical and organisational measures; and

  • maintain confidentiality and security of the Personal Data.

In some cases, recipients act as independent controllers, processing Personal Data for their own purposes (e.g. certain financial service providers subject to their own AML obligations). In these cases, data transfers are based on the relevant legal basis under Art. 6 GDPR, and a processing agreement under Art. 28 GDPR is not required.

In specific scenarios, data may also be processed under joint controllership within the meaning of Art. 26 GDPR, where two or more parties jointly determine the purposes and means of Processing. In such cases, we conclude a joint controller agreement setting out the respective responsibilities, particularly with regard to data subject rights and information obligations. The essence of such an arrangement is made available to Data Subjects upon request.

Disclosures to public authorities, courts and regulators are made solely on the basis of a legal obligation within the meaning of Art. 6(1)(c) GDPR, and such entities act as independent controllers.

6. International Data Transfers

Where we engage recipients outside the European Economic Area (EEA), your Personal Data may be transferred to and processed in third countries that may not provide the same level of data protection as the EEA.

In such cases, we ensure that appropriate safeguards are implemented in accordance with Chapter V GDPR, in particular:

  • reliance on an adequacy decision issued by the European Commission (Art. 45 GDPR); or

  • in the absence of an adequacy decision, conclusion of Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR); or

  • other appropriate safeguards under Art. 46 GDPR, where applicable.

We also use reputable cloud providers (for example, infrastructure services whose servers may be located in third countries such as Singapore), which may involve cross-border transfers.

In line with the CJEU ruling in Case C-311/18 (“Schrems II”), we conduct Transfer Impact Assessments (TIAs) to evaluate the legal environment in recipient countries and to ensure an essentially equivalent level of protection for your Personal Data. Where necessary, we implement supplementary measures (such as encryption and strict access controls) to complement SCCs and mitigate risks arising from local laws.

You may request further information or a copy of the relevant safeguards by contacting our DPO at [email protected].

7. Security of Your Personal Data

We take the security of your Personal Data very seriously. In accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

Such measures include, amongst others:

  • access controls;

  • encryption;

  • regular security assessments and audits;

  • secure software development practices.

Our security controls are regularly reviewed and updated in line with industry best practices and technical developments.

To further enhance the security of your account and Personal Data, we strongly recommend that you:

  • choose very strong and unique login credentials (username, password, PIN) and keep them confidential;

  • install and regularly update anti-virus, anti-spyware and firewall software;

  • keep your operating system and security software up to date;

  • disable unnecessary file and printer sharing, especially on internet-connected devices;

  • make regular backups of critical data;

  • consider using encryption technologies for highly sensitive information;

  • fully log off and clear your browser cache after each online session;

  • avoid installing or running software from unknown sources;

  • delete junk or chain emails and avoid opening attachments from unknown senders;

  • avoid disclosing personal or financial data to unverified websites;

  • avoid using computers or devices that cannot be trusted;

  • avoid accessing your account from public or shared computers (e.g. internet cafés).

You should immediately notify us at [email protected] if you become aware of any unauthorised use of, or access to, your account or login credentials.

While we take all appropriate measures under Art. 32 GDPR, you are responsible for maintaining the confidentiality and security of your login credentials. We cannot be held liable for unauthorised access or misuse of your account resulting from your failure to adequately protect your credentials, unless such access results from our own failure to implement appropriate security measures.

8. Your Privacy Rights

Under Articles 13–22 GDPR, you have the following rights in relation to your Personal Data, subject to the conditions and limitations set out in the GDPR:

  • Right of access (Art. 15 GDPR)

    To obtain confirmation as to whether we process Personal Data concerning you and, if so, access to such data and further information (e.g. purposes of Processing, categories of data, recipients).

  • Right to rectification (Art. 16 GDPR)

    To obtain correction of inaccurate Personal Data and completion of incomplete data.

  • Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

    To request deletion of your Personal Data in certain circumstances (e.g. where data is no longer necessary for the purposes collected, or where you withdraw consent and there is no other legal basis).

  • Right to restriction of Processing (Art. 18 GDPR)

    To request restriction of Processing where, for example, the accuracy of the data is contested, or Processing is unlawful and you oppose erasure.

  • Right to data portability (Art. 20 GDPR)

    Where Processing is based on consent or on a contract and carried out by automated means, to receive the Personal Data you provided to us in a structured, commonly used and machine-readable format and to transmit such data to another controller.

  • Right to object (Art. 21 GDPR)

    Where Processing is based on legitimate interests (Art. 6(1)(f) GDPR), to object on grounds relating to your particular situation. We will cease Processing unless we demonstrate compelling legitimate grounds which override your interests, rights and freedoms.

  • Right to withdraw consent

    Where Processing is based on consent (Art. 6(1)(a) GDPR and/or Art. 9(2)(a) GDPR), to withdraw your consent at any time. Withdrawal does not affect the lawfulness of Processing based on consent before withdrawal.

  • Right not to be subject to automated decision-making (Art. 22 GDPR)

    To not be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except in cases permitted by the GDPR.

  • Right to lodge a complaint (Art. 77 GDPR)

    To lodge a complaint with the Supervisory Authority, in particular the Austrian Data Protection Authority (DSB), Barichgasse 40–42, 1030 Vienna, Austria (https://www.dsb.gv.at).

  • Right to compensation (Art. 82 GDPR)

    If you suffer material or non-material damage as a result of a breach of the GDPR, to seek compensation from the controller or processor responsible.

You may exercise these rights free of charge. If requests are manifestly unfounded or excessive (e.g. by reason of their repetitive character), we may:

  • charge a reasonable fee based on administrative costs; or

  • refuse to act on the request.

We will respond without undue delay, and in any event within one month of receipt of your request, in accordance with Art. 12(3) GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. You will be informed of any such extension and the reasons for the delay.

If we are unable to act on your request, we will inform you within one month of receipt and provide the reasons. Where we have reasonable doubts about your identity, we may request additional information to verify it (Art. 12(6) GDPR).

Please note that in some cases we may not be able to fulfil your request, for example where:

  • we must retain data to comply with statutory retention requirements (e.g. AML, tax, accounting);

  • we must retain or disclose data in connection with civil, criminal or regulatory proceedings;

  • we must retain data to establish, exercise or defend legal claims;

  • deletion or restriction would conflict with legal privilege or proprietary information protected by law.

If you have any concerns about our use of your Personal Data, you can contact us at: [email protected]

9. Use of Cookies

We use cookies to provide a secure, user-friendly and technically optimised browsing experience on our website (the “Website”). In particular, cookies enable us to:

  • maintain user sessions across page requests;

  • remember your preferences;

  • improve usability and performance;

  • facilitate navigation;

  • support features such as login status.

For technically necessary cookies, Processing is carried out to pursue our legitimate interests in providing a properly functioning website

→ Art. 6(1)(f) GDPR.

Where cookies are used for analytics, marketing or personalisation, we only process your data based on your informed and freely given consent (Section 165(3) Telecommunications Act 2021, Art. 6(1)(a) GDPR). You may withdraw your consent at any time with effect for the future.

  • Session cookies are deleted when you close your browser.

  • Persistent cookies remain stored for a defined period or until you delete them.

You have full control over the use of cookies through your browser settings. Most browsers allow you to:

  • block cookies entirely;

  • be notified before a cookie is stored;

  • accept cookies only in certain cases;

  • automatically delete cookies when the browser is closed.

Please note: If you block cookies, some parts of our Website may no longer function as intended.

10. Data Protection in Connection with Crypto Assets and Blockchains

When using our Services involving Crypto Assets, certain Personal Data may be processed via public blockchain networks.

Public blockchains are decentralised ledgers that immutably record transactions across distributed networks. Although public keys or wallet addresses may not directly identify a person, they may qualify as Personal Data under the GDPR, particularly where they can be linked to an individual with additional information.

In line with Art. 5(1)(c) GDPR (data minimisation), we seek to limit the recording of Personal Data on blockchains to what is strictly necessary. Where possible, we store additional identifying data off-chain and only write pseudonymous identifiers (e.g. public keys) on-chain.

Blockchain networks are typically not under our control. In public blockchains, there is no hierarchical relationship between participants. Miners, validators and node operators generally act independently and qualify as separate controllers under the GDPR.

Due to the immutable nature of public blockchains, the erasure or modification of personal data stored on-chain may not be technically feasible. Consequently, certain data subject rights (e.g. rectification or erasure under Arts. 16 and 17 GDPR) may be limited in practice for data written to a blockchain. We will always inform you in advance when blockchain-based Processing is involved and explain any resulting limitations.

Where blockchain-based transactions involve international transfers of personal data, such transfers may be legitimised under Art. 49(1)(b) or (c) GDPR to the extent necessary for the performance of a contract or for the implementation of pre-contractual measures taken at your request.

11. Retention of Your Personal Data

We retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting or reporting requirements.

In particular:

  • Contract-related data – Art. 6(1)(b) GDPR

    Generally retained for the duration of the contractual relationship and until the expiry of applicable limitation periods (typically 3 years under Austrian civil law – Section 1486 General Civil Code), unless longer retention is required (e.g. in ongoing legal disputes). Where the extended 30-year limitation in Section 1487 General Civil Code applies, data may be retained for up to 15 years based on practical enforcement considerations.

  • Tax and accounting data

    Retained for a minimum of 7 years after the end of the relevant calendar year, in accordance with Section 132 Federal Fiscal Code and Section 212 Business Code.

  • Data processed on the basis of consent – Art. 6(1)(a) GDPR

    Retained until consent is withdrawn or the data is no longer required for the original purpose. Any further Processing occurs only where required by law (e.g. tax retention obligations or limitation periods).

  • KYC/AML data

    May be retained beyond standard periods, for example for up to 10 years following termination of the business relationship, in accordance with the Financial Markets Anti-Money Laundering Act and related regulations.

Once the relevant retention period has expired and there is no further legitimate purpose, the data will be securely deleted or anonymised in accordance with applicable law.

12. Automated Decision-Making and Profiling

We do not use your Personal Data for automated decision-making, including profiling, within the meaning of Art. 22(1) and (4) GDPR. You are not subject to any decision based solely on automated Processing which produces legal effects concerning you or similarly significantly affects you.

13. Children Under 14

Our Services are not intended for children under the age of 14.

Where we offer information society services directly to a child and rely on consent under Art. 6(1)(a) GDPR, such consent is only valid if the child is at least 14 years old in accordance with Section 4(4) DSG. If the child is younger than 14, Processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility.

If we become aware that we have collected Personal Data from a child under 14 without valid consent, we will delete such data without undue delay, unless we are legally required to retain it.

14. Contact Us

If you have any questions about this Policy or how we process your Personal Data, or if you wish to exercise your rights under Arts. 15–22 GDPR (e.g. access, rectification, erasure, restriction, objection, data portability), you can contact us at:

Email: [email protected]

15. Policy Changes

This Policy is current as of the effective date set out below. We may amend this Policy from time to time. Any changes will be posted on the Cryptonow Website.

Effective date: 1st of February 2026