Privacy Policy

As of September 2024

1. Introduction

Luso Digital Assets (hereinafter, Luso) respect the privacy of the user and is committed to protecting his personal data. This Privacy Policy (or “Policy”) is issued on behalf of Luso, a company incorporated in Portugal with its registered office address at Rua Princesa D. Amélia, Nº 20 L, Funchal 9000 - 019 Portugal.

This Policy is issued in compliance with Regulation (EU) 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (or General Data Protection Regulation) and other legislation that may be issued on a national and European level regarding these matters.

It is vital that the user read this Policy together with any other policies Luso may issue regarding the collection and processing of personal data, so that the user is fully aware of how and why Luso is using his data.

If the user has any questions about this Policy, including any requests to exercise of any legal rights, he should contact compliance department by using the details set out in Section 9 below.

2. Purpose

The purpose of this Policy is to inform the user– as client, visitor or possible client – as to how Luso handles his personal data when in use of Luso’s services, visits the website and uses the functionalities contained within the same (regardless of where it visits it from), to inform about his privacy rights and how the protection given by law.

This website and all of Luso’s services are not intended for children, or anyone under the age of 18 (eighteen) years old. Luso do not knowingly collect data relating to children or anyone under the age of 18 (eighteen).

3. Collection of personal data

Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible and easily accessible form relating to data processing, please read the chart below where will find further information about this topic.

Question	Further information
What information do Luso’s collect about the user and on what grounds?	Luso may collects, uses, stores and transfer different kinds of personal data. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Luso had grouped together the personal data that might be collected as follows: Identity data includes first name, middle names, last name, username or similar identifier, date of birth, gender, ID number (and full copy of your ID document), tax identification number, photo, nationalities, profession, among others. Contact data a includes physical address (primary and fiscal), email address and telephone numbers. Financial data includes bank account information. Transaction data includes details about payments to the user and transactions performed to selected beneficiaries. This information includes the wallet address, amount, currency, type of transaction, source of funds, exchange rate, recipient name and bank details. Technical data a includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plugin types and versions, operating system and platform, and other technology on the devices the user uses to access the website. Profile data includes interests, preferences, feedback and survey responses. Data imported by the user includes reputation or trade history. Usage data includes information about how the client uses the website. Aggregated data such as statistical or demographic data that is derived from the user’s personal data but is not considered personal data in law as this data will not directly or indirectly reveal his identity. Luso may aggregate his usage data (e.g., information about how the use of the website and related features) to calculate the percentage of users accessing a specific website feature. However, if combine or connect aggregated data with his personal data so that it can directly or indirectly identify him, Luso will treat the combined data as personal data which will be used in accordance with this Policy. If the client is a legal person, besides information and documents regarding the entity/company, Luso may also request the aforementioned data regarding its managers, directors, ultimate beneficial owners, partners, associates, etc., for the purposes of complying with the Anti Money Laundering-Law or other that is applicable. Through the course of the business relationship, Luso may ask for additional evidence in order to comply with legal obligations. These additional evidences can include, but are not limited to, documents required to verify any information provided to Luso or evidence of source of funds and/or or wealth. Luso collects all of the data identified above to comply with national and European legislation regarding Anti-Money Laundering and Counter Terrorist Financing, namely the Portuguese Law no. 83/2017 of August 18th and the Directive (EU) 2015/849 of the European Parliament and of the Council, of 20 May 2015, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. Luso do not collect any details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about user’s health, and genetic and biometric data. Nor do collect any information about criminal convictions and/or offences.
How Luso collects user’s personal data?	Luso uses different methods to collect data from and regarding the user, including: Direct interactions – it may give us personal information by completing the onboarding process and providing supporting information and/or documentation for the purposes of helping Luso follows our compliance obligations, filling in forms or by corresponding with Luso by post, phone, email or otherwise. This includes personal data you provide when you: Apply for Luso’s products or services; Request marketing to be sent to him; Give Luso some feedback. Automated technologies or interactions technical data about user’s equipment, browsing actions and patterns that Luso may automatically collect as the user interacts with our website, by using cookies and other similar technologies. Please see our Cookie Policy for further details. Third parties or publicly available sources – Luso may receive personal data about the user or technical data about him from parties, such as Google Analytics based outside the EU.
Do the user has to provide Luso, his personal data?	Luso requires certain personal data (1) to allow the user to use Luso’s services and the website and (2) when Luso need to collect personal data as imposed by law
How do Luso uses personal data?	Luso will only use personal data when the law allows to, namely laws regarding Anti-Money Laundering and Counter Terrorist Financing or other that may be applicable. Most commonly, Luso will use personal data in the following circumstances: Register as a new customer; To verify the identity; To provide user with Luso’s services To make suggestions and recommendations about the goods or services that may be of interest; Asking to participate in a survey or provide feedback relating to the website or Luso’s services; Sending out circulars, reminders, and any important notifications; Sending marketing communications if it had requested information from Luso (or purchased services from Luso); When it is necessary for Luso’s legitimate interests (or those of a third party) and user’s interests and fundamental rights do not override those interests; When Luso needs to comply with a legal or regulatory obligation; To improve the website. Luso will only use user’s personal data for the purposes for which Luso collected it, unless it is reasonable to consider that Luso’s will need to use it for another reason and that reason is compatible with the original purpose and permitted by law. Please note that Luso may process user’s personal data without his knowledge or consent, in compliance with the above rules and laws, when this is required or permitted by said rules and laws. Generally, Luso do not rely on consent as a legal basis for processing user’s personal data other than in relation to sending third party direct marketing communications to him via email or text message, case in which Luso will specifically ask for informed and express consent. The user have the right to withdraw consent to marketing at any time by contacting Luso.
Do the user has to inform Luso of any changes to his personal data?	It is important that the personal data Luso holds about the user is accurate and up to date. Please keep Luso informed if personal data changes during the relationship between parties. Also, as a data subject, users has the right to, without undue delay, rectify any inaccurate or incomplete personal data that Luso holds concerning himself, including by means of providing a supplementary statement.
When do Luso discloses, user’s personal data?	User’s personal data will be shared with the website’s hosting provider, only to the extent necessary to fulfil the website-related services. Luso partners with and are supported by service providers around the world. Personal information will be made available to these parties only when necessary to fulfil the services they provide to Luso, such as website, software, system, and platform support; direct marketing services; cloud hosting services; advertising; data analytics; and order fulfilment and delivery. Also, when using Luso’s services, user’s personal data will be shared with payment providers and banking partners, such as intermediary or beneficiary banks, for the purposes of performing the relevant transaction. This data sharing is absolutely vital to provide our services. For transparency, verification, and due to legal requirements, Luso is required to include certain information on the payment which could include: Name Date of birth Address; Beneficiary details; Identity document; Or other data/personal information legally required. In the course of using Luso’s services, it might be needed to share necessary information on to Governmental departments, regulatory bodies, the police/law enforcement agencies or other third parties. Luso will only share user’s data with these entities if and when legally compelled to do so. Also, please note that all of Luso’s employees and contractors are required to follow this data privacy and specific security policies when handling personal information. Still regarding the disclose of user’s personal data, please be informed that Luso may partner/contract with other organizations and, as part of these arrangements, the user may be a customer of Luso’s business partners in addition to us. Users should review the privacy statements of Luso’s partners if it would like to know more about the information they collect Our third-party service providers are not permitted to share or use the personal information Luso make available to them for any other purpose other than to provide us services with their services. Also, Luso requires all third parties we enter into contracts with to respect the security of user’s personal data and to treat it in accordance with the law. Luso do not allows our third-party service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with our instructions. Luso will only share personal information when we believe it is required, such as to comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities.

4. Data security

Luso had implemented appropriate security measures to prevent user’s personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.

In addition, Luso limit the access to personal data to those employees and third parties who indubitably need to know such information. They will only process personal data according to Luso’s instructions, and they are subject to a duty of confidentiality and contractual obligations that abide them to follow the law.

Luso stores all data electronically, in a secure manner, to protect its confidentiality, integrity and availability. These data are stored on AWS (Amazon Web Services) servers which are protected by actively maintained firewalls. The AWS servers are encrypted and managed by Amazon, a company also bound to comply with legislation regarding data protection and with a comprehensive policy on these matters – for further information on how AWS manages data, please check their policy here: https://aws.amazon.com/pt/compliance/gdpr-center/

Also, Luso make use of up-to-date anti-virus software and our servers have restricted access. Luso cannot guarantee the security of information collected or transmitted electronically however; we take reasonable care to safeguard your personal information. However, Luso had implemented several procedures to deal with any suspected personal data breach and will notify the user and any applicable regulator of a breach where and when legally required to do so.

5. Data retention

The personal data collected and processed by Luso will be kept for the entire period in which the registration of user in website.

Users may, at any time, ask Luso to delete the personal data that it had transmitted. Request to which Luso will attend if the law allows it.

In order to comply with certain legal obligations, namely obligations under the Anti Money Laundering national and European legislation, Luso processes personal data for a longer period than expected, such as the legal limitation period associated with the prevention of money laundering and terrorist financing, which is 7 (seven) years.

6. User’s legal rights

Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible and easily accessible form relating to client’s rights in the scope of data privacy, please read the chart below where will find further information about this topic.

Legal right	Further information
Request access to personal data (commonly known as a “data subject access request”)	This enables the user, as the data subject, to obtain confirmation from Luso as to whether or not personal data concerning him, is being processed, and, if so, grants him access to personal data and the following information: The purposes of the processing of user’s data; The categories of personal data concerned; The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations; Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; The existence of the right to request from Luso the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; The right to lodge a complaint with a supervisory authority; If the personal data was not collected from the data subject (user), any available information as to their source; The existence of automated decision-making, including profiling, and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Request the correction of the personal data	This enables the user to has any incomplete or inaccurate data Luso holds about him corrected, though Luso may need to verify the accuracy of the new data provided.
Request erasure of personal data (“Right to be forgotten”)	This enables the user to ask Luso to delete or remove personal data where there is no good reason for continuing to process it, subject to legal and contractual obligations, or if user’s withdraw consent on which the processing is based and where there is no other legal ground for the processing. Users also has the right to ask Luso to delete or remove personal data when: Had successfully exercised their right to object to processing (please, see below for further information regarding this right); Luso may had processed information unlawfully; or When Luso is required to erase personal data to comply with the law. Note, however, that Luso may not always be able to comply with the request of erasure, for specific legal reasons which will notify the user, if applicable, at the time of his request.
Object to processing of personal data	Users can object to processing if Luso is relying on a legitimate interest (or that of a third party), but it feels such processing impacts his fundamental rights and freedoms. However, the users can not object to the processing if said processing arises from a legal obligation or where Luso must process user’s information to satisfy a contract to which it is party (for example, to provide it with Luso’s services).
Request restriction of processing of personal data	This enables the user to ask to suspend the processing of personal data in the following scenarios: If he wants Luso’s to establish the data’s accuracy; If the use of the data is unlawful, but it do not want Luso to erase it; Where it need Luso to hold the data even if no longer require it as the user need it to establish, exercise or defend legal claims; or The user have objected to Luso’s use of his data, but it’s needed to verify whether Luso’s have overriding legitimate grounds to use it.
Request the transfer of personal data to itself or to a third party (“Right to data portability”)	Luso will provide it personal data to user, or a third party it had chosen, in a structured, commonly used, machine-readable format, as long as this does not adversely affect the rights and freedoms of others.
Withdraw consent at any time where Luso is relying on consent to process personal data	Users has the right to withdraw the consent for the processing of specific data, at any time, if Luso’s is relying on consent to process this specific personal data. This will not affect the lawfulness of any processing carried out before the withdraw of consent. If the user’s withdraw it consent, Luso may not be able to provide certain products or services to it. Luso will advise if this is the case at the time it withdraw your consent.

If the users wish to exercise any of the rights set out above, please contact Luso as foreseen in Section 9 below.

Additional Information on the Exercise of User Rights

A. What is required if the user wishes to make a request for access to personal data?

Luso may request specific information from the user to help confirm their identity and ensure the right to access personal data (or to exercise any of the other rights). This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it.

Luso may also contact the user to request further information regarding the access request in order to expedite the response.

B. Is it necessary to pay a fee to access personal data?

There is no fee required to access personal data (or to exercise any of the other rights). However, as provided for in the General Data Protection Regulation 2016/679 of the European Parliament, Luso may charge a reasonable fee if the request is manifestly unfounded, repetitive, or excessive. Alternatively, Luso may refuse to fulfill the request in these circumstances.

C. What is the response time for a personal data access request?

Luso makes every effort to respond to all legitimate requests within 1 (one) month. Occasionally, it may take longer than a month if the request is particularly complex or if multiple requests have been made. In such cases, Luso will notify the user to keep them updated.

7. Revisions and Changes to the Policy

Luso’s Privacy Policy is regularly reviewed to ensure that any new obligations and technologies, as well as any changes in business operations and practices, are considered, and to keep the user informed of changes in the regulatory environment. Any personal information Luso holds will be governed by our most recent Privacy Policy. Luso reserves the right to amend this Policy whenever necessary. Whenever a change occurs, the updated Policy will be duly posted on the website.

8. Complaints

If the user has a complaint about this Policy or any aspect of how Luso uses personal data, they should contact Luso as outlined in Section 9 below. If they are not satisfied and are located in an EEA country, they may contact the local data protection authority. The user has the right to file a formal complaint. In Portugal, this authority is the CNPD – Comissão Nacional de Proteção de Dados, and the website is: https://www.cnpd.pt/.

If the user is located or the issue they wish to complain about occurred within the EEA, they may visit this site ( https://edpb.europa.eu/about-edpb/board/members_en) to obtain a list of local data protection authorities in other EEA countries.

9. Contact details

Luso’s compliance department is responsible, among other things, for overseeing matters related to this Privacy Policy.

If there are any questions or concerns regarding this Policy or other data protection or processing matters, including any requests to exercise legal rights, the user should contact our compliance department via the following email address: legal@lusodigitalassets.com..