Privacy Policy

As of May 2024

1. Introduction

Luso Digital Assets respects your privacy and is committed to protecting your personal data. This Privacy Policy (or “Policy”) is issued on behalf of Luso Digital Assets, Lda. a company incorporated in Portugal with its registered office address at Rua Princesa D. Amélia, Nº 20 L, Funchal 9000 - 019 Portugal.

This Policy is issued in compliance with Regulation (EU) 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (or General Data Protection Regulation) and other legislation that may be issued on a national and European level regarding these matters.

It is vital that you read this Policy together with any other policies we may issue regarding the collection and processing of personal data, so that you are fully aware of how and why we are using your data.

Although this Privacy Policy is of Luso Digital Asset’s responsibility, as the controller, the company nominated a data protection officer, who is responsible for overseeing any questions in relation to this Policy.

If you have any questions about this Policy, including any requests to exercise of any legal rights, please contact data protection officer by the using the details set out in Section 9 below.

2. Purpose

The purpose of this Policy is to inform you – as our clients, visitor or possible clients – as to how we handle your personal data when you use our services, visit our website and use the functionalities contained within the same (regardless of where you visit it from), to inform you about your privacy rights and how the law protects you.

This website and all of Luso Digital Assets’ services are not intended for children, or anyone under the age of 18 (eighteen) years old. We do not knowingly collect data relating to children or anyone under the age of 18 (eighteen).

3. Collection of your personal data

Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible and easily accessible form relating to data processing, please read the chart below where you will find further information about this topic.

Question

Further information

What information do we collect about you and on what grounds?

We may collect, use, store and transfer different kinds of personal data about you. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We have grouped together the personal data we may collect as follows:

Identity data includes first name, middle names, last name, username or similar identifier, date of birth, gender, ID number (and full copy of your ID document), tax identification number, photo, nationalities, profession, among others.

Contact data includes physical address (primary and fiscal), email address and telephone numbers.

Financial data includes bank account information.

Transaction data includes details about payments to you and transactions you perform to your selected beneficiaries. This information includes the wallet address, amount, currency, type of transaction, source of funds, exchange rate, recipient name and bank details.

Technical data ludes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the website.

Profile data includes your interests, preferences, feedback and survey responses.

Data imported by the user includes reputation or trade history.

Usage data includes information about how you use the website.

Aggregated data such as statistical or demographic data that is derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. We may aggregate your usage data (e.g., information about how you use our website and related features) to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.

If our client is a legal person, besides information and documents regarding the entity/company, we may also request the aforementioned data regarding its managers, directors, ultimate beneficial owners, partners, associates, etc., for the purposes of complying with the Anti Money Laundering-Law or other that is applicable.

Through the course of our business relationship, we may ask for additional evidence in order for us to comply with our legal obligations. These additional evidences can include, but are not limited to, documents required to verify any information provided to us or evidence of source of your funds and/or or your wealth.

We collect all of the data identified above to comply with national and European legislation regarding Anti-Money Laundering and Counter Terrorist Financing, namely the Portuguese Law no. 83/2017 of August 18th and the Directive (EU) 2015/849 of the European Parliament and of the Council, of 20 May 2015, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

We do not collect any details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. Nor do we collect any information about criminal convictions and/or offences.

How do we collect your personal data?

We use different methods to collect data from and about you, including:

Direct interactions you may give us your personal information by completing our onboarding process and providing supporting information and/or documentation for the purposes of helping us follow our compliance obligations, filling in forms or by corresponding with us by post, phone, email or otherwise.

This includes personal data you provide when you:

  • apply for our products or services;
  • request marketing to be sent to you;
  • give us some feedback.

Automated technologies or interactions technical data about your equipment, browsing actions and patterns that we may automatically collect as you interact with our website, by using cookies and other similar technologies. Please see our Cookie Policy for further details.

Third parties or publicly available sources we may receive personal data about you or technical data about you from parties, such as Google Analytics based outside the EU.

Do you have to provide us with your personal data?

Do you have to provide us with your personal data? We require certain personal data (1) to allow you to use our services and the website and (2) when we need to collect personal data as imposed by law.

How do we use your personal data?

We will only use your personal data when the law allows us to, namely laws regarding Anti-Money Laundering and Counter Terrorist Financing or other that may be applicable. Most commonly, we will use your personal data in the following circumstances:

  • Register you as a new customer;
  • To verify your identity;
  • To provide you with our services;
  • To make suggestions and recommendations to you about the goods or services that may be of interest to you;
  • Asking you to participate in a survey or provide feedback relating to the website or our services;
  • Sending out circulars, reminders, and any important notifications;
  • Sending marketing communications if you have requested information from us (or purchased services from us);
  • Where it is necessary for our legitimate interest s (or those of a third party) and your interests and fundamental rights do not override those interests;
  • Where we need to comply with a legal or regulatory obligation;
  • To improve our website.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and permitted by law.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules and laws, when this is required or permitted by said rules and laws.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message, case in which we will specifically ask for you informed and express consent. You have the right to withdraw consent to marketing at any time by contacting us.

Do you have to inform of us of any changes to your personal data?

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

Also, as a data subject, you have the right to, without undue delay, rectify any inaccurate or incomplete personal data that we hold concerning yourself, including by means of providing a supplementary statement.

When do we disclose your personal data?

Your personal data will be shared with the website’s hosting provider, only to the extent necessary to fulfil the website-related services. We partner with and are supported by service providers around the world. Personal information will be made available to these parties only when necessary to fulfil the services they provide to us, such as website, software, system, and platform support; direct marketing services; cloud hosting services; advertising; data analytics; and order fulfilment and delivery. Also, when using our services, your personal data will be shared with our payment providers and banking partners, such as intermediary or beneficiary banks, for the purposes of performing the relevant transaction. This data sharing is absolutely vital to provide us with our services. For transparency, verification, and due to legal requirements, we are required to include certain information on the payment which could include:

  • Your name;
  • Your date of birth;
  • Your address;
  • Beneficiary details;
  • Your identity document.
  • Or other data/personal information legally required.

In the course of using our services, we may need to share necessary information on to Governmental departments, regulatory bodies, the police/law enforcement agencies or other third parties We will only share your data with these bodies if and when we are legally compelled to do so.

Also, please know that all of our employees and contractors are required to follow our data privacy and specific security policies when handling personal information.

Still regarding the disclose of your personal data, please be informed that we may partner/contract with other organizations and, as part of these arrangements, you may be a customer of our business partners in addition to Luso Digital Assets. You should review the privacy statements of our partners if you would like to know more about the information they collect.

Our third-party service providers are not permitted to share or use the personal information we make available to them for any other purpose other than to provide us services with their services.

Also, we require all third parties we enter into contracts with to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We will only share your personal information when we believe it is required, such as to comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities.

4. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees and third parties who indubitably need to know such information. They will only process your personal data according to our instructions, and they are subject to a duty of confidentiality and contractual obligations that abide them to follow the law.

We store all data electronically, in a secure manner, to protect its confidentiality, integrity and availability. These data is stored on AWS (Amazon Web Services) servers which are protected by actively maintained firewalls. The AWS servers are encrypted and managed by Amazon, a company also bound to comply with legislation regarding data protection and with a comprehensive policy on these matters – for further information on how AWS manages data, please check their policy here: https://aws.amazon.com/pt/compliance/gdpr-center/

Also, we make use of up-to-date anti-virus software and our servers have restricted access. We cannot guarantee the security of information collected or transmitted electronically however; we take reasonable care to safeguard your personal information. However, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

5. Data retention

The personal data collected and processed by Luso Digital Assets will be kept for the entire period in which the registration of your user is on our website. You may, at any time, ask Luso Digital Assets to erase the personal data that you have transmitted. Request to which Luso Digital Assets will attend if the law allows it. In order to comply with certain legal obligations, namely obligations under the Anti Money Laundering national and European legislation, Luso Digital Assets processes personal data for a longer period than expected, such as the legal limitation period associated with the prevention of money laundering and terrorist financing, which is 7 (seven) years.

6. Your legal rights

Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible and easily accessible form relating to client’s rights in the scope of data privacy, please read the chart below where you will find further information about this topic.

Legal right

Further information

Request access to your personal data (commonly known as a “data subject access request”)

This enables you, as the data subject, to obtain confirmation from Luso Digital Assets as to whether or not personal data concerning you is being processed, and, if so, grants you access to your personal data and the following information:

  • The purposes of the processing of your data;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request from Luso the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • The right to lodge a complaint with a supervisory authority;
  • If the personal data was not collected from the data subject (you), any available information as to their source;
  • The existence of automated decision-making, including profiling, and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Request the correction of the personal data we hold about you

Request the correction of the personal data we hold about you This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data (“Right to be forgotten”)

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it, subject to our legal and contractual obligations, or if you withdraw consent on which the processing is based and where there is no other legal ground for the processing.

You also have the right to ask us to delete or remove your personal data when:

  • You have successfully exercised their right to object to processing (please, see below for further information regarding this right);
  • We may have processed your information unlawfully; or
  • When we are required to erase your personal data to comply with the law.

Note, however, that we may not always be able to comply with your request of erasure, for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data

You can object to processing if we are relying on a legitimate interest (or that of a third party), but you feel such processing impacts your fundamental rights and freedoms. However, you can not object to the processing if said processing arises from a legal obligation or where we must process your information to satisfy a contract to which you are a party (for example, to provide you with our services).

Request restriction of processing of your personal data

This enables you to ask us to suspend the processing of your personal data in the following scenarios:

  • If you want us to establish the data’s accuracy;
  • If our use of the data is unlawful, but you do not want us to erase it;
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party (“Right to data portability”)

Request the transfer of your personal data to you or to a third party (“Right to data portability”) We will provide your personal data to you, or a third party you have chosen, in a structured, commonly used, machine-readable format, as long as this does not adversely affect the rights and freedoms of others.

Withdraw consent at any time where we are relying on consent to process your personal data

You have the right to withdraw your consent for the processing of specific data, at any time, if we are relying on consent to process this specific personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact our data protection officer as foreseen in Section 9 below.

Additional information regarding the exercise of your rights

A. What will you need from me if you wish to make a subject access request?

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

B. Do I need to pay to access my personal data?

You will not have to pay any fees to access your personal data (or to exercise any of the other rights). However, and as foreseen in the General Data Protection Regulation 2016/679 of the European Parliament, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

C. How long will it take to respond to my subject access request?

We try to respond to all legitimate requests within 1 (one) month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

7. Reviews and amends to the Policy

Our Privacy Policy is reviewed regularly to ensure that any new obligations and technologies, as well as any changes to our business operations and practices, are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Policy. Luso Digital Assets is entitled to the right to amend this Policy whenever should be necessary. Every time an amend takes place, the updated Policy will be duly published in our public website.

8. Complaints

If you have a complaint about this Policy or any element of how we use your personal data, then please contact us first, through our data protection officer as foreseen in Section 9 below. If you are not satisfied and are located in an EEA country, then please contact your local data protection authority. You have the right to present a formal complaint. In Portugal said authority is CNPD – Comissão Nacional de Protecção de Dados, and its website is: https://www.cnpd.pt/

If you are based in, or the issue you would to complain about took place in the EEA, please visit this website (https://edpb.europa.eu/aboutedpb/board/members_en) for a list of local data protection authorities in other EEA countries.

9. Contact details

We have appointed a data protection officer (DPO) who is responsible for, among other things, overseeing questions in relation to this Privacy Policy.

If you have any doubts or queries about this Policy or other matter related to data protection or processing, including any requests to exercise your legal rights, please contact our DPO Iara Batista, using the following e-mail address: iara.batista@lusodigitalassets.com