The data controller is BB Trade Estonia OÜ, with its registered office in Harju maakond, Tallinn, Lasnamäe linnaosa, Tähesaju tee 9, 13917 ESTONIA (office no. 10, 2nd floor), incorporated under Estonian law and registered in the Register of Entrepreneurs of the Ministry of Justice of the Republic of Estonia with the number 14814864; share capital: EUR 350.000.00, fully paid-up, (hereinafter referred to as the ‘Controller’).
The purpose of this Policy is primarily to inform the users, visitors and interested parties about their rights in relation to the processing of their data by the Controller.
In our activities we commit to comply with this Policy and with the requirements of the provisions of the law in force, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘GDPR’) and the Estonian Act on Personal Data Protection of 12 December 2018.
Whenever this Policy mentions:
- Processing – this means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Personal data – this means any information relating to an identified or identifiable natural person (‘data subject’). This includes the data of users and interested parties;
- Processor – this means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
- Profiling – this means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- Pseudonymisation – this means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- User – this means a person or entity having registered at https://zondacrypto.com and being in the process of verification;
- Client – this means a person or entity, with whom the Controller entered a business relationship, i.e. passed the process of verification;
- Visitor – this means a person browsing the website, https://zondacrypto.com;
- Interested party – this means a person having submitted an inquiry/report via www.zondacrypto.com or to the contact data specified at https://zondacrypto.com/en/contact.
- Fiat currency – currency recognised by at least one country as an official means of payment (e.g. EUR, USD, GBP, PLN);
- Cryptocurrency – any virtual currency, which digitally represents value (e.g. BTC, ETH, USDT, XRP).
II. Categories of data processed
The Controller collects and processes the following categories of personal data:
- User’s data such as e-mail address, login, full name, safety code, citizenship, residency, country of birth, login history (both successful and unsuccessful), phone number, national identification number (e.g. PESEL number, Social Security Number, and other analogues), date of birth, sex, data from personal ID card/passport/residency card (series and number, expiry date, place of issue, state of issue), image (photo, video or linked via a third-party tool, incl. Facebook, Google or Weibo), residence address (street name, street number, apartment number, postal code, city, country), data from utility bills, information about business activity, purpose of creating an account, source of funds transferred into the exchange, source of funds available to the user, information about any political positions held (status of a Politically Exposed Person (‘PEP’) or a PEP’s family member or close collaborator), exchange transaction details from Fiat currencies into Cryptocurrencies, Cryptocurrencies into other Cryptocurrencies and Cryptocurrencies into Fiat currencies (amount spent, date, time, vouchers or offers used), data for fraud prevention, data required by anti-money laundering (‘AML’) provisions, payment data (including verification data); data from your messages concerning the Services (e.g. chat logs and support requests) or your feedback about your experience with the Controller; additionally for corporate users: form of legal organization, company name/business alias, Tax ID (NIP), KRS (Polish National Court Register) or some other company register, REGON (statistical number), country of business, date of formation, website, information about board members, information about real beneficiaries, information about partners/shareholders (equity structure, how many shares held);
- Visitor's data such as the computer’s IP address, pages opened, duration of the visit, number of the various page views, number of visits, referral source; however, these are only used for statistical purposes and to improve the website’s contents – use of Google Analytics, and, if the user uses portable devices, then the identification data of that device, data of the ISP and the subscriber’s data; however, these shall only be used for statistical purposes or to ensure the correct operation of the website;
- Data of interested parties such as e-mail address, title, category, subject and body of the message, image (face photo and ID document) – where necessary to establish identity.
III. Legal basis and purpose of processing
The legal basis for data processing by the Controller is:
- Your freely given consent for data processing (Article 6(1)(a) GDPR) concerning a request submitted via the contact form available at www.zondacrypto.com or using the contact data available at https://zondacrypto.com/en/contact, wherein making contact with the Controller along with providing Personal data is treated as an expression of the required consent;
- requirements of the contract i.e. Data processing is necessary for accessing and browsing www.zondacrypto.com, registering and using an account here (Article 6(1)(b) GDPR);
- compliance with a legal obligation i.e. the data processing is necessary in order to comply with the Controller’s legal obligation, such as tax obligations or obligations under Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU; Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (text with EEA relevance), hereinafter the ‘AML Directive’, and the Estonian Act of 26 October 2017 on the Prevention of Money Laundering and Terrorism Financing, hereinafter the ‘AML Act’;
- the Controller’s legitimate interest (Article 6(1)(f) GDPR) including, without limitation, improving the quality of services and adapting them to the needs of the users, interested parties and visitors, responding to your requests, making the website and the services more effective, safeguarding the security of the Controller’s website, sending out the newsletter and marketing the Controller’s own products.
The provision of Personal data by users is voluntary but is required in order to be able to use the Controller’s services provided via https://zondacrypto.com
In the majority of cases, we obtain the data directly from you via our website, which you visit, and by tracing your activity on it, as well as your provision of the data necessary in order to register an account and authenticate your identity on our website.
The personal data of persons visiting the Controller’s website shall be processed starting from your visit to the website. If you do not accept this Policy, please cease any further activity and leave the site.
In remaining cases, we process such personal data as you provide when sending requests via our contact form.
IV. Automated processing decision
Personal data of Users are partially subject to an automated processing decision when verification of the User's account on the site https://zondacrypto.com using the Onfido program (Onfido Limited). The Onfido program, in an automated manner, recommends if the User's verification can be approved, denied or reassigned for manual verification by the Controller. Therefore, the User's verification process is not fully automated, as the final decision about establishing or not establishing a business relationship is made by the Controller. Your submission to the above-mentioned verification process is necessary to use the services of the Controller provided by the website https://zondacrypto.com, including primarily the performance of the contract by the Data Controller which, according to Art. 22 sec. 2, point a of GDPR excludes your right to request the exemption for you from automated processing of Personal Data.
V. Your rights
In the context of the processing of your Personal data, you have the following rights:
- right to access the Personal data – the data subject has the right to receive confirmation from us that the subject’s data are indeed processed by us, or not, and if so, then to demand access to their own personal data. Information about access includes, without limitation, the purpose of data processing, the categories of data processed and the recipients or categories of recipients to whom your data have been or shall be disclosed. This is not an absolute right, however, and your right of access may find some limitations due to the interests of other people. You have the right to receive a copy of your data being processed. Receiving the first copy is free of charge.
- right to have the data rectified – the data subject has the right to require the Controller to rectify the data subject’s Personal data without delay when such data are inaccurate;
- right to be forgotten – the data subject has the right to require the Controller to erasure the subject’s data without delay, and the Controller has the obligation to delete such data without unnecessary delay if one of the legal grounds for this is met;
- right to restrict the Processing – the data subject has the right to require the Controller to restrict the processing in the following cases:
- the data subject disputes the accuracy of the data – for a period allowing the Controller to verify the accuracy of such data;
- the processing is unlawful and the data subject opposes the deletion of the data, instead requiring that the processing be restricted;
- the Controller no longer needs the data for the purposes of the processing, but the data subject needs the data for the purpose of determining, pursuing or defending themselves against claims;
- the data subject has lodged an objection against the processing – until it can be determined whether the Controller’s legitimate reasons override the data subject’s objection.
- right to object – the data subject may at any time object to the processing in the light of the subject’s individual situation. This is not an absolute right, and in some situations it shall not apply; for example when the processing is necessary in order to protect a right in judicial proceedings;
- right to data portability – the data subject has the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from the Controller, after meeting certain requirements specified by the provisions of the law;
- right to lodge an objection with the supervisory body – the data subject has the right to lodge an objection with the supervisory body, which in this case is the Estonian Data Protection Inspectorate (39 Tatari St., 10134 Tallinn, Estonia), you can exercise this right when you believe that we are processing your data without justification or not in compliance with the provisions of the law in force.
If you want to exercise any of the above-described rights or you have any questions concerning the processing of your data, please contact us at
- (e-mail): [email protected]
- or (by registered mail): BB Trade Estonia OÜ, Harju maakond, Tallinn, Lasnamäe linnaosa, Tähesaju tee 9, 13917 ESTONIA (office no. 10, 2nd floor).
For security reasons, we may require your requests to be made in written form. We have the right to decline your requests if we have reasonable grounds to believe that they are unfair, impossible to comply with or could threaten the privacy of others.
If you believe that we are processing your personal data in violation of the provisions in force, you always have the right to lodge an objection with the supervisory body – the Estonian Data Protection Inspectorate at 39 Tatari, 10134 Tallinn, Estonia.
VI. Data transfer
If necessary, the Controller may transfer your data to the following third parties for processing:
- business partners, banks, payment operators – if necessary in connection with our business activity, especially for the purpose of performing our contracts with such third parties, providing services and ensuring the appropriate standards of performance and compliance with the provisions of the law and safety requirements, communicating with you and with third parties, meeting financial obligations and responding to your requests and legal demands;
- data processors (processing entities)
The Controller may enter into written data processing contracts with another entity (processor). The right to enter into such contracts arises from the provisions of the law. Processors may include, without limitation: IT service providers, auditors, accounting firms, outsourced workforce providers, customer service software providers, e-mail operators (Google Inc.), server hosting providers.
Processors shall be contractually required to implement appropriate technical and organizational measures in order to protect the data of interested persons and users and to process such data only in accordance with the Controller’s instructions.
For the purpose of registering an account on https://zondacrypto.com and for verification of your identity, your data shall be transferred for processing to entities providing the authentication of scans of documents as a service (Onfido Limited, LexisNexis Risk Solutions Europe Limited, Fully Verified OU).
In addition, for the purpose of sending you, as Users and Clients, email messages, your Personal Data will be entrusted to the mailing service provider, Insider Services UK Limited.
Taking the above into account, therefore, we inform you that the processors, namely Onfido Limited and Insider Services UK Limited, are based in a third country within the meaning of the GDPR, i.e. the United Kingdom. However, the European Commission has formally confirmed that the United Kingdom of Great Britain and Northern Ireland provides an adequate level of protection of personal data, allowing the free transfer of personal data from the European Economic Area without the need for additional authorisations or the implementation of additional safeguards under Chapter V of the GDPR.
Additionally, please be informed that the data controller transfers your personal data to the business partner - Intercom R&D Unlimited Company (2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin, Ireland) oraz Intercom, Inc. (55 2nd Street, 4th Fl., San Francisco, CA 94105, USA), as well as other companies from INTERCOM group, while you use the chat on the website https://zondacrypto.com. Currently, the USA does not ensure an adequate level of protection of your data (mainly due to the loss of legal force of the Privacy Shield) due to the lack of a decision by the European Commission regarding the determination of an adequate level of personal data protection, and we do not provide appropriate safeguards specified in art. 46 GDPR, including that we have not concluded standard contractual clauses with the data recipient, and we do not have binding corporate rules. Therefore, we would like to inform you that due to the lack of appropriate safeguards, there is a risk of insufficient protection of your data. In this case, the basis for the transfer of personal data is your voluntary consent in accordance with the art. 49 sec. 1 p. A of GDPR.
Moreover, your personal data may be disclosed to competent public authorities if required by the current provisions of the law.
Your personal data may be disclosed to the Controller’s affiliates (companies with capital or personal ties) – viz. Orion Software sp. z o. o. based in Poland, Expofer Servis House s. r. o. based in Czech Republic, to the extent necessary for business collaboration and the performance of contractual obligations.
To track your activity on our website, we use tools such as Google Analytics, Google Search Console, Google Tag, AHRefs, SEMRush, KW Finder, Screaming From, and SERPRobot. They are, however, tools which are used only to collect statistical data and do not collect any of your Personal data.
VII. Security measures
Your personal data are stored and protected in accordance with the principles set out in the provisions of the law in force. The Controller undertakes appropriate measures to:
- prevent data loss, unauthorized access, use, destruction, modification or disclosure;
- ensure appropriate technical and organizational protections;
- protect the personal data according to the risk level and any special category of personal data.
Taking into accounting the current state of technology, costs, nature, scope, context and purposes of the Processing operations, as well as the rights and freedoms of individuals, such activities may include, without limitation, Pseudonymization and encryption of personal data, measures ensuring confidentiality, integrity, availability and resilience, restoration measures, as well as procedures for regular testing, evaluation and assessment of the effectiveness of the security measures used.
VIII. Storage period
Having regard to the overriding principles of the GDPR and especially the principles of restricting the purpose, storage and scope of data, we process your data only for a period no longer than necessary to achieve the purposes of processing and no longer than permitted by the provisions of the law. After achieving the purpose of processing, your data shall be erased, as long as the provisions of the law allow this to be done. Depending on the legal basis for processing, different storage periods may apply.
Your data shall be stored until the statute of limitation runs out on any claims or until the legal obligation to store your data expires (especially obligations arising from the AML Directive and the AML Act).
The personal data of interested parties shall be stored until they withdraw their consent or until the Controller’s response (as long as this is possible in the light of the provisions of the law).
Users and Client’s personal data shall be stored for the duration of the contract, until the claims expire and for 5 years after the end of the business relationship/collaboration.
Visitor’s Personal data, who will not be qualified as Users, Clients and Interested parties, will be stored in compliance with applicable Cookies Policy.
IX. Age policy
Our services are not intended for persons younger than eighteen (18) years of age. We have no intention of processing their personal data. If you are younger than 18, do not use the Controller’s services and do not send us any information about yourself. If we become aware that we have been processing the personal data of a person younger than 18, we shall erase such data as soon as possible.