Coinmotion Oy’s Privacy Policy
as a Controller

Updated 21.6.2021

This Coinmotion Oy’s (hereinafter Coinmotion Oy may also be referred to as ‘we’ or ‘us’) privacy policy describes the personal data processing activities of Coinmotion Oy as the controller (hereinafter ‘Privacy Policy’). This Privacy Policy contains Coinmotion Oy’s records of processing activities as the controller, and it also acts as communication from us to our data subjects (hereinafter our data subjects may also be referred to as ‘you’) through which we inform the data subjects of the ways Coinmotion Oy processes their personal data. Thus, this Privacy Policy contains at least the information that Articles 13, 14 and 30 of the EU’s General Data Protection Regulation (679/2016) (hereinafter ‘GDPR’) require of us.

However, please note that the data controller in relation to any personal data that you provide in relation to the Coinmotion Card is our partner and issuer of the Card, Transact Payments Malta Limited (“TPML”). TPL is an e-money institution, authorised and regulated by the Malta Financial Services Authority. When you apply for a Coinmotion Card, you accept TPML’s Privacy Policy which is provided to you when you sign up for a card, is available within the Coinmotion mobile application and is available in this document below the Coinmotion Privacy Policy. We encourage you to read the TPML Privacy Policy.

Coinmotion Oy aims to ensure that this Privacy Policy is always publicly, transparently and easily applicable at Coinmotion Oy’s websites.

1) CONTROLLER

Name: Coinmotion Oy
Business ID: 2469683-1
Address: Kauppakatu 39, 40100 Jyväskylä

2) PERSON IN CHARGE OF DATA FILES

Name: Jukka Karhapää

Contact details: jkarhapaa@coinmotion.fi

3) CATEGORIES OF DATA SUBJECTS

Coinmotion Oy’s Privacy Policy concerns the following categories of data subjects:

  1. persons who use or wish to use Coinmotion or act as representatives of the legal entities that use or wish to use Coinmotion;
  2. persons who use or wish to use Bittiraha or act as representatives of the legal entities that use or wish to use Bittiraha
  3. persons who use or wish to use Coinmotion instant or act as representatives of the legal entities that use or wish to use Coinmotion instant;
  4. persons who use or wish to use Coinmotion Payments or act as representatives of the legal entities that use or wish to use Coinmotion Payments;
  5. persons who use or wish to use Denarium or act as representatives of the legal entities that use or wish to use Denarium;
  6. persons who use or wish to use Bittimaatti or act as representatives of the legal entities that use or wish to use Bittimaatti;
  7. persons who are employed by Coinmotion Oy or seek employment from Coinmotion Oy; and
  8. persons who contact us through email or other similar means.

4) CATEGORIES OF PERSONAL DATA

The data files concerning the data subjects of Sections 3.1) – 3.7) may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers and e-mail addresses;
  • nationality, age, gender, title or profession and mother tongue;
  • employment history;
  • personal identification numbers;
  • bank account data;
  • cryptocurrency ownership data;
  • information relating to our Know Your Customer and anti-money laundering policies, such as the reason for the use of our services, the political status of a person and the identification data of a person;
  • user information, such as username, password and other unique identification browsing;
  • search information and other information concerning your use of our services;
  • information regarding the customer relationship, such as billing and payment information, product-, service- and ordering information, information regarding customer feedback, contacts and cancellation;
  • data about your device, such as information about the device you use, the type of your device, your IP-address and various diagnostic data;
  • location information, such as GPS-coordinates, data of your wireless connection (SSID) and strength of your Wi-Fi signal; and
  • possible other information gathered with the data subject’s consent.

The data files concerning the data subjects of Section 3.8) may contain the following categories of personal data:

  • contact information, such as full name, address, phone numbers and e-mail addresses;
  • data about your device, such as information about the device you use, the type of your device, your IP-address and various diagnostic data; and
  • any other information provided by the person contacting us.

5) PURPOSE OF THE PROCESSING OF PERSONAL DATA

Personal data of the data subjects of Sections 3.1) – 3.6) can be handled for the following purposes:

  • management and development of the customer relationship;
  • customer service;
  • for improving our user experience;
  • profiling;
  • marketing;
  • to enable us to comply with our legal and regulatory obligations; and
  • analysis and statistics.

Personal data of the data subjects of Section 3.7) can be handled for the following purposes:

  • management and development of the employee and jobseeker relationships;
  • management of employment contracts and other related matters.
  • customer service;
  • for improving our user experience;
  • to enable us to comply with our legal and regulatory obligations; and
  • analysis and statistics.

Personal data of the data subjects of Section 3.8) can be handled for the following purposes:

  • management of contacts;
  • customer service;
  • for improving our user experience;
  • marketing;
  • to enable us to comply with our legal and regulatory obligations; and
  • analysis and statistics.

6) LEGAL BASIS FOR PROCESSING

The controller has the right to process the personal data of the data subjects, depending on the situation at hand, based on the:

  • consent received from the data subjects;
  • performance of a contract in which the data subject acts as the contact person of the organizer;
  • legitimate interests pursued by the controller or by a third party; or
  • legal obligation to which the controller is subject.

7) REGULAR SOURCES OF INFORMATION

Information regarding the data subjects are regularly gathered:

  • from data subjects themselves via phone, internet, e-mail or in other similar fashion;
  • with cookies and other similar technology;
  • by Coinmotion Oy’s other Finnish affiliate companies; and
  • from the Population Register Center/Population Information System, Posti’s address database, phone companies’ databases and other similar private and public registries.

8) PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

8.1) We shall retain the data of the data subjects of Section 3.1) – 3.6) for a period of five (5) years following the end of customer relationships.

8.2) We shall retain the data of our employees of Section 3.7) for a period of ten (10) years following the end of their employment in our company, because we have a legal obligation to provide our former employees with references during that period.

8.3) We shall not retain the data of the jobseekers of Section 3.7) if the data subjects do not explicitly give us their consent to do so. Having received such a consent, we may retain the data of the data subjects for a period of six (6) months following explicit consent.

8.4) We shall retain the data of the data subjects of Section 3.8) for a period of one (1) year following the contact.

8.5) However, we may retain the data of the data subjects of Sections 3.1) – 3.8) for longer than is described above, where is necessary for the purpose of criminal investigation, pending judicial proceedings or securing the rights of parties subject to the reporting obligation or persons employed by them. The data subject concerned has no right of access to the data gathered.

8.6) The controller inspects annually the necessity of the stored customer data.

9) CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The recipients of personal data may consist of the following categories:

  • Coinmotion Oy’s affiliate companies;
  • parties who offer cloud services for data storage;
  • parties who offer accounting and auditing services; and
  • parties who help Coinmotion Oy to fulfill its legal obligations.
  • Banking partners and other parties involved in money transfers and transactions

10) REGULAR DISCLOSURE OF DATA AND INFORMATION TRANSFER OUTSIDE OF EU OR THE EUROPEAN ECONOMIC AREA

Some of the recipients of personal data described in Section 9 are located in the United States of America and Australia. When transferring personal data those parties, Coinmotion Oy shall ensure that the personal data is provided adequate security measures, e.g. by ensuring that the receiving party has an EU-U.S. Privacy Shield certificate or that the party has signed a valid standard data protection clause with us.

11) DATA SUBJECTS’ RIGHTS

The data subject has a right to use all of the below mentioned rights.

The contacts concerning the rights shall be submitted to the person in charge of the data file stated in Section 2. The rights of the data subject can be put into action only when the data subject has been satisfactorily identified.

Right to inspect

Having presented the adequate and necessary information, the data subject has the right to know what, if any, data the controller has stored of her/him into this register. While providing the requested information to the data subject, the controller must also inform the data subject of the register’s regular sources of information, to what are the personal data used for and where is it regularly disclosed to

Right to rectify and erasure

The data subject has a right to request the controller to rectify the inaccurate and incomplete personal data concerning the data subject.

The data subject can request the controller to erase the personal data concerning the data subject, if:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based on;
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

Let it be known that the data subjects’ rights to rectify and erase data does not concern the data which the controller must retain due to its legal obligations.

If the controller does not accept the data subject’s request to rectify or erase the personal data, it must give a decision on the matter to the data subject in a written form. The decision must include the reasons for which the request was not granted. The data subject may refer the matter to the relevant authorities (the Data Protection Ombudsman in Finland).

The controller must inform the party to whom the controller has disclosed the personal data to or has received the personal data from of the rectification or erasure of personal data. However, there is no such obligation where the fulfilment of the obligation would be practically impossible or otherwise unreasonable.

Right to restriction of processing

The data subject can request the controller to restrict the processing of the personal data concerning the data subject where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If the controller has based the restriction of the processing of personal data on the abovementioned criteria, the controller shall give a notification for the data subject before removing the restriction.

Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning her/him for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to data portability

The data subject shall have the right to receive the personal data concerning her/him, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

However, the data subject shall not have the aforementioned right if the decision is:

  • necessary for entering into, or performance of, a contract between the data subject and us;
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • is based on the data subject’s explicit consent.

Right to withdraw consent

Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw her/his consent.

12) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The complaint can be lodged in the Member State of her/his habitual residence, place of work or place of the alleged infringement.

13) COOKIES

Our service uses cookies which are used in order to make it more user-friendly and anonymously track your use of the Service. This is a standard policy regarding most websites.

Cookies are small text files that a website stores on your device when you browse that website. Cookies store data of your website use.

Cookies are not used for identifying a person.

You can control and/or remove cookies freely at the individual browser level. Instructions can be found for example in here: aboutcookies.org

In order to improve our service, we gather, measure and analyze data concerning your use of the service including (but not limited to) activity, page views, unique visitors and bounce rate.

Cookies Policy

When you visit this site, your device will automatically receive one or more cookies which are sent from our site to your browser. We also use tracking pixels and other similar tracking technologies to improve your user experience and to show you advertisements that are of potential interest. We will refer to these generally as ‘cookies’ from now on.

What are cookies?

A cookie is a small text file. Cookies are divided into session-based and permanent cookies. Session-based cookies are deleted when you end the browsing session. Permanent cookies stay on your device for a predefined amount of time, after which they are deleted. These cookies can renew each time when you visit a site that uses cookies.

Types of cookies

Cookies are divided in first-party and third-party cookies. First-party cookies belong to the web- or mobile service that you are visiting. Third-party cookies belong to a third party, such as a web analytics program.

Why do we use cookies?

We use cookies to collect information on, for example, how you use the site, what kind of products and services interest you, or if you have visited our site before. We use this information to create even better user experience than before and to track the use of our services. The information is also used for developing our products and services, and to better target our marketing. Therefore our site is able to remember your settings and preferences in regards of the service use, and is able to offer content that we believe is interesting to you. With the information we collect with cookies we are not able, nor will we strive to recognize you.

For how long do cookies stay on my device?

The period of the cookies staying on your device varies according to the type of cookie and its function. We store your information for as long as it’s necessary for a certain function, or until we can assume that the information is no longer needed. For example, when you visit an online store, a cookie will save the information of your shopping cart. If you wish to return to the online store and continue shopping, you don’t have to make the same selections you did before. The cookie will store your information for as long until we can assume that you will not be returning to shopping anymore.

Can I visit the site, if the use of cookies is declined?

Yes, you can use the site even if the use of cookies is declined. Please notice that some functions, such as shopping cart, questionnaires, and certain tools require the acceptance of cookies and might function worse, or not at all, if the use of cookies is declined.

How can I decline the use of cookies or delete cookies?

Most browsers accept cookies by default. You can change the settings of your browser to not accept cookies, or to delete cookies from your device. The deletion of cookies will not end the usage of cookies completely. If you don’t want cookies on your device, you can use the private browsing mode found in most browsers. Different browsers use different methods for controlling cookies. You can change the settings as guided by the browser service. We do not take responsibility for this guidance.

We also use third-party cookies. You can stop Google from collecting information by downloading and installing an application in your browser, available here or you can use other tools designed for blocking marketing and user tracking.

The third-party cookies and the information they collect

We use third-party cookies for the purposes mentioned above. For example, we use Google’s tools and analytics to target our marketing and to get information of the usage of our site. We also use social media plugins, which allow the functioning of our service, for example, with Facebook and Twitter. This means that when you visit our site, the service providers can attach cookies on your device. Third parties can recognize you by the information collected by the cookies.

We use Facebook pixel to collect information about your movements between Facebook and our site. This will help us to target the marketing of our services and products which we believe you will like, according to your previous visits on our site.

We are not responsible for third parties’ handling of information, cookies, or other techniques of tracking. In these cases, the terms of use and the security procedures of the third parties will be applied. We suggest you to study the third parties’ terms of use and the security procedures (Google, Facebook, Twitter, LinkedIn, Reddit, YouTube, Pinterest).

14) PROFILING

We can make customer profiling with a crosscheck method. The data for crosscheck will be gathered from our own databases. We can for example profile customers based on their country codes. Profiling may have effects on the data subject’s right to use our services. The data is being processed by our company employees.

15) SECURITY OF PROCESSING

We implement at least the following technical and organizational measures to ensure appropriate level of safety to the processing of personal data:

  • the entry to our servers and other related databases is strictly limited;
  • our servers are reduplicated and we keep backup copies of our data, which means that it is easy for us to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • we have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • we use external audits in evaluating the data processing in our systems and all changes to the source code of the production system are reviewed by several people before the code is updated to the production system.

16) DATA PROTECTION PRINCIPLES

Coinmotion Oy uses all reasonable efforts to maintain physical, electronic, and administrative safeguards to protect personal information from unauthorized or inappropriate access, but Coinmotion Oy note that the Internet is not always a secure medium. Coinmotion Oy restricts access to information about data subjects only to the personnel of Coinmotion Oy that need to know the information e.g. for responding to inquiries or requests made by the data subjects.

17) TPML Privacy Policy

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

We are committed to safeguarding the privacy of your information. By “your data”, “your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.

We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.

Who are we?

Transact Payments Malta Limited (“TPML”, “we”, “our” or “us”) is the issuer of your payments card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPML is a private limited liability company incorporated and registered in Malta with company registration number C91879 and registered address at Vault 14, Level 2, Valletta Waterfront, Floriana, FRN 1914, Malta. TPML is authorised by the Malta Financial Services Authority as an Electronic Money Institution.

How do we collect your personal data?

Information is collected from you when you apply in person, online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. 

On what legal basis do we process your personal data?

Contract

Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.

Legal/Regulatory 

We may also process your personal data to comply with our legal or regulatory obligations.

Legitimate Interests 

We, or a third party, may have a legitimate interest to process your personal data, for example:

  • To analyse and improve the security of our business;
  • To anonymise personal data and subsequently use anonymized information.

What type of personal data is collected from you?

When you apply for a card, we, or our partners on our behalf, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.

When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account. 

How is your personal data used?

We use your personal data to: 

– set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.

– maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud, providing customer services and providing a secure internet environment for the transmission of our services.

– comply with our regulatory requirements, including anti-money laundering obligations.

– improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.

Who do we share your information with?

When we use third party service providers, we have a contract in place that requires them to keep your information secure and confidential.

We pass your information to the following categories of entity: 

  • identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
  • information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
  • payment networks and payment service providers;
  • document destruction providers;
  • anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
  • any third party as a result of any restructure, sale or acquisition of TPML or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
  • regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law requires us to do so.

Sending personal data overseas

To deliver services to you, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), e.g.:

  • with service providers located outside the EEA;
  • if you are based outside the EEA;
  • where there is an international dimension to the services we are providing to you.

These transfers are subject to special rules under European and Malta data protection law.

These non-EEA countries do not have the same data protection laws as Malta and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the European Commission has made an adequacy decision, meaning that it has ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about this here.

Where we send your data to a country where the European Commission has not made an adequacy decision, our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses, please go to the European Commission’s website

If you would like further information, please contact our Data Protection Officer on the details below.

How long do we store your personal data?

We will store your information for a period of 5 years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If applicable legislation requires us to retain your data for a longer period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.

Your rights regarding your personal data?

You have certain rights regarding the personal data which we process: 

  • You may request a copy of some or all of it.
  • You may ask us to rectify any data which we hold which you believe to be inaccurate.
  • You may ask us to erase your personal data.
  • You may ask us to restrict the processing of your personal data.
  • You may object to the processing of your personal data.
  • You may ask for the right to data portability.
  • If you would like us to carry out any of the above, please email the Data Protection Officer at DPO@transactpaymentsltd.com.

How is your information protected?

We implement security policies and technical measures in order to secure your personal data and take steps to protect it from unauthorised access, use or disclosure. 

While we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Complaints

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information. 

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Malta is the Office of the Information and Data Protection Commissioner. Their contact details are as follows:

IDPC, 

Floor 2, Airways House, Triq il-Kbira, Tas-Sliema, SLM1549, Malta.

(+356) 23287100 / info@idpc.org.mt

Other websites

Our website may contain links to other websites. This privacy policy applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

Changes to our Privacy Policy

We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was issued on 1st May 2021.

How to contact us

If you have any questions about our Privacy Policy or the personal information which we hold about you, please send an email to our Data Protection Officer at DPO@transactpaymentsltd.com.