Privacy Policy

1. INTRODUCTION

 

This Personal Data Processing Policy ("Privacy Policy") governs the collection, processing, and protection of personal data and the use of cookies and similar tracking technologies on the Carpathian Chain sp. z o.o. website, including any affiliated subdomains and mobile versions (collectively, the "Platform").

 

By accessing or continuing to use the Platform, you acknowledge that you have read, understood, and agreed to the terms set forth in this Privacy Policy.

 

2. DATA CONTROLLER

 

The controller of your personal data is Carpathian Chain sp. z o.o., a limited liability company incorporated under the laws of Poland, with its registered office at ul. Piotrkowska 116/52, 90-006 Łódź, Poland, registered in the National Court Register (KRS) under number 0001141644, NIP: 7252350111, REGON: 540310366 (hereinafter, the "Company"). The Company has appointed a Data Protection Officer (DPO), who can be contacted at privacy@cryptonara.com for all matters related to data protection.

 

For any inquiries regarding personal data processing, you may contact us at: privacy@cryptonara.com

 

3. CATEGORIES OF PERSONAL DATA PROCESSED

 

A. Personal Data Processed in Connection with the Provision of Services

 

• Categories of Data: Identifying information (name, surname, date of birth), contact details (email address, phone number), address, payment card details, cryptocurrency wallet information, and, where applicable, identity verification documents required for compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.

 

• Purpose: Execution and performance of contractual obligations, provision of customer support, enhancement of security, fraud prevention, transaction monitoring and legal compliance.

 

• Legal Basis: Processing is necessary for the performance of a contract to which the data subject is a party (Art. 6(1)(b) GDPR); Compliance with legal obligations, including AML/KYC regulations (Art. 6(1)(c) GDPR); Legitimate interests pursued by the Company, including fraud prevention, dispute resolution, and platform optimization (Art. 6(1)(f) GDPR).

 

B. Personal Data Processed for Marketing Purposes

 

• Categories of Data: Name, surname, email address, and any personal data voluntarily provided in communications.

 

• Purpose: Providing promotional information about the Company’s services, responding to inquiries, and offering personalized marketing communications.

 

• Legal Basis: Legitimate interest in promoting the Company’s services (Art. 6(1)(f) GDPR); Consent for direct marketing communications, which may be withdrawn at any time (Art. 7(3) GDPR).

 

C. Additional Data Processing

 

The Company may process certain data in connection with social media communication addressed to you. In such cases the Company processes personal data provided by you through a social media platform for communication purposes. The legal basis is our legitimate interest in responding to your inquiries and in direct marketing of our Services.

 

The Company also collects certain data points which, depending on individual circumstances, may or may not be classified as personal data. These include data points such as IP address, information on User’s activity on the Platform, e.g. the order in which the page is viewed or technical information about the device from which the User logs in, parameters of software and hardware used by the User, pages viewed, mobile device identification number, and other data on devices and use of systems. Such information does not usually allow for unique identification of the User. This kind of information allows us to keep statistics and adapt the Platform to the User's preferences, as well as to ensure security and to prevent fraud on the Platform. Insofar as such data may constitute personal data, the Company ensures adequacy of information and data minimization. The legal basis for such processing is our legitimate interest in improving operation of the Platform, as well as detecting and preventing fraud.

 

D. Data Collection from Third-Parties

 

In addition to data provided directly by users, the Company may collect personal data from publicly available sources, business partners, affiliates, and third-party service providers. This includes verification data from identity verification services, credit agencies, and compliance databases, which is used to fulfil regulatory obligations and for fraud prevention purposes.

 

In addition to data provided directly by users, the Company may collect personal data from publicly available sources, business partners, affiliates, and third-party service providers. This includes verification data from identity verification services (such as Sumsub), credit reference agencies, sanctions and PEP databases, and compliance tools.

 

The Company processes this data for the purposes of fulfilling its legal obligations under applicable financial and anti-money laundering laws, fraud prevention, and ensuring regulatory compliance.

 

Where personal data is obtained indirectly, data subjects are informed in accordance with Article 14 GDPR unless an exemption applies (e.g., data subject already has the information, or providing the information proves impossible or would involve disproportionate effort).

 

Categories of such data may include identity verification status, sanctions screening results, source of funds indicators, and risk scoring metrics. The legal basis for such processing is Article 6(1)(c) GDPR (legal obligation) and Article 6(1)(f) GDPR (legitimate interests).

 

E. Special Categories of Data

 

The Company does not intentionally collect special categories of personal data, including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership. However, in exceptional cases where processing of such data is necessary, explicit user consent will be obtained, or processing will be conducted as permitted by law. 

 

4. DISCLOSURE OF PERSONAL DATA

 

The Company may share personal data with:

 

• Data Processors: Third-party service providers engaged for data hosting, CRM solutions, analytics, advertising, and customer support, acting strictly under the Company’s instructions.

 

• Regulatory and Law Enforcement Authorities: Where required under applicable legal obligations or pursuant to a valid court order or administrative request.

 

• Affiliated Entities: Companies within the Carpathian Chain corporate structure where necessary for service provision, compliance, or legitimate business purposes.

 

Personal data is not sold or otherwise made available to third parties for independent commercial use.

 

5. THIRD-PARTY DATA PROCESSORS 

 

To provide and optimize our services, the Company shares personal data with third-party service providers who process data on our behalf. These include:

 

• Cloud Hosting Providers: Secure data storage and hosting solutions (e.g., AWS).

 

• Payment Processors: Handling transactions and fraud prevention.

 

• Identity Verification Services: Conducting KYC/AML checks for regulatory compliance. The Company engages Sumsub Ltd. as a processor under Article 28 GDPR for customer due diligence procedures. Sumsub operates under a data processing agreement with appropriate technical and organisational safeguards, including encryption, access control, and data minimization.

 

• Analytics & Performance Monitoring: User behaviour analysis and platform optimization. 

 

• Marketing & CRM Platforms: Sending communications and managing customer relationships. Marketing & CRM platforms are used to manage communications with users who have opted in to receive marketing updates.

 

All third-party processors operate under strict confidentiality agreements and are contractually required to implement appropriate security measures.

 

6. DATA TRANSFERS TO THIRD COUNTRIES

 

Personal data may be transferred outside the European Economic Area (EEA) and the United Kingdom in connection with cryptocurrency exchanges, custodial services, and fraud prevention mechanisms. Where feasible, the Company identifies the specific recipient country of the transfer. For example, data transferred to Sumsub or other processors outside the EEA is protected through Standard Contractual Clauses, and supplementary measures where required. Data subjects may request a copy of the safeguards used by contacting privacy@cryptonara.com.

 

Transfers are conducted under one or more of the following safeguards:

 

• An adequacy decision by the European Commission confirming an adequate level of data protection in the recipient country;

 

• Standard Contractual Clauses (SCCs) approved by the European Commission; and

 

• Binding Corporate Rules (BCRs) where applicable.

 

7. DATA SECURITY MEASURES

 

The Company implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

 

• Encryption: Sensitive data, such as financial information and authentication credentials, is encrypted both at rest and in transit.

 

• Access Controls: Role-based access restrictions ensure that only authorized personnel can access personal data.

 

• Security Audits: The Company conducts regular security audits, penetration testing, and vulnerability assessments.

 

• Incident Response Plan: In the event of a data breach, the Company will promptly notify affected users and relevant supervisory authorities in accordance with GDPR Articles 33 and 34.

 

• Data Minimization & Anonymization: Where possible, the Company limits the amount of personal data collected and uses pseudonymization or anonymization techniques.

 

All third-party service providers, including hosting, KYC/AML processors, and payment partners, are contractually obliged to implement equivalent levels of security. Data protection impact assessments (DPIAs) are conducted where appropriate, especially in connection with high-risk processing activities such as customer due diligence and fraud monitoring.

 

 

 

8. DATA RETENTION PERIOD

 

Personal data is retained only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, in accordance with the principle of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR).

 

Retention periods for different categories of personal data are as follows:

 

• Contractual Relationships: Personal data is retained for the duration of the contract and for up to five (5) years after termination to comply with legal and regulatory obligations, including record-keeping requirements.

 

• AML/KYC Compliance: Personal data collected for anti-money laundering (AML) and know-your-customer (KYC) purposes is retained for five (5) years following the end of the business relationship or the last transaction, as required under applicable financial and anti-money laundering regulations.

 

• Marketing Data: Personal data processed for marketing purposes is retained until consent is withdrawn or for a maximum period of five (5) years from the last interaction, unless a shorter period is required by law. Users can opt out of marketing communications at any time.

 

• General Operational Data: Data that is no longer necessary for the stated purposes will be securely deleted, anonymized, or aggregated in accordance with GDPR requirements.

 

If a longer retention period is required by law or necessary to establish, exercise, or defend legal claims, data may be retained accordingly.

 

For more information on specific retention periods, users may contact privacy@cryptonara.com.

 

 

 

9. DATA SUBJECT RIGHTS

 

You have the following rights under the General Data Protection Regulation (GDPR):

 

• Right of access (Art. 15 GDPR);

• Right to rectification (Art. 16 GDPR);

• Right to erasure (‘right to be forgotten’) (Art. 17 GDPR);

• Right to restrict processing (Art. 18 GDPR);

• Right to data portability (Art. 20 GDPR);

• Right to object to processing (Art. 21 GDPR);

• Right to withdraw consent at any time (Art. 7(3) GDPR);

• Right to lodge a complaint with the Polish Data Protection Authority or any other competent supervisory authority.

 

If you wish to exercise any of the rights listed in Section 9, you may do so by:

 

• Submitting a written request to: privacy@cryptonara.com.

• Including the following details:

o Your full name and contact details

o A description of your request (e.g., data access, deletion, restriction)

o Proof of identity (to prevent unauthorized access to your data)

 

The Company will respond within one month of receiving your request, as required by GDPR Article 12(3). If your request is complex or requires additional verification, the Company may extend this period by an additional two months, in which case you will be notified.

 

Generally, requests are processed free of charge. However, if requests are manifestly unfounded or excessive, the Company may charge a reasonable administrative fee.

You may also visit the Polish Data Protection Authority (UODO) website at https://uodo.gov.pl/ for more information about your rights or to lodge a complaint directly.

 

10. AUTOMATED DECISION-MAKING & PROFILING

 

The Company does not engage in fully automated decision-making that produces legal effects or similarly significant consequences for individuals. However, the Company uses automated systems for fraud detection, transaction monitoring, and AML risk assessments, which are always subject to meaningful human review.

 

These systems analyse user behaviour, transaction patterns, and verification inputs to detect suspicious activity or flag high-risk cases. For example, users with risk factors such as location, transaction volume, or sanctions alerts may be asked to provide additional documents or may be temporarily restricted pending review.

 

The outcome of such profiling may influence whether the user is onboarded or permitted to transact. However, no final decisions are made without human oversight.

 

Your rights in connection with such profiling include:

 

• The right to obtain meaningful information about the logic involved;

• The right to express your point of view and contest the decision;

• The right to request human intervention.

 

To exercise these rights, contact us at privacy@cryptonara.com.

 

11. REQUIREMENT TO PROVIDE DATA

 

Provision of your personal data is necessary for:

 

• the conclusion and performance of the agreement concluded with the Company, and the consequence of not providing your personal data will be the inability to conclude and perform the agreement concluded with the Company;

 

• provision of platforms by the Company, and the consequence of not providing your personal data will be the lack of provision of Services;

 

• processing of complaints, requests or appeals and the consequence of your failure to provide your personal data will be the inability to process the complaint, request or appeal; and

 

• receipt of offers or marketing of products offered or services provided by the Company, and the consequence of your failure to provide your personal data will be the inability to receive such offers or marketing of products or services.

 

12. ADDITIONAL INFORMATION

 

The Company reserves the right to make changes to the platform's privacy policy, which may be affected by developments in Internet technology, possible changes in data protection laws and the development of our platform. The Company will inform you of any changes in a visible and understandable manner.

 

Links to other websites may appear on the platform. Such websites operate independently of the platform and are not supervised by the Company in any way. These websites may have their own privacy policies and regulations, with which the Company recommends that you familiarize yourself.

 

This Privacy Policy is also available in the Polish language to ensure transparency for users located in Poland. In case of any inconsistency between the English and Polish versions, the Polish version shall prevail for residents of Poland.

 

13. CONTACT INFORMATION

 

For any questions regarding this Privacy Policy, please contact:

 

Carpathian Chain sp. z o.o.

ul. Piotrkowska 116/52

90-006 Łódź, Poland

 

14. COOKIES AND TRACKING TECHNOLOGIES 

 

The Platform uses cookies and similar technologies (such as pixels or local storage) to enhance your experience, measure performance, and support security. Cookies may be set by the Company or third parties such as analytics providers or advertising networks.

 

The use of non-essential cookies requires your consent in accordance with the Polish Telecommunications Law and the ePrivacy Directive. You may manage your preferences at any time via our Cookie Banner or browser settings.

 

For more information, please refer to our Cookie Policy or contact us at privacy@cryptonara.com.