Last Updated: 18 June 2026
IMPORTANT NOTICE: This website and the products or services described herein are intended solely for corporate clients, merchants, and partners, acting in their trade, business, craft, or profession, and not for individual consumers (natural persons acting outside their trade, business, craft, or profession). Access to this website in any jurisdiction does not constitute an offer or solicitation to provide services. Our products and services may only be acquired under a separate written agreement with us and are subject to applicable legal restrictions on payments and crypto-assets. In providing services to our clients, we may process personal data and personal information relating to visitors, users, merchants, partners, and their associated natural persons – including directors, shareholders, employees, and end-customers – as described in this Privacy Policy. Please read this Privacy Policy, our Standard Terms and our Risk Warning carefully.
About this Privacy Policy
Protecting the privacy of our website visitors, partners and clients is an essential priority at Bitpace (“we”, “us”, or “our”), and we are committed to maintaining strong, meaningful privacy protections. The privacy of your information is a significant responsibility, and we value the trust you place in us.
In particular, we would like to inform you, among others, of the nature, scope and purpose of the personal data we collect, use, and process via our website https://www.bitpace.com/, our sandbox environment and our services. Furthermore, we would like to inform you about the personal data-related rights to which the corresponding data subject is entitled.
This Privacy Policy is provided in line with the requirements of privacy laws such as Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), as well as the applicable local legislation in Bulgaria and Estonia. Where personal information of individuals located in Canada is collected or processed by Bitpace CA (as defined below) in the course of commercial activities, this Privacy Policy is also provided in compliance with Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and, to the extent applicable, provincial privacy legislation in Canada. Where personal data is collected or processed by Bitpace KM (as defined below), this Privacy Policy is also provided in compliance with the Protection of Personal Data Law, 2021 of the Union of Comoros.
When referring to “you” or “your”, we mean separately and collectively any visitor or user of this website or the sandbox environment or user of our services as a data subject, as well (if the context allows doing so) as any merchant or partner that is employing or receiving services from such a user.
You can find the contact details of the competent supervisory authority for data protection in each jurisdiction part of the European Economic Area (“EEA”) at https://edpb.europa.eu/about-edpb/about-edpb/members_en. Where this Privacy Policy is provided in compliance with PIPEDA, individuals in Canada may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or the applicable provincial privacy commissioner, for information about their privacy rights.
By accessing and using our website, sandbox environment and/or our services, you hereby declare that you have read and understood the terms of this Privacy Policy. You may also confirm that you are familiar with this Privacy Policy by ticking/clicking to accept on and/or otherwise selecting and/or indicating that you have read and agreed to this Privacy Policy.
If you are acting on behalf of a merchant or a partner, when you provide us with personal data of related persons to that merchant or partner, such as shareholders, directors, employees, authorised representatives or users, contractors, end-customers, or any other related natural person (“related persons”), you declare that you have the right or you are authorised to do so and, when you are so required by applicable privacy laws, you should have made them aware of this Privacy Policy.
Unless we otherwise agree with you in writing, if you do not consent to any part of this Privacy Policy, please do not use our website, sandbox environment and our services.
Who are we
The Bitpace entity with which you have a service agreement or other direct contractual relationship, have commenced our registration procedures, or granted you use of the sandbox environment, will be considered the sole controller of your personal data. The following companies are each referred to in this Privacy Policy as “Bitpace”:
- Q500 Canada Inc. (“Bitpace CA”), a corporation incorporated under the laws of Ontario, Canada, with a registered address at 181 Bay St., Suite 1800, Toronto, ON M5J 2T9, Canada; registered as a money services business (“MSB”) with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17 (“PCMLTFA”), FINTRAC registration number C100000531; this entity acts as the accountable organisation under PIPEDA for personal information collected in the course of Bitpace’s Canadian commercial activities.
- Chiral Limited (“Bitpace KM”), a private limited company, incorporated in the Union of the Comoros (company number HA00724762), with a registered address at Bonovo Road, Island of Moheli, P.B.1257, Fomboni, Comoros, operating under an International Brokerage and Clearing House License issued by the Mwali International Services Authority (MISA) in the Union of the Comoros.
- Q500 Europe EOOD, a private limited company, incorporated in Bulgaria (company number UIC 206635600) with a registered address at Evropark building, 40 Tsarigradsko Shose Blvd., 2nd floor, 1750 Sofia, Bulgaria.
- Q500 Estonia OÜ, a private limited company, incorporated in Estonia (registry code 16564979) with a registered office at Maakri tn 19/2, Tallinn 10145, Estonia.
For individuals who are exclusively website visitors and are not acting as employees or service providers for a merchant, nor have access to the sandbox environment, the Bitpace entities listed above will serve as joint controllers throughout the duration of that visitor status.
For clarity, the Bitpace entities listed above may serve also as data processors. Where a Bitpace entity acts as a data controller, it may engage other listed Bitpace entities to perform processing activities. Notwithstanding the foregoing, Bitpace entities established in the EEA or Canada will not subcontract the processing of personal data to Bitpace KM. Furthermore, other affiliated Bitpace entities not specified above may process personal data as subcontractors.
How to contact us
Any data subject may, at any time, contact our Data Protection Officer and us via the email below with any questions or suggestions concerning privacy and data protection.
Address: Please refer to each registered entity’s address above.
Email: [email protected]
You can review, correct, update, or change your personal information (or if you are a merchant or a partner – the information of your related persons) that you have provided to us, opt out or opt in (as applicable) of receiving certain emails by changing the relevant settings in your account/service profile (if technically available) or making the corresponding request by emailing us at [email protected]. However, please note that the deletion of your personal information may be carried out only where certain conditions (as per applicable laws) are satisfied (e.g., after the retention period has elapsed).
You can unsubscribe from receiving marketing emails from us; however, you cannot opt out of receiving emails related to the status or maintenance of your account/service profile. If you have questions or concerns regarding this Privacy Policy, please email us at [email protected]. Individuals in Canada may direct privacy inquiries to our Canadian Privacy Officer at [email protected], referencing their Canadian inquiry. Our Canadian Privacy Officer is the designated individual responsible for Bitpace’s compliance with PIPEDA with respect to personal information under Bitpace CA’s control.
Definitions
In this Privacy Policy, in addition to other terms defined elsewhere in this Privacy Policy or our applicable Standard Terms, we use the following defined terms:
“Personal Data” is any information relating to an identified or identifiable natural person;
“Data Subject” is any identified or identifiable natural person;
“Processing” is any operation or set of operations that is performed on personal data or sets of personal data;
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
“Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
For individuals in Canada, “Personal Information” has the same meaning as “Personal Data” as used in this Privacy Policy and refers to information about an identifiable individual, as defined under PIPEDA and applicable Canadian provincial privacy legislation. All references to “personal data” in this Privacy Policy should be read as including “personal information” where Canadian privacy law applies.
Information we may collect automatically through cookies and other technologies
While browsing or using certain features on our website, and through the use of cookies, we collect personal data. We may collect information about the products or services you looked at or searched for, and the website’s functions you used, including time spent and other statistical information. Certain types of information may be collected automatically, for example, when you interact with the website or use our services. This information does not necessarily reveal your personal identity directly but may include information about the specific device you are using, such as device ID, operating system, web browser (such as Chrome, Firefox, Safari, or Internet Explorer) and your IP address/MAC address/device identifier.
For example, we automatically receive and record information on our server logs from your browser, including how you came to and used the services; your IP address; device type and unique device identification numbers; device event information (such as browser type, browser language, the date and time of your request and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. How your device has interacted with our website, including pages accessed and links clicked, may be automatically collected. Bitpace may use identifiers to recognise you when you arrive at the website via an external link, such as a link appearing on a third-party site.
Please refer to our Cookie Policy for additional information on how to manage our use of cookies.
What personal data do we collect and process
We collect personal data about you and, when you are a merchant or a partner, about persons related to you (such as beneficial owners, directors, authorised representatives of the merchants or our partners or other data subjects related to such businesses).
Among others, the personal data that we may collect includes:
- When you register on our website and create an account/service profile: full name, your business name, your email address, and your country for the registration.
- When you submit a general inquiry on our website: full name, email address and any other personal data you may have added in the message box.
- With regards to related persons’ personal identification information: full name, date of birth, photograph, full colour copies of national ID, phone number, email address, national ID number and postal address.
- When processing a crypto-asset payment for the merchant: (i) related person of a merchant that is dealing with the merchant’s transaction, such as user details of the related person for signing in on Bitpace; or (ii) merchant’s end-customer: email address, Internet Protocol (IP) address, wallet address (as long as they can be linked to an individual and considered personal data). Please note that the merchant’s end customer’s full name may be passed by the merchant to us, but it may not be mandatory.
- With regards to relationship details: relationship with the merchant or partner concerning the related persons, business information (role, capacity or title), business contact details.
- When completing our application form: non-personal data for the merchants or partners, such as legal name, trading name, company registration number, registered address, operational address, country and date of incorporation, business type, etc. However, our application form also requires information about individuals related to the merchant or partner such as, (i) primary contact name, phone and email address; (ii) shareholders/beneficial owners, directors, authorised signatories’ full name, date of birth, nationality, residential address, position, percentage of ownership (if individual shareholder/beneficial owner); (iii) source of wealth.
- While onboarding or dealings with you, including through completing due diligence, when administering transactions and carrying out reviews, when contacting us, when using the Bitpace platform or applications, and from publicly available sources or third parties: national identity card details, passport numbers, driver’s licence details and/or photographic identification cards, and utility bills of the merchant’s or partner’s related persons, source of wealth of beneficial owner(s), compliance and background checks, reputational data and adverse media.
- When acting as both a beneficiary and a recipient, the personal data collected under the travel rule includes name, account or wallet address (to the extent it can be linked to an individual), and potentially other identifying information like address, date of birth, or national ID number, especially for transactions over a certain threshold.
- When (to the extent applicable to the corresponding Bitpace entity) completing the self-certification form for the Crypto-Asset Reporting Framework (CARF) or similar: regarding the corresponding controlling individual. This is the full name, date of birth, residential address, country/jurisdiction of residence, tax identification number (TIN) (each of them as the case may be), and tax residency.
- While tracking transaction history: crypto-asset transaction history, transaction amount and wallet addresses.
- With regards to online trackers (all visitors and users): browser name, version and fingerprint, IP address and geolocation, should you choose to enable these, following our Cookie Policy as laid above.
We also collect other information you choose to provide our personnel or support team, including while reacting to our social media posts where you mention or address Bitpace (or its services).
Bitpace collects personal data directly from the merchant or partner and related persons and from other sources described below:
- We will check our own records for information about (i) any accounts/service profiles belonging to the merchant or partner or any associated businesses and (ii) the merchant’s or partner’s shareholders who might or might not be beneficial owners of the businesses.
- We may carry out searches using compliance tool platforms or applications and/or financial crime prevention agencies, for information relating to the merchant’s or partner’s business and related persons.
- We may search publicly available sources, such as media stories, social media, online search engines, companies’ registries and other public registries or records for information relating to the merchant’s or partner’s business and related persons.
- We may also get personal information from your providers or other third parties when authorised or engaged by you.
We would also like to highlight that some of the information that we may collect might fall into special categories of personal data (also known as sensitive personal data). For example, the client due diligence checks we carry out may reveal political opinions or information about criminal convictions or offences of the merchant or partner and the persons related to them. In addition, if incorrect information is provided or fraud is suspected, we will record this. We may also pass this information to financial crime prevention agencies, where it may be accessed by law enforcement agencies globally.
We may also collect any other personal data, not listed or quoted in this Privacy Policy, in which case, we will inform you, to the extent permitted by law, of the additional data we will collect accordingly. This may be the case, but is not limited to, when the merchant or partner discloses to us that the beneficial owner or representative is a politically exposed person (“PEP”) or related to a PEP, or if we need to fulfil a competent authority request, or if we need to have a conflict of interest. As this may be required on a case-by-case basis, we will inform you which additional data ought to be collected.
Please note: If you are an individual partner (which is a very exceptional case), for example, an introducer, or an OTC-desk client (in this case a natural person acting for purposes within that person’s trade, business, craft or profession), we will collect and process the personal data and information mentioned in this section and as relevant in related sections of this Privacy Policy. To be clear, when we refer to a merchant’s beneficial owner or representative, or on the merchant’s behalf, or similar, this would be understood, to the extent possible and applicable, as a reference to you.
Why do we collect and process your data: the legal basis for doing so
We must have a legal basis to collect and process personal data. Our data collection and processing activities strictly follow the grounds permitted by the GDPR and, where applicable, the local privacy laws of our Bitpace entities. Specifically, when Bitpace KM acts as the data controller or processor, it will adhere to the GDPR where applicable, and in all cases, unless prohibited, it will follow Bitpace and Bitpace’s affiliates group privacy policies, which are grounded on the principles of the GDPR. This commitment ensures consistency across our operations, as our standards are based on GDPR principles and the rule of when the GDPR directly applies. Furthermore, Bitpace KM is committed to applying the principles of the GDPR to the extent feasible across all its data processing activities, even when the GDPR does not directly apply.
We reassure you herewith that we will use personal data only for lawful purposes such as (i) identity verification; (ii) mitigation of financial and business risk; (iii) detection, investigation, assessment, monitoring and prevention of fraud and other crime; (iv) compliance with tax, anti-money laundering, counter-terrorist financing, anti-bribery and corruption and similar laws; (v) legitimate business needs.
Where personal information of an individual in Canada is collected, used, or disclosed by Bitpace CA, the legal basis for processing is consent (express or implied) or an applicable statutory exception under PIPEDA. References in this Privacy Policy to “legitimate interest”, “legal obligation”, or “performance of a contract” describe the nature of the underlying activity, which is supported by consent or a PIPEDA exception for Canadian purposes.
We obtain express consent from individuals in Canada before collecting, using, or disclosing sensitive personal information, including government-issued identification, biometric identifiers, financial information, source-of-wealth data, PEP status, and information relating to criminal records or compliance screening. Express consent is typically obtained at onboarding through a clear, affirmative action by the individual or their authorised representative.
For non-sensitive personal information processed for purposes that would be reasonably expected by the individual in the context of our services (for example, processing a transaction the individual has initiated or sending account/service profile-related notifications), we may rely on implied consent in accordance with PIPEDA Principle 4.3.5 and section 5(3) of PIPEDA.
Subject to legal or contractual restrictions, individuals in Canada may withdraw consent at any time by contacting us at [email protected]. Where personal information must be retained by law (including under the PCMLTFA), withdrawal of consent will not require deletion until our retention obligations have expired.
See the summary below (other sections of this Privacy Policy or separate agreements with you may also contain other purposes and legal bases).
| Purpose | Legal Basis |
| --- | --- |
| For providing and improving our services: We will mainly use the information to provide the services you have requested from us. Namely, for user authentication, management and administration of services and monitoring and reporting to develop and improve our services. | For the performance of a contract: If you use our contact form or register as a user on our website (which constitutes acceptance of our Standard Terms), or if we enter into a merchant or other separate agreement with a merchant or partner, we may process personal data to perform our contractual obligations. We process such data on these grounds when we execute transactions requested by our clients. Namely, we process data for the purposes of transaction processing, registering of trades, monitoring and analysis, and developing and managing our products and services, to name but a few. For the purposes of performing a contract, we may also transfer the necessary personal data to third parties (such as, but not limited to, banks and payment processors). Legitimate interest: Where it is in our legitimate interests to ensure that our services are well-managed, and their quality is improved so that our clients are provided with a high standard of service to protect our business interests and the interests of our clients. |
| For transaction processing: We will use certain personal data for the purposes of providing our specific services related to crypto-asset transactions. For the merchants and us to identify transactions, or to block transactions from sanctioned jurisdictions. For example, merchants-related persons (who perform a transaction on behalf of the merchant) sign in details on Bitpace’s platform; or merchants’ end-customers’ email addresses, IP addresses, payment information, wallet addresses, and any other transaction information. | Legal obligations: Where the law requires this (e.g., as applicable to the relevant Bitpace entity), crypto-assets regulations, operational resilience regulations, payments regulations, anti-money laundering and terrorist financing regulations, including but not limited to complying with the travel rule. Legitimate interest: Where it is in our legitimate interest to develop, build, implement and run business models and systems which protect our business interests and provide our clients with a high standard of service. |
| To comply with applicable laws: For instance, but not limited to, and as applicable to the relevant Bitpace entity, crypto-assets regulations, operational resilience regulations, payments regulations, anti-money laundering, counter-terrorist financing laws, financial crime/fraud prevention, and tax regulations. We will use personal data for undertaking client due diligence checks for the prevention and detection of financial and other crimes and undertaking checks, including on merchants’ and partners’ related parties, in relation to identity verification (e.g., via a copy of an ID card, driving licence or utility bill), application checks, anti-money laundering, counter-terrorist financing, compliance and risk screening and for preventing illicit or fraudulent behaviour on our website, sandbox environment or when providing our service, as we are obligated by applicable laws. We also perform ongoing monitoring and investigation of personal data and financial data related to users’ accounts/service profiles. For the same purpose, if the merchant or partner is required by applicable laws to perform due diligence on their end customers, we may request that the merchant or partner share that due diligence with us. We may also need to process certain transaction information to fulfil our record-keeping and reporting obligations in accordance with applicable regulations. | Legal obligations: Where the law requires this (e.g. anti-money laundering and terrorist financing regulations, crypto-assets regulations, payments regulations, tax regulations as applicable to the relevant Bitpace entity). For instance, in Canada, applicable legal obligations include the PCMLTFA and the reporting, client identification, and record-keeping requirements administered by FINTRAC. Legitimate interest: Where it is in our legitimate interest to prevent and investigate fraud, money laundering and other crimes and to verify the client’s identity in order to protect our business and to comply with laws that apply to us. |
| To cooperate with authorities: We may process personal data when requested by official public authorities or for the purposes of legal proceedings arising from disputes, fraudulent activities, etc. | Legal obligations: Where the law requires this (e.g. anti-money laundering and terrorist financing regulations, crypto-assets regulations, payments regulations, tax regulations, as applicable to the relevant Bitpace entity). |
| To exercise our legal rights: We may use personal data where it is necessary to do so, for example, to detect, prevent and respond to fraud or other violations of law, for legal and dispute management purposes, and for debt collection and recovery purposes. | Legal obligations: Where the law requires this (e.g. anti-money laundering and terrorist financing regulations). Legitimate interest: Where it is in our legitimate interest to prevent and investigate fraud, money laundering and other crimes and to verify the client’s identity in order to protect our business and to comply with laws that apply to us. |
| To keep in touch: We use some personal data to contact you and respond to your inquiries. We send important notifications to your email address, including transaction-related information, verification requests/statuses, security-related warnings/requests, and general technical and administrative information such as maintenance, downtime and software update notifications. | For the performance of a contract: Where we are obliged by a contract to provide you with certain notices in relation to the performance of such a contract. Legitimate interest: Where it is in our legitimate interest to provide information about our business and services that we believe would benefit or inform our clients. |
| To send marketing communication: This is to our merchants or B2B marketing to corporate email addresses. We may use personal data to send advertisements and offers to our business clients. We may send direct marketing messages to companies or their representatives promoting our products and services. We will, at all times, provide the option to “opt out” of receiving such messages, and we will respect your choice by stopping the sending of marketing messages. Please note that if you are already our client, we may continue to send you other communications necessary for the provision of our services and for maintaining our relationship with you. | Legitimate interest: Where it is in our legitimate commercial interest to send marketing communication. Recipients of any marketing communications may tell us at any time if they wish to change their contact preferences for this purpose (e.g., opt out, unsubscribe, or change preferred communication channels). In Canada, commercial electronic messages are sent in compliance with Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 (“CASL”). We obtain express consent or, where applicable, rely on valid implied consent under CASL (for example, in the context of an existing business relationship), before sending commercial electronic messages to Canadian recipients. Each such message includes our identification information and a functioning unsubscribe mechanism that is honoured within ten (10) business days of receipt. |
| To communicate promotional offers: We may also use personal data to provide advertisements for our offers. In case you sign up for our newsletter, you will receive our promotional emails. We can also use your information to communicate with you. If you express your explicit consent, your data will be used to provide information about promotions and other information related to our services. | Consent: Where we have your permission to do so (e.g., opt in, subscribe, via email). Recipients of any marketing communications may tell us at any time if they wish to change their contact preferences for this purpose (e.g., opt out, unsubscribe, or change preferred communication channels). |
| To share your information: For example, your corporate email address, in a secure format, with social media and third-party digital platforms, so that we can tell you about our products and services. | Consent: Where we have your permission to do so. Legitimate interest: Where it is in our legitimate interest to use social media companies and third-party digital platforms to share information with you about our products or services that may be relevant and beneficial to you. You can at any time object to the processing of your information in such a manner based on our legitimate interest. |
Please also consider that:
- Where we process special categories of personal data, we will usually do so on the basis that it is necessary for reasons of substantial public interest or to establish, exercise or defend any legal claims. In any case, we will carry out the processing in accordance with applicable laws.
- We process personal data for closely related purposes, such as payment processing and financial account/service profile management, contract management, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and legal compliance.
- We store the information in the corresponding account/service profile based on the legitimate interest that both Bitpace and our clients have. We process this information to provide you with our services or to answer your queries. We also store personal data for the purposes of civil legal proceedings and administrative and criminal investigations to comply with the laws applicable to us globally.
- Where you have presented to us any additional personal data (by including it in your written requests, by presenting it through documents that you have applied in your requests or by any other means), that personal data will be processed on the grounds of your consent. You can withdraw your consent at any time by writing a short email to: [email protected].
- When we process personal data to meet our legitimate interests, we put in place robust safeguards to ensure that data subjects’ privacy is protected and to ensure that our legitimate interests do not override the data subjects’ interests or fundamental rights and freedoms.
Automated data processing and profiling
We use profiling and analytics to understand how individuals use our website and our services for product development and business intelligence purposes. These analytics help us understand and improve our services and better serve our clients. We also use analytics for security and anti-fraud purposes. We will not make automated decisions about you that may significantly affect you unless (i) the decision is necessary as part of a contract that we have with you, (ii) we have your explicit consent, or (iii) we are required by law to use the technology.
While providing services on our website, we do not use mechanisms or algorithms for automated processing of your personal data or decision-making without human intervention (except that we may, but are not obligated to, perform automated processing as a part of Know Your Customer (KYC)/Know Your Business (KYB) and enhanced due diligence verification procedures).
What are your rights, and how to exercise them
The GDPR grants the data subjects a number of individual rights. Individuals whose personal information is controlled and processed by Bitpace CA also have rights under PIPEDA, including the right to access their personal information held by Bitpace, the right to challenge its accuracy and completeness, and the right to withdraw consent to processing subject to legal or contractual restrictions. The rights set out below apply in both the GDPR context and, where applicable, the PIPEDA context. Please be aware that those rights are not absolute and may not apply in certain circumstances. For ease of reference, we provide below a non-exhaustive summary of the data subject’s rights.
Right of access to your personal data. Information or confirmation as to whether or not personal data concerning you is being processed. Access information about, for instance, but not limited to, the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed. You have the right to receive a copy of your personal data in electronic form.
Rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject has the right to have incorrect data corrected and incomplete personal data completed, including by means of providing a supplementary statement/documents. We are committed to ensuring that the personal data we hold remains as precise and current as necessary for its intended use. The corresponding data subject, including individuals located in Canada, possesses the right to request the rectification of inaccurate or incomplete information by reaching out to us via [email protected]. When a correction is substantiated, we will adjust our records accordingly and, if required by the circumstances, inform any third-party recipients of the necessary updates.
Erasure (the ‘Right to be forgotten’) of personal data concerning yourself in certain circumstances. This right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. Please note that when we are required by law to process certain personal data, then the right to erasure will not apply to such data, e.g. when we are obligated by law to retain the personal data for a certain period of time. We would like to clarify also that the right to be forgotten applies so that the erasure will be fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten. This signifies that we will put the backup data ‘beyond use’, even if it cannot be immediately overwritten (the backup is simply held on our systems until it is replaced in line with an established schedule).
Restriction of processing in certain circumstances. This is an alternative to requesting the erasure of your data, where, for instance (but not limited to), the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, unless this proves impossible or involves disproportionate effort.
Data portability of the personal data as long as the processing is based on consent or on a contract, and the processing is carried out by automated means. This right allows data subjects to obtain and reuse their personal data for their own purposes across different services, from one IT environment to another, in a safe and secure way, without affecting its usability.
Object to the processing of personal data. For instance (but not limited to), the data subject has the right to object, at any time, to the processing of personal data concerning them for marketing purposes; however, if the data subject is objecting to other uses, we can refuse to comply with the objection but only if we can prove we have a strong reason to continue processing your data that overrides your objection. In particular, the data subject has the right to object at any time to the processing on the basis of legitimate interest, in which case Bitpace shall no longer process the personal data unless Bitpace demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Avoid automated decision-making (with no human involvement), such as profiling, which uses personal data to make calculated assumptions about individuals. There are strict rules about this kind of processing, and data subjects are permitted to challenge and request a review of the processing if they believe such rules are not being followed.
Withdraw data protection consent to the processing of your personal data at any time, and we will cease the processing of the relevant information. However, please bear in mind that consent is only one of several lawful grounds for personal data processing, so exercising this right means that there is no other legal basis in place.
Information on action taken within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
Information in case of a data breach that is likely to result in a high risk to the rights and freedoms of the data subject.
If a data subject wishes to avail themselves of any of the above rights, they may, at any time, contact us (albeit where/if technically possible, the data subject may be able to help themselves directly).
Our contact details for exercising your rights are:
We will respond to your request within one month of receipt. Where the complexity or number of requests warrants it, that period may be extended by up to two further months; we will notify you of any such extension within the first month, together with the reasons for the delay.
For individuals in Canada: we will respond to your request within thirty (30) days of receipt. Where we are unable to respond within thirty (30) days, we will notify you in writing before that period expires, stating the length of the extension (which will not exceed a further thirty (30) days) and the reason for it.
Additionally, data subjects have the right to lodge a complaint with the competent supervisory authority and before the competent courts if the data subject considers that the processing of their personal data is in breach of the provisions of the applicable privacy laws, including the present Privacy Policy.
You have the right to lodge a complaint before the competent supervisory authority.
Where personal data is processed in the EEA, you can find the contact details of the competent authorities in the EEA at:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
The details for the Bulgarian competent supervisory authority for data protection are:
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov Blvd.
1592 Sofia
Tel. +359 2 915 3580 / +359 2 915 3548
Email: [email protected]
Website: https://www.cpdp.bg/
The details for the Estonian competent supervisory authority for data protection are:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn
Tel. +372 6828 712
Email: [email protected]
Website: http://www.aki.ee/
We kindly ask you to send your complaint to [email protected] first and await our official response to your complaint, should you decide to further escalate it to the competent supervisory authority(-ies).
Residents of Canada may also lodge a complaint with the Office of the Privacy Commissioner of Canada (“OPC“) if they believe their personal information has been handled contrary to PIPEDA. The OPC can be reached toll-free at 1-800-282-1376 or at 30 Victoria Street, Gatineau, Quebec, K1A 1H3 (website: www.priv.gc.ca). Residents of Alberta and British Columbia may additionally contact the Office of the Information and Privacy Commissioner of the relevant province. We encourage Canadian residents to contact us at [email protected] before escalating to the OPC or a provincial regulator.
For how long do we keep your personal data
We retain your personal data for the minimum period required to comply with the purposes set out by this Privacy Policy unless we are obligated by law and/or have the right to retain it for a longer period.
We will retain personal data to enable us to:
- Maintain business records for analysis and/or audit purposes.
- Comply with record retention requirements under the law (for example, as required under legislation concerning the prevention, detection and investigation of money laundering and terrorist financing).
- Defend or bring any existing or potential legal claims.
- Deal with any future complaints regarding the services we have delivered.
Except as otherwise expressed or required by applicable laws, please also note that we generally apply the following storage periods:
- All data is stored in its original format for a period of ten (10) years on server(s) of Bitpace in the manner created;
- Five (5) years after the date a business relationship ends or the date a transaction is completed, for records that contain personal data that we had processed in order to comply with anti-money laundering and counter-terrorism financing laws, including the PCMLTFA as administered by FINTRAC in Canada (however, as noted in this Privacy Policy, we may retain these records for longer periods);
- No less than twelve (12) months after the collection and processing of data, related to geographical IP location, date, time, and duration of a website session of the person transferred to Bitpace’s gateway to complete a transaction;
- Two (2) years after the date when you have contacted us via any communication channel we support and have provided any personal data.
We will retain personal data after those times if we are required to do so to comply with the law in the cases of outstanding claims or complaints that will reasonably require personal data to be retained, or for regulatory or technical reasons. Where we retain this data, we will continue to make sure that the data subjects’ privacy is protected.
Please bear in mind that, in certain circumstances, for instance, when we are obligated to retain personal data for a prescribed period of time or when we need to retain the data for the establishment, exercise or defence of legal claims, we do not have the right to erase the data prior to the end of the prescribed retention period, even if we have received such a request from you.
If you have consented to receive information about products and services (including those of other companies and organisations) that we believe you are interested in, we will process your contact details until you decide to withdraw your consent.
How and why we may share or transfer personal data to third parties, third countries and international organisations
Where necessary, we may provide (share or transfer) personal data about you, on a need-to-know basis:
- to other members of our group, including internal service companies and to other group companies and, on the merchant’s behalf, entities with whom the merchant or partner has a relationship;
- to anyone as a result of any restructure, sale or acquisition or to anyone to whom we transfer or may transfer our rights;
- to the relevant authorities or third parties, if we are required, requested or permitted to do so by law, regulation, court order, or supervisory, regulatory or similar authority;
- for international payments where we are required to send details of the payee and the beneficiary with the payment, and to overseas regulators and authorities in connection with their legitimate duties;
- to providers of distributed ledger (DLT) infrastructure services, blockchain analytics providers, and compliance service providers, who are bound by data protection agreements (DPAs) to ensure that personal data is used strictly for the purposes of providing the relevant services, and that appropriate safeguards are in place to protect all personal data provided;
- to our trusted partners (as long as this is necessary for the provision of services to you and the services we use from those partners, for example, payment aggregators, technical support of our website/platform, managing our Customer Support Centre and communication channels, such as our online chat platform, etc.), whose adherence to the highest data security and privacy standards is assured on our end. Namely, we are in contractual relationships with those companies, guaranteeing that the provided personal data is processed exclusively and as strictly necessary for the provision of their services to us.
Please bear in mind that the data transferred is limited to the purpose for which it is transferred. By adhering to that notion, we give access to information to third parties only after a detailed documentation review and only if they meet the requirements of the applicable regulatory regime. This review carefully addresses the competence of each third party as well as technical and organisational data protection measures.
Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we are located).
If your personal data is transferred outside the EEA – including to other members of the Bitpace group or to third-party processors and service providers located in other jurisdictions – to a country whose data protection standards are not deemed to be adequate to those provided by the GDPR, we will ensure that appropriate safeguards are put in place to guarantee data protection. The safeguards will include the use of contractual terms approved by the European Commission and/or other appropriate safeguards to ensure that personal data is sent and received in accordance with applicable laws.
Where personal information of individuals in Canada is transferred outside of Canada – including to other members of the Bitpace group or to third-party processors and service providers located in other jurisdictions – Bitpace ensures that appropriate contractual protections are in place with the receiving party. In accordance with the Office of the Privacy Commissioner of Canada’s guidelines on cross-border transfers, individuals are hereby notified that their personal information may be processed in a foreign jurisdiction and may, while in that jurisdiction, be subject to the applicable laws of that jurisdiction, including lawful access by its courts, law enforcement, and governmental authorities.
Further information about the safeguards used by Bitpace can be obtained from our Data Protection Officer via email to [email protected].
How do we protect your information?
We take all the necessary measures to ensure the confidentiality of personal data and any other confidential information provided to us that is not personal data. We will comply with our obligations of confidentiality and establish and maintain adequate security measures to safeguard confidential information from unauthorised access or use.
We have put in place technical and organisational measures that meet the GDPR requirements and require third-party service providers that we use to do the same. We take reasonable technical and organisational measures to prevent the loss, misuse, or erasure of your personal information. We store all personal information we are provided with on our password-protected servers. All electronic financial transactions concluded through our website are protected by encryption technology. When you use a form on our website to send us data, this transmission goes exclusively through an encrypted transport layer security (TLS) connection. Your information is stored and encrypted using the Secure Sockets Layer (SSL)/TLS certificate on the website.
We cannot bear responsibility for third-party sites to which the website links or for their policies. If you click on a link to a third-party site, please read the privacy policy/notice of the named site carefully and choose whether it is appropriate to use it.
The implemented technical and organisational measures to ensure that processing is carried out in accordance with the GDPR that we have in place include, but are not limited to:
- pseudonymisation of personal data (when practicable);
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
These measures are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
Breach of security safeguards
Bitpace is committed to responding promptly to any breach of security safeguards involving personal data or personal information under its control or custody.
Under the GDPR, Bitpace will notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, and will communicate the breach to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
In Canada, where Bitpace CA determines that a breach of security safeguards has occurred involving personal information under its control or custody, it will assess whether the breach creates a real risk of significant harm (“RROSH“) to an affected individual. Where RROSH exists, Bitpace will: (i) notify the Office of the Privacy Commissioner of Canada as soon as feasible; (ii) notify affected individuals as soon as feasible, providing information sufficient to allow them to take steps to reduce the risk of harm; and (iii) notify any other organisation or government institution that may be able to reduce that risk. Bitpace will maintain records of all security breaches involving personal information for a minimum of 24 months from the date it determined that the breach occurred, regardless of whether RROSH was identified.
“Significant harm” for these purposes includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on credit records, and damage to or loss of property.
If you believe your personal information may have been affected by a breach of security safeguards, please contact us immediately at [email protected].
Changes to this Privacy Policy
We reserve the right to make changes to this Privacy Policy from time to time, so please check back periodically for changes. You will be able to see that changes have been made by consulting the last updated version and date posted at the top of this Privacy Policy.
Additionally, if we elect to use or disclose your personal data in a manner that is materially different from that stated in this Privacy Policy at the time we collected that information from you, we will give you a choice regarding such use or disclosure by appropriate means, which may include use of an opt-out mechanism. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on the merchants’ or partners’ related persons, we will give reasonable advance notice to such merchants or partners.
PLEASE RETAIN A COPY OF THIS PRIVACY POLICY FOR YOUR RECORDS AND CHECK THIS WEBSITE FREQUENTLY FOR ANY CHANGES.
Please note that the previous version of this Privacy Policy was published on this website on February 13, 2026. This information is provided for reference.