
PRIVACY POLICY

Xapo Bank Limited, Xapo Limited and Xapo VASP Limited

Last Updated: 1st February 2024

Introduction

Xapo Bank Limited (“Xapo Bank”), Xapo VASP Limited (“Xapo VASP”) and Xapo Limited (“Xapo Limited”) respect your privacy and are committed to protecting your Personal Data. This Privacy Policy applies to how we collect, process, and store your Personal Data through our online services and our Android and iOS Mobile apps, when you receive our emails, or when you otherwise interact with us. This Privacy Policy describes the types of Personal Data we obtain, how we use the Personal Data, and with whom we share it. We also describe your rights, how the law protects you, and how you can contact us about our privacy practices.

If you are submitting information through our recruitment solution linked to this website, please read carefully our separate Job Applicant Privacy Notice.

This Privacy Policy is provided in a layered format so you can click through to the specific areas set out below.

1. PURPOSE OF THIS PRIVACY POLICY

This Privacy Policy aims to give you information on how Xapo collects and processes your Personal Data.

It is important that you read this Privacy Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data.

This Privacy Policy is supplemented by other privacy policies or notices and is not intended to override them.

In this Policy, “Xapo”, "we", "us" and "our" collectively refers to Xapo Bank, Xapo VASP and Xapo Limited.

In this Privacy Policy, “Personal Data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.

For the avoidance of doubt, Personal Data does not include data from which you cannot be identified (which is referred to simply as data, non-Personal Data, anonymous data, or de-identified data).

In this Privacy Policy, “processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Identity and the Contact Details of the Controller

For the purposes of the Gibraltar General Data Protection Regulation (Gibraltar GDPR) and the Data Protection Act 2004 (the “DPA”), which together make up Gibraltar’s data protection law, Xapo is the data controller and is responsible for the Personal Data that we collect or that you provide to us.

If you have any questions or comments about this Privacy Policy or any issue relating to how we collect, use, or disclose Personal Data, or if you would like us to update information we have about you, you can contact us at: [email protected]

You can also contact us:

  • In writing, at the following postal address: Xapo, Units 1/1, 1/2 and 1/A-1 Casemates Square, Gibraltar, GX11 1AA
  • By email at: [email protected]

Full name of legal entity: Xapo Limited, where neither registration nor licence is required.

Xapo Limited encompasses:

  • Xapo Bank Limited, a ‘credit institution’ regulated by the Gibraltar Financial Services Commission under the Financial Services Act 2019 with permission number 23171; and
  • Xapo VASP Limited, a ‘distributed ledger technology provider’ regulated by the Gibraltar Financial Services Commission under the Financial Services Act 2019 with permission number FSC1359B.

Contact Details of the Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Privacy Policy and to inform you how to exercise your rights. Our Data Protection Officer can be contacted directly at: [email protected]

DETAILS ABOUT PERSONAL DATA PROCESSING ACTIVITIES

2. COLLECTING YOUR PERSONAL DATA

2.1. CATEGORIES OF DATA

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website or Mobile App feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data, which will be used in accordance with this Privacy Policy.

*  The automatic exchange of financial account information between tax authorities shall apply to all our customers, excluding the Xapo customers only making use of our "E-Money" services unless informed otherwise. Nonetheless, all of our customers, including those only making use of our "E-Money" services are subject to applicable laws and regulations which may require us to disclose their information where we are legally required to do so.

** The GPS Location data processing by Xapo shall be mandatory for these purposes or activities for all our customers, excluding the Xapo users only making use of our "E-Money" services unless informed otherwise.

2.2. SOURCES OF DATA

Information That We Collect Automatically

We use Personal Data that we collect automatically through cookies and action tags. We also use the information to help diagnose technical and service problems, administer the Site, and identify visitors to the Site.

Cookies: We use cookies on our website to collect data about your visit (like usage data, and other information automatically collected from your browser or mobile device; this information may include your IP address; browser type and version; preferred language; geographic location using IP address or the GPS, wireless, or Bluetooth technology on your device; operating system and device) and to allow you to navigate from page to page without having to re-login each time, count visits, and see which areas and features of our website are popular.

Action Tags: We may use action tags to identify some of the pages that you visit and how you use the content on those pages. Action tags collect and transmit this data in a manner that identifies you if you have registered with our website and are logged into our Android or iOS Mobile apps. We also may use action tags in our emails to determine whether an email was opened or whether it was forwarded to someone else. When you use our Android or iOS Mobile apps, we may use action tags where you access websites from links in our Android or iOS Mobile apps. These may identify the pages that you visit and how you use the content on those pages.

To learn more about the cookies that we use on our online services, our Android and iOS Mobile apps, as well as to control your cookie settings, please read our Cookie Policy.

We use third party analysis tools to collect data about your device and internet connection. That information includes, but is not limited to, the IP address of your computer and/or internet service provider, your geolocation, the times at which you access our online services or our Android or iOS Mobile apps, the Internet address of the website you came from before landing on our online services, the browser that you are using and your movements on our online services. All of this information is used internally for the purposes of understanding how our online services are being used and to improve them. We also use the data collected via cookies to track the popularity of our online services.

We also use third party analysis tools to collect data about your use of our Android and iOS Mobile apps. The information collected identifies the types and timing of actions you take within our Android and iOS Mobile apps, including installation, registration, uploading, and certain types of navigating. All of this information is used internally for the purpose of understanding how our Android and iOS Mobile apps are being used and improving them. Our online services and Mobile apps may also contain links to third-party websites; clicking on those links or enabling those connections allows third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We accept no responsibility for the actions of these third-party websites. When you leave our online services, we encourage you to read the privacy statements of every website you visit.

Your browser settings may allow you to transmit a “Do Not Track” signal to websites and online services you visit. Like many other websites and online services, we do not currently process or respond to “Do Not Track” signals from your browser or to other mechanisms that enable choice. If we do so in the future, we will describe how we do so in this Privacy Policy.

INFORMATION THAT WE OBTAIN FROM THIRD PARTIES AND PUBLICLY AVAILABLE SOURCES

Please find a description in a table format of the information obtained from third parties in Addendum 1.

2.3. LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

We will only use your Personal Data when the law allows us to. Most commonly, we will use your Personal Data under the following circumstances:

Consent

When you give us your consent, for example, to access your contacts on your phone or to allow us to access your location. You have the right to withdraw your consent at any time. To withdraw your consent, go to the Privacy Settings in our Android or iOS Mobile app or contact us at [email protected].

Contract

When we need to execute a contract you have entered into with us by accepting applicable terms and conditions or specific related terms relating to other services offered by us.  

Where we need to collect Personal Data under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform our services under the contract we have or are trying to enter into with you (for example, to provide you with any of our services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.

Legal or regulatory obligation

When we need to collect Personal Data by law. If you fail to provide that data when requested, we will not be able to perform our services under the contract with you (for example, to provide you with any of our products or services). In this case, we will have to cancel a product or service you have with us and we will notify you at that time.

For information about how we process your personal data with respect to Anti-Money Laundering purposes, please see the AML Notice available at: AML/KYC Privacy Notice.

Legitimate Interests

Legitimate Interest means the broader stake that Xapo has in the processing, or the benefit that we derive from the processing, of your Personal Data. For examples, please refer to the table at paragraph 2.1.

Where we rely on legitimate interests, we make sure that we consider and balance any potential impact on you and your rights before we process your Personal Data for our legitimate interests.

2.4. PURPOSES

We have set out a description of all the ways we plan to use your Personal Data, and the legal basis we rely on to do so, which you can find in the table at paragraph 2.1. This table also shows how we have identified what our legitimate interests are. Note that we may process your Personal Data for multiple legal reasons.

Marketing

We are committed to providing you with choices regarding certain Personal Data uses, particularly around marketing and advertising. We will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to receive third party marketing communications at any time by contacting us.

Promotional Offers From Us

We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you (we call this marketing).

You can expect to receive marketing communications from us if you have requested information or purchased services from us and you have not opted out of receiving that marketing.

Lookalike Advertising on Third Party Sites

Our Members

When we share your personal information with Advertising Partners (as described at paragraph 2.1), we may also ask the Advertising Partner to find other people that share similar interests and behaviours to you, and to show our advertising to those people when they use Social Media Platforms.

This is based on personal information that you have provided to a Third Party Site through your use of that Third Party Site (which may include Third Party Sites of the Advertising Partner). According to their terms and conditions, you have agreed to be subject to profiling activities, carried out exclusively by them. This personal information might include demographic data (such as your age or gender) and interest-based data (things that you like). No personal information is shared with us. At the same time, please note that we may share additional information from paragraph 2.1 in an anonymised format, for better results. This means we make sure you cannot be identified and, therefore, there are no risks to your rights and freedoms.

To the extent we are a controller of this personal information, we consider it is in our legitimate interest to use this personal data in this way to increase the effectiveness of our advertising by displaying our ads to individuals who share similar interests and characteristics to our customer base.

Using tools made available by Advertising Partners

Our Prospective Members

Advertising Partners may provide tools that we can use to deliver our advertisements to people who we think are more likely to be interested in our products and services.

For example, an Advertising Partner may have determined that you are a ‘crypto-enthusiast’ using data that they have collected about you through your use of Third Party Sites (which may include Third Party Sites of the Advertising Partner). If we want to display a crypto-related product advertisement to other crypto-enthusiasts, the Advertising Partners that we work with may allow us to show our advertisement to you using selection tools that they make available. The personal information that is used for this is not shared with us.

To the extent we are a controller of this personal information, we consider it is in our legitimate interest to use this personal data in this way to ensure our advertising is relevant to those receiving it.

Change of purpose

We will only use your Personal Data for the purposes for which we collected it. We will delete it after fulfilling the intended purpose or after expiration of the respective storage periods.

3. THIRD PARTY LINKS

Please note that our website, our Android app and our iOS Mobile app may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

As a rule, we instruct all third parties on how to process your personal data for the purpose of our future or existing contract with you, through a Data Processing Agreement. However, if they process your personal data separately from our services, we do not control their processing activities or websites and are not responsible for their data privacy compliance. Therefore, when you leave our online services or our Android and iOS Mobile apps, we encourage you to read the Privacy Policy/Notice/Statement of every webpage or app you visit. We are not responsible for the security of any data you are transmitting over the Internet, or any data you are storing, posting, or providing directly to a third party’s website, which is governed by that party’s policies. Nonetheless, we always assess thoroughly the third parties we choose to integrate into our services and make sure they are key leaders in the field they operate in, be it security, compliance or marketing. If you have further questions about security, you can contact us using the details provided above.

Please read Addendum 2 for a more exhaustive list of the categories of service providers we use, and Addendum 4 for a detailed explanation of the data processing carried out by third parties during onboarding.

4. INFORMATION WE SHARE; DATA TRANSFERS

We do not sell or otherwise disclose Personal Data that you provide to us or that we collect on this website, our online services, or our Android and iOS Mobile apps, except as described here:

  • Companies in the Xapo group where it is necessary for the performance of a contract and these entities are used by us to assist in the provision of our services to you. Companies in the Xapo group will be acting as joint controllers in order to provide our services;
  • Service providers we use to provide customer benefits such as Airport Lounge access and Wifi access;
  • Marketing materials from third parties if you have provided consent;
  • If required, professional advisers such as lawyers, banks, auditors and insurers providing such services;
  • Regulators and other authorities who require reporting of processing activities under certain circumstances;
  • If required, or where we believe it is required by applicable laws or legal process;
  • To protect the rights, property and safety of Xapo, our users and the public, including, for example, in connection with court proceedings, to detect or prevent criminal activity, fraud, material misrepresentation, or to establish our rights or defend against legal actions;
  • The third party service provider through which we gather your rating of the App.

Xapo is headquartered in Gibraltar. However, due to the nature of our global offering, we have operations throughout the world, including but not limited to North America, South America and Asia. We transfer your data to countries outside the European Economic Area (“third countries”) to the extent that is necessary in order to perform our services and comply with our legal obligations.

Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • Where we use certain service providers, we will use contract language approved by the European Commission which gives Personal Data the same protection it has in Europe.
  • Where we use providers based in the US, we will transfer data to them making use of Standard Contractual Clauses that require them to provide similar protection to Personal Data shared between Gibraltar and the US.

Further details on these provisions can be obtained by contacting us at [email protected]

The Categories of Providers Table provides information on the type of third party recipient (i.e. by reference to the activities it carries out), the industry and the location of the recipients.

5. SECURITY MEASURES AND DATA BREACHES

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. The Personal Data you enter on HTML pages (contact forms) and that is stored by us is transmitted to Xapo over the public data network in encrypted form (TLS, Transport Layer Security), and is then stored and processed at Xapo.

In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who need to know it. Contractors, agents and third parties are instructed about these measures under the provisions of a service agreement signed with them, and employees are informed about access controls via the Acceptable Use Policy. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality and a duty to comply with data protection procedures.

We utilise dedicated security tools and cyber intelligence to monitor market activity and predict potential issues. Furthermore, we hold no personal data at our physical headquarters, located at One Grand Casemates Square, Gibraltar, which reduces the likelihood of a Personal Data breach at that site.

We have put in place a Data Breach Procedure to deal with any suspected or actual Personal Data breach. Under the Gibraltar GDPR and the DPA, we are obliged to inform you about a data breach whenever it is likely to result in a high risk to your rights and freedoms. At the same time, we fulfil our notification obligations to the Gibraltar Regulatory Authority, as prescribed in law.

We also acknowledge that the notification obligations we have as a data controller established in Gibraltar do not exempt us from similar obligations in other jurisdictions. For any derogations, please refer to our Derogations Section.

6. PROTECTION OF MINORS

Xapo does not knowingly collect or solicit Personal Data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any Personal Data about yourself to us. If Xapo becomes aware that an underage person has registered on the platform contrary to the T&Cs, it reserves the right to close that account and inform the person accordingly.

7. DATA RETENTION

We retain information about you in our databases for as long as your account is active, or as is reasonably needed to fulfil the purposes we collected it for and to provide our services, and as required by applicable laws. Our retention and use of your information will be as necessary to comply with our legal, regulatory, tax, accounting, or reporting obligations and requirements, to resolve disputes, or complaints, and to enforce our agreements. Any derogation from the Retention Policy will be based on legal grounds and will be explicitly mentioned.

While retention requirements vary by jurisdiction, please find a full description in a table format of all the general retention periods of your Personal Data and the specific legal basis we must comply with. We have also identified what our legitimate interests are where appropriate. Note that we may retain your Personal Data for more than one lawful basis depending on the specific purpose for which we are using your data. Although the table provides our general retention periods stipulated for different categories of Personal Data and/or different processing purposes, in certain circumstances, your information may be retained for longer periods due to the inherent nature of distributed ledger technology.

In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes. When information is anonymised, it ceases to be Personal Data and we may use it without further notice to you.

8. YOUR RIGHTS AND CHOICE

RIGHT TO INFORMATION

You have a right to be informed about the processing of your Personal Data. This is why we have created the current Privacy Policy, as an effort to clearly explain all the aspects of our processing activities. We want you to feel all your assets are secure, including the personal data you trust us with.

RIGHT TO REQUEST ACCESS

You also have a right to access information we hold about you. We will endeavour to provide you with details of your Personal Data that we hold or process and to provide this data in the format you request. To protect your Personal Data, we follow established disclosure procedures, which may require us to request proof of identity from you prior to providing such information. You can exercise this right at any time by contacting us using the details found below.

RIGHT TO RECTIFICATION

You have the right to have any inaccurate Personal Data about you rectified and to have any incomplete Personal Data about you completed.

RIGHT TO ERASURE (RIGHT TO BE ‘FORGOTTEN’)

You have the general right to request the erasure of your Personal Data in the following circumstances:

  • the Personal Data is no longer necessary for the purpose for which it was collected;
  • you withdraw your consent to processing and no other legal justification for processing applies;
  • you object to the processing activity, when the latter was based on the legal grounds of legitimate interest or public interest;
  • you object to the processing activity, when the latter had the purpose of direct marketing;
  • we unlawfully processed your Personal Data; and
  • erasure is required to comply with a legal obligation that applies to us.

We will comply with an erasure request without undue delay and to the extent we are able to do so. However, there may be overriding grounds requiring us to store your data for longer, for:

  • exercising the right of freedom of expression and information;
  • complying with a legal obligation under EU or other applicable law, or for the performance of a task carried out in the public interest (such as anti-money laundering);
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and
  • the establishment, exercise, or defence of legal claims.

Please be aware that if you request erasure, we will need to close your Xapo account. This action is not reversible, and once your data is erased we are no longer able to provide Xapo services to you. However, this will not affect the lawfulness of any processing carried out before you requested erasure of your data.

However, exercising this right does not necessarily mean all personal data about you will be deleted, although we will make all reasonable effort to do so. For example, when interacting with the blockchain, we may not be able to ensure that your Personal Data is deleted.

RIGHT TO RESTRICT PROCESSING

You have a right to request to restrict processing of your Personal Data, such as where:

  • you contest the accuracy of the Personal Data;
  • you objected to a processing activity based on legitimate interest, while the verification of conditions is carried out;
  • if you believe processing is unlawful, you may request, instead of requesting erasure, that we restrict the use of unlawfully processed Personal Data;
  • we no longer need to process your Personal Data but need to retain your information for the establishment, exercise, or defence of legal claims or for regulatory requirements.

Depending on the type of processing you ask us to restrict, please be aware that we may need to close your Xapo account. This action is not reversible, and once we stop processing your data we are no longer able to provide Xapo services to you. However, this will not affect the lawfulness of any processing carried out before you requested the restriction.

RIGHT TO DATA PORTABILITY

Where the legal basis for our processing is your consent, or the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, you have a right to receive the Personal Data you provided to us in a structured, commonly used and machine-readable format.

RIGHT TO OBJECT TO DIRECT MARKETING (‘OPTING OUT’)

You have a choice about whether or not you wish to receive information from us.

We will not contact you for marketing purposes unless you have an existing business relationship with us and we are offering you similar services, in which case we rely on our legitimate interests as the lawful basis for processing.

On each and every marketing communication, we will always provide an option for you to exercise your right to object to the processing of your Personal Data for marketing purposes (known as ‘opting-out’) by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your Personal Data.

Please note that any administrative or service-related communications (to offer our services, or notify you of an update to this Privacy Policy or applicable terms and conditions, etc.) will solely be directed at our clients or business partners, and such communications generally do not offer an option to unsubscribe, as they are necessary to provide the services requested.

Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our online services and Android or iOS Mobile apps or as part of a contractual relationship we may have with you.

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION MAKING

It is in our interest to protect data subjects that engage with us against undesired automated data processing. This right can be exercised whenever a processing activity is based solely on automated decision-making (ADM) that produces legal or similarly significant effects, as set out in Article 22 of the GDPR.

Timeline          | Purpose                                                                                              | Legal ground                 | Method
Before onboarding | KYC, anti-money laundering checks                                                                    | Fulfilling legal obligations | Using a third party
After onboarding  | Detecting fraud or financial crimes                                                                  | Legitimate interest          | Using a third party
After onboarding  | Monitoring accounts to ensure a safe platform for all users, as undertaken in the initial contract   | Contractual obligation       | Using a third party

If you do not agree to the processing activities described above, we cannot offer you our services, as these checks underpin the security of the platform. This means we are not able to either open your account or maintain it.

Please note that the law prescribes that this right cannot be exercised when:

  • the processing activity is undertaken for the conclusion or performance of a contract with you;
  • we are subject to legal obligations; or
  • you have given explicit consent.

Moreover, we avoid processing sensitive data by ADM means. However, if this becomes a necessary step for purposes such as onboarding or vetting, sensitive data is only processed under the legal grounds of explicit consent or substantial public interest.

Also, whenever such processing relies upon explicit consent or contractual obligations, you can further exercise your rights to express your point of view, to request human intervention and contest the decision.

Right to withdraw consent

Where the legal basis for processing your Personal Data is your consent, you have the right to withdraw that consent at any time by contacting us using the details found below. Please be aware that if you do so, we will need to close your Xapo account. This action is not reversible, and once we stop processing your data we are no longer able to provide Xapo services to you. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent.

You can exercise any of the above rights free of charge by contacting us at [email protected].

Most of the above rights are subject to limitations and exceptions. We will provide reasons if we are unable to comply with any request for the exercise of your rights.

Right to lodge a complaint with a relevant supervisory authority

If we have not responded to you within a reasonable time, or if you feel that your complaint has not been resolved to your satisfaction, you are entitled, without prejudice to any other administrative or judicial remedy, to make a complaint to the Information Commissioner under the Gibraltar Data Protection Act 2004, which is presently the Chief Executive Officer of the Gibraltar Regulatory Authority (GRA). You may contact the GRA using the details below:

Gibraltar Information Commissioner
Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4
1 Europort Road
Gibraltar
Email: [email protected]
Phone: (+350) 200 74636
Fax: (+350) 200 72166

You also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place, if that is based in the European Economic Area.

We would, however, appreciate the chance to deal with your concerns before you approach the Gibraltar Regulatory Authority or the supervisory authority in the country of your legal residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place, so please contact us in the first instance at [email protected] or [email protected].

9. UPDATES ON OUR ONLINE PRIVACY POLICY

We keep our Privacy Policy under regular review and we will update it to reflect any changes.

Changes to this privacy notice may become necessary as we develop our online services, Android and iOS Mobile apps, in order to implement new legal requirements or new technologies and in order to improve the services we provide. If we change our Privacy Policy in the future, we will post the revised version on our website www.xapo.com together with the version number and date of change. You should check this Privacy Policy from time to time when you visit our website.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

Addendum 1 - Data Obtained from Third Parties

Whenever we obtain personal data from third parties, we refer to the following categories: 

  1. Technical Data (e.g. IP address)
  2. Identity and Contact Data (e.g. name and phone number)
  3. Financial and Transaction Data (e.g. credit card details, transaction number)
  4. Job applicant data (all data included in the application sent to us)

Category of Data Providers | Type of Data that we get | Country of Establishment
Analytics providers, advertising networks, search information providers | Technical Data | USA
Technical, payment and delivery services providers | Contact, Financial and Transaction Data | USA
(not specified) | Identity and Contact Data | USA
Responses to surveys and campaigns to obtain leads | Identity and Contact Data | USA
Publicly available sources [such as Companies House and the Electoral Register] | Identity and Contact Data | EU/EEA
Usage of extended benefits | Contact data of visits to Airport Lounges | UK, USA
Job Postings | Job applicant data | USA

Addendum 2 - Categories of Providers

Addendum 3 - Retention Period Table

Addendum 4 - AML KYC PRIVACY NOTICE

We will process your identifying data and profile data within operations such as identification (Know your Customer, also known as KYC) and profiling (Customer Due Diligence, also known as CDD) for the purposes of the execution of our Anti Money Laundering (also known as AML) and Counter Terrorism Financing (also known as CTF) customer identification and verification process obligations.

When Xapo asks for CDD, what this refers to is proof of address and proof of identification. This along with information gathered at the application stage paints a picture of any customer (KYC). Without KYC, Xapo may unknowingly become involved with illicit activities and therefore subject to reputational, operational and legal risks, which can result in significant financial cost, or eventual winding up of the institution. KYC is most closely associated with the fight against money-laundering.

Specific proof of address, proof of identification, source of funds and/or AML-CTF questionnaires aimed at fulfilling KYC and CDD obligations are compulsory for Xapo users, and a failure to respond may lead (in extreme cases) to the blocking of their accounts or the refusal of services.

In response to the scale and effect of money laundering, the European Union has passed Directives designed to combat money laundering and terrorism. These Directives, together with the national regulations listed below, form the cornerstone of our AML/CTF obligations, establish the legal basis for us to process this data and outline the offences and penalties for failing to comply.

  • Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market;
  • Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing;
  • Council Decision of 17 October 2000 concerning arrangements for cooperation between financial intelligence units of the Member States in respect of exchanging information (2000/642/JHA);
  • Proceeds of Crime Act 2015;
  • Terrorism Act 2018;
  • Drug Trafficking Offences Act 1995;

As part of implementing the EU framework, the Proceeds of Crime Act 2015 prescribed in para 1K of part 1 that the AML purposes are a matter of public interest, with respect to personal data processing activities. This means that most of the time, we may collect, share, store or otherwise process your personal data even in cases when you requested deletion, for complying with legal obligations or such public interest requests. For details about data deletion requests, please refer to section 8 of this Policy and for data retention, please refer to Addendum 3.

ANTI-MONEY LAUNDERING (AML) POLICIES

Our AML policy is designed to prevent money laundering by meeting the European standards on combating money laundering and terrorism financing, including the need to have adequate systems and controls in place to mitigate the risk of the firm being used to facilitate financial crime. Our AML policy sets out the minimum standards which must be complied with and includes:

  • Appointing a Money Laundering Reporting Officer (MLRO) who has a sufficient level of seniority and independence, and who has responsibility for oversight of compliance with the relevant legislation, regulations, rules and industry guidance;
  • Establishing and maintaining a Risk-Based Approach (RBA) to the assessment and management of money laundering and terrorist financing risks faced by the firm. The requirement to provide CDD-related data is applied through an RBA that will always take into account different factors such as the status of the client, the nature of the transactions, the financial product or the financial flows involved;
  • Establishing and maintaining risk-based Customer Due Diligence (CDD), identification, verification and Know Your Customer (KYC) procedures, including enhanced due diligence for customers presenting a higher risk, such as Politically Exposed Persons (PEPs);
  • Establishing and maintaining risk-based systems and procedures for the monitoring of on-going customer activity;
  • Establishing procedures for reporting suspicious activity internally and to the relevant law enforcement authorities as appropriate;
  • Maintaining appropriate records for the minimum prescribed periods;
  • Providing training for and raising awareness among all relevant employees.

As a regulated financial institution, Xapo has specific requirements regarding AML systems and procedures. This reflects senior management’s desire to prevent money laundering.

SANCTIONS POLICY

Xapo is prohibited from transacting with individuals, companies and countries that are on prescribed sanctions lists. Xapo will therefore screen against United Nations, European Union, UK Treasury and US Office of Foreign Assets Control (OFAC) sanctions lists in all jurisdictions in which we operate.

AUTOMATED DECISION MAKING

We use semi-automated processes which include, but are not limited to, screening the Know-Your-Customer (KYC) and Anti-Money Laundering (AML) data you provide to us in order to assess whether or not we are legally able to allow you to use our services.

All automated screening matches are manually reviewed by Xapo compliance analysts. The analyst reviews the triaged cases to determine whether they should be cleared or escalated to the MLRO.

THIRD PARTIES AML-KYC

Where processing of personal data is carried out on behalf of Xapo by a third party provider, we conclude a separate contract with the processor with respect to this processing, called a Data Processing Agreement. This contract ensures compliance with applicable data protection regulations and defines sufficient guarantees for the implementation of appropriate technical and organisational measures, which ensure the protection of your rights. The Privacy Notices of the chosen third parties can be accessed below:

Privacy Notice (Sumsub Service) | Sumsub.com

Privacy Policy | Incode

Privacy Statement | Fourthline - Fourthline

Therefore, for KYC purposes, the following personal data will be processed by one of the above-mentioned third parties, according to your country of residence and document type, based on your freely given, specific, informed, unambiguous and explicit consent:

Type of data | Details
General Personal data | Full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship; email and phone number for verification
Unique identifiers | ID data, Unique Identifier (applicant ID); PoA document data for verification; depending on the country, can also be tax ID and other such identifiers
Technical data | Software and hardware attributes (camera and device name), geolocation (IP address, domain name, GPS data, general geographic location including city and country from the device)
Biometric data | Facial Image data (photos or videos of face including selfies or scan of face on the ID document), Biometric data (numeric facial features)
Relevant publicly available data | Information regarding a person being a Politically Exposed Person (PEP) or included in country-specific sanctions lists, criminal lists or financial lists

For more details regarding the categories of third parties used by Xapo, please read Addendum 2.

Addendum 5 - Country-Specific Derogations

SECTION 1 - South Africa derogations

In addition to the previous sections, in case the South African Data Protection Law [The Protection of Personal Information Act no. 4/2013 (POPIA)] applies, the following differences are to be noted: 

  1. The following definitions are to be used, in addition to other relevant ones used in section 1, chapter 1, of the law:
    1. ‘biometrics’ means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
    2. ‘consent’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
    3. ‘security compromise’ is understood as a data breach and must be notified to the data subject and the Regulator ‘as soon as reasonably possible’.
    4. ‘operator’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
    5. ‘responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information (understood as Data Controller).
    6. ‘person’ refers to both natural and legal persons.
    7. ‘personal information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
      1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
      2. information relating to the education or the medical, financial, criminal or employment history of the person;
      3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
      4. the biometric information of the person;
      5. the personal opinions, views or preferences of the person;
      6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
      7. the views or opinions of another individual about the person; and
      8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
        1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
        2. the criminal behaviour of a data subject to the extent that such information relates to—
          1. the alleged commission by a data subject of any offence; or
          2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
  2. Moreover, in terms of data subjects’ rights, the right of access will be subject to estimated reasonable costs when detailed information processed is required.
  3. According to the South African Law, there are various ways of notifying when security compromises occur, including by publishing it on the website or in the media.
  4. Any communications with the Supervisory Authority will be made with the Information Regulator.
  5. At the same time, Xapo will respect the codes of conduct issued by the Regulator from time to time, along with the relevant reports used as guidance.
  6. Data subjects’ rights can be exercised in the same conditions as described in this Privacy Policy, unless different conditions are established by the national law protecting the data subject.
  7. In case of a conflict of laws, any legal derogation stemming from the national rules will be prioritised (e.g. timeframe for responding to a DSAR). At the same time, if the national law is silent with respect to certain aspects, the Privacy Policy herein is applicable.

SECTION 2 – HONG KONG DEROGATIONS

In addition to the previous sections, in case the Hong Kong Data Protection Law [Personal Data (Privacy) Ordinance (CAP.486)] applies, the following differences are to be noted:

  1. The following definitions are to be used, in addition to other relevant ones used in section 2, part I, of the law:
    1. Relevant person refers to the cases when an individual is legally authorised to exercise the rights of the data subject, meaning when the data subject is a minor or incapable, under the circumstances prescribed by the law.
    2. Data user in relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data (understood as Data Controller). In addition to that, any person ‘authorised in writing by the data user to collect, hold, process or use the data’ will be considered a Data Processor.
    3. third party, in relation to personal data, means any person other than—
      1. the data subject;
      2. a relevant person in the case of the data subject;
      3. the data user; or
      4. a person authorized in writing by the data user to collect, hold, process or use the data—
        1. under the direct control of the data user; or
        2. on behalf of the data user;
    4. personal data means any data—
      1. relating directly or indirectly to a living individual;
      2. from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
      3. in a form in which access to or processing of the data is practicable;
  2. Under this Law, data subjects have the right to submit access requests or correction requests, which will be responded to within 40 days after receipt. The procedural framework relies on Division 1 and 2, Part 5, from the above-mentioned Law.
  3. Data breaches are not reportable. However, it is advised they are communicated to the Commissioner through the Data Breach Notification Form. Thus, Xapo will assess the gravity and impact of any potential data breach and will decide on a case-by-case basis if the Commissioner must be notified.
  4. Any communications with the Supervisory Authority will be made with the Privacy Commissioner for Personal Data.
  5. Data subjects’ rights can be exercised in the same conditions as described in this Privacy Policy, unless different conditions are established by the national law protecting the data subject.
  6. In case of a conflict of laws, any legal derogation stemming from the national rules will be prioritised (e.g. timeframe for responding to a DSAR). At the same time, if the national law is silent with respect to certain aspects, the Privacy Policy herein is applicable.

SECTION 3 – SINGAPORE DEROGATIONS

In addition to the previous sections, in case the Singapore Data Protection Law [Personal Data Protection Act 2012 (No. 26 of 2012)] applies, the following differences are to be noted:

  1. The following definitions are to be used, in addition to other relevant ones used in section 2, part I, of the law:
    1. ‘individual’ means a natural person, whether living or deceased (and is to be understood as a wider concept of the data subject);
    2. “personal data” means data, whether true or not, about an individual who can be identified —
      1. from that data; or
      2. from that data and other information to which the organisation has or is likely to have access;
    3. “user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
    4. “user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.
    5. “data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation (understood as Data Processor).
    6. The Data Controller (as described in the Privacy Policy, along with its obligations) shall be understood as ‘the organisation’ as it is mentioned throughout the law.
  2. Consent withdrawal is possible at any moment, but procedurally, section 16, part 4, division 1 of the Law shall be taken into consideration. In practice, that means Xapo will inform the individual of the ‘likely consequences of withdrawing his or her consent’ after receiving the consent withdrawal.
  3. Since the national rules do not prescribe any timeline for responding to requests regarding correction of personal data or access to personal data, the regime established in this Privacy Policy shall be fully applicable (unless the law prohibits this).
  4. In case a data breach occurring is considered reportable (according to part 6A of the Law), it should be notified within 3 calendar days after assessing it is a notifiable data breach.
  5. Any communications with the Supervisory Authority will be made with the Personal Data Protection Commission ('PDPC').
  6. Data subjects’ rights can be exercised in the same conditions as described in this Privacy Policy, unless different conditions are established by the national law protecting the data subject.
  7. In case of a conflict of laws, any legal derogation stemming from the national rules will be prioritised (e.g. timeframe for responding to a DSAR). At the same time, if the national law is silent with respect to certain aspects, the Privacy Policy herein is applicable.

SECTION 4 – BRAZIL DEROGATIONS

In addition to the previous sections, in case the Brazilian General Personal Data Protection Law (LGPD) applies, the following differences are to be noted:

  1. The following definitions are to be used, in addition to other relevant ones used in article 5, chapter 1 of the law:
    1. The Data Processor is to be considered ‘the operator’, as described by law.
    2. The person in charge means a person appointed by the controller and operator to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD);
    3. Blockade refers to a temporary suspension of any processing operation, through the blockage of personal data or the database;
    4. The Data Protection Impact Assessment (DPIA) will be understood as ‘Impact Report on the Protection of Personal Data’.
  2. Personal data security incidents will be reported to the ANPD and to the ‘holder of occurrence’ in cases that may lead to ‘significant risk or damage to the holders’. Based on NDPA’s guidance from 2021, the communication must be made within 2 working days.
  3. Any communications with the Supervisory Authority will be made with the National Data Protection Authority (NDPA).
  4. Xapo will make sure the reports and guiding materials of the National Council of Personal Data Protection and Privacy are valued and incorporated in our practices.
  5. Data subjects’ rights can be exercised in the same conditions as described in this Privacy Policy, unless different conditions are established by the national law protecting the data subject.
  6. In case of a conflict of laws, any legal derogation stemming from the national rules will be prioritised (e.g. timeframe for responding to a DSAR). At the same time, if the national law is silent with respect to certain aspects, the Privacy Policy herein is applicable.

SECTION 5 – INDONESIA

  1. With regards to the Indonesian activity, we essentially refer to:
    1. Law No. 11 of 2008 regarding Electronic Information and Transactions, as amended by Law No. 19 of 2016 ("Electronic Information Law")
    2. Government Regulation No. 71 of 2019 regarding the Implementation of Electronic Systems and Transactions ("GR 71")
    3. Minister of Communication and Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data ("MOCI Reg. 20")
  2. Relying on the MOCI Reg. 20, the following definitions are to be noted, stemming from Art. 1:
    1. Consent is referred to as ‘approval’ and means a ‘written statement either manual and/or electronic given by Personal Data Owners after obtaining complete explanation of the actions of Personal Data acquisition, collection, processing, analysis, retention, display, publication, transmission, and dissemination as well as confidentiality or non-confidentiality’.
    2. Personal Data Owner shall be understood as Data Subject.
    3. Electronic System Operator shall be understood as a Data Controller operating an Electronic System.
  3. According to MOCI Reg. 20, personal data stored in an electronic system will be governed by a data retention period of minimum 5 years, unless special regulations apply.
  4. The same regulation mandates that Xapo must notify data subjects about a data breach in writing, within 14 days after becoming aware of it (Art. 28, ch. V, MOCI Reg. 20). At the same time, complaints about data breaches and other security issues can be filed with the Minister in line with Art. 31 and within 30 business days of becoming aware of the incident.
  5. Under Indonesian Law, the rule for processing personal data is consent (Art. 26 of EITL).
  6. Data subjects’ rights can be exercised in the same conditions as described in this Privacy Policy, unless different conditions are established by the national law protecting the data subject.
  7. In case of a conflict of laws, any legal derogation stemming from the national rules will be prioritised (e.g. timeframe for responding to a DSAR). At the same time, if the national law is silent with respect to certain aspects, the Privacy Policy herein is applicable.
  8. Please note the above-mentioned clauses are temporary and will soon be adjusted to the new regulation. At the moment, the comprehensive data protection law (PDP Bill) is still not enforced.

SECTION 6 – ARGENTINA

  1. With regards to the activities carried out in Argentina, the following definitions apply, in line with the Law 25,326 - the Personal Data Protection Law (PDPL):
    1. Personal data means information of any type referred to individuals or legal entities, determined or which may be determined.
    2. Data dissociation should be understood as data anonymisation
    3. Data Owner is referred to as Data Subject
    4. Person responsible for a data file, register, bank or base is referred to as Data Controller
    5. Data User is referred to as Data Processor
  2. Under Argentinian law, sensitive data can be processed only relying on consent. However, any other personal data can also be processed based on legal obligation, contractual obligation or whenever we obtain that data from unrestricted public access sources.
  3. Please note that the PDPL also allows us to process your personal data without consent when limiting to your name, national identity document number, tax or social security identification, occupation, phone number, date of birth and domicile.
  4. For all Xapo customers that are protected by the PDPL, we will respect the following deadlines, upon receiving your request: for the right of access, within 10 calendar days, whilst for the right to rectification and erasure, within 5 business days.
  5. The Supervisory Authority you can refer to for exercising your rights under the PDPL is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).
  6. With respect to data transfers from Argentina, Xapo is allowed to carry out such processing operations to jurisdictions that are signatories of international treaties that Argentina is a party to or to any territories for the purpose of bank/stock exchange transfers. In this context, please note that both Gibraltar and Argentina are part of Convention 108 (Convention for the Protection of Individuals with Regard to the Processing of Personal Data), meaning that similar privacy standards are applicable.

SECTION 7 – MEXICO

  1. With regards to the activities carried out in Mexico, in line with the Federal Law on the Protection of Personal Data held by Private Parties (“The Law”):
    1. Data Owner is referred to as Data Subject
    2. Any reference to “Days” shall be interpreted as made to working days
  2. Please note that Mexico is one of the countries that still accepts tacit consent. Thus, under Article 8 of the Law, “It will be understood that the data owner tacitly consents to the processing of his data when, once the privacy notice has been made available to him, he does not express objection”. In addition to this, personal data can also be processed based on legal obligation, contractual obligation or whenever we obtain that data from unrestricted public access sources.
  3. However, whenever we need to process sensitive data from you, we will do so only under your consent, certified using authentication mechanisms such as electronic signature.
  4. For all Xapo customers that are protected by the Law, we will respond to your data subject request within 20 business days. Such requests are generally free of charge, except for the fees necessary to ship or copy/provide your data in other formats. However, in accordance with Art. 35 of the Law, if you repeat your request within a period of twelve months, we are legally allowed to charge this operation, but not exceeding three days of the General Current Minimum Wage in Mexico City, unless there are material changes to this notice that lead to new requests.
  5. With respect to data transfers from Mexico, Xapo is allowed to carry out such processing operations to jurisdictions that are signatories of international treaties Mexico is a party to. In this context, please note that both Gibraltar and Argentina are part of Convention 108 (Convention for the Protection of Individuals with Regard to the Processing of Personal Data), meaning that similar privacy standards are applicable. At the same time, such transfers are lawful whenever they are needed for the performance of a contract concluded in the interest or with the data subject.
  6. The Supervisory Authority you can refer to for exercising your rights under the Law is the National Institute for Transparency, Access to Information and Personal Data Protection.