Privacy Policy

 1. INTRODUCTION

 

This Personal Data Processing Policy ("Privacy Policy") governs the collection, processing, and protection of personal data and the use of cookies and similar tracking technologies on the Carpathian Chain sp. z o.o. website, including any affiliated subdomains and mobile versions (collectively, the "Platform").

 

By accessing or continuing to use the Platform, you acknowledge that you have read, understood, and agreed to the terms set forth in this Privacy Policy.

 

2. DATA CONTROLLER

 

The controller of your personal data is Carpathian Chain sp. z o.o., a limited liability company incorporated under the laws of Poland, with its registered office at ul. Piotrkowska 116/52, 90-006 Łódź, Poland, registered in the National Court Register (KRS) under number 0001141644, NIP: 7252350111, REGON: 540310366 (hereinafter, the "Company").

 

For any inquiries regarding personal data processing, you may contact us at: privacy@cryptonara.io

 

3. CATEGORIES OF PERSONAL DATA PROCESSED

 

A. Personal Data Processed in Connection with the Provision of Services

 

·       Categories of Data: Identifying information (name, surname, date of birth), contact details (email address, phone number), address, payment card details, cryptocurrency wallet information, and, where applicable, identity verification documents required for compliance with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.

 

·       Purpose: Execution and performance of contractual obligations, provision of customer support, enhancement of security, fraud prevention, and legal compliance.

 

·       Legal Basis: Processing is necessary for the performance of a contract to which the data subject is a party (Art. 6(1)(b) GDPR); Compliance with legal obligations, including AML/KYC regulations (Art. 6(1)(c) GDPR); Legitimate interests pursued by the Company, including fraud prevention, dispute resolution, and platform optimization (Art. 6(1)(f) GDPR).

 

B. Personal Data Processed for Marketing Purposes

 

·       Categories of Data: Name, surname, email address, and any personal data voluntarily provided in communications.

 

·       Purpose: Providing promotional information about the Company’s services, responding to inquiries, and offering personalized marketing communications.

 

·       Legal Basis: Legitimate interest in promoting the Company’s services (Art. 6(1)(f) GDPR); Consent for direct marketing communications, which may be withdrawn at any time (Art. 7(3) GDPR).

 

C. Additional Data Processing

 

The Company may process certain data in connection with social media communication addressed to you. In such cases the Company processes personal data provided by you through a social media platform for communication purposes. The legal basis is our legitimate interest in responding to your inquiries and in direct marketing of our Services.

 

The Company also collects certain data points which, depending on individual circumstances, may or may not be classified as personal data. These includes data points such as IP address, information on User’s activity on the Platform, e.g. the order in which the page is viewed or technical information about the device from which the User logs in, parameters of software and hardware used by the User, pages viewed, mobile device identification number, and other data on devices and use of systems. Such information does not usually allow for unique identification of the User. This kind of information allows us to keep statistics and adapt the Platform to the User's preferences, as well as to ensure security and to prevent fraud on the Platform. Insofar as such data may constitute personal data, the Company ensures adequacy of information and data minimization. The legal basis for such processing is our legitimate interest in improving operation of the Platform, as well as detecting and preventing fraud.

 

D. Data Collection From Third-Parties

 

In addition to data provided directly by users, the Company may collect personal data from publicly available sources, business partners, affiliates, and third-party service providers. This includes verification data from identity verification services, credit agencies, and compliance databases, which is used to fulfil regulatory obligations and fraud prevention purposes.

 

E. Special Categories of Data

 

The Company does not intentionally collect special categories of personal data, including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership. However, in exceptional cases where processing of such data is necessary, explicit user consent will be obtained, or processing will be conducted as permitted by law

 

4. DISCLOSURE OF PERSONAL DATA

 

The Company may share personal data with:

 

·       Data Processors: Third-party service providers engaged for data hosting, CRM solutions, analytics, advertising, and customer support, acting strictly under the Company’s instructions.

 

·       Regulatory and Law Enforcement Authorities: Where required under applicable legal obligations or pursuant to a valid court order or administrative request.

 

·       Affiliated Entities: Companies within the Carpathian Chain corporate structure where necessary for service provision, compliance, or legitimate business purposes.

 

Personal data is not sold or otherwise made available to third parties for independent commercial use.

 

5. THIRD-PARTY DATA PROCESSORS

 

To provide and optimize our services, the Company shares personal data with third-party service providers who process data on our behalf. These include:

 

·       Cloud Hosting Providers: Secure data storage and hosting solutions (e.g., AWS).

 

·       Payment Processors: Handling transactions and fraud prevention.

 

·       Identity Verification Services: Conducting KYC/AML checks for regulatory compliance.

 

·       Analytics & Performance Monitoring: User behaviour analysis and platform optimization.

 

·       Marketing & CRM Platforms: Sending communications and managing customer relationships. Marketing & CRM platforms are used to manage communications with users who have opted in to receive marketing updates.

 

All third-party processors operate under strict confidentiality agreements and are contractually required to implement appropriate security measures.

 

6. DATA TRANSFERS TO THIRD COUNTRIES

 

Personal data may be transferred outside the European Economic Area (EEA) and the United Kingdom in connection with cryptocurrency exchanges, custodial services, and fraud prevention mechanisms.

 

Transfers are conducted under one or more of the following safeguards:

 

·       An adequacy decision by the European Commission confirming an adequate level of data protection in the recipient country;

 

·       Standard Contractual Clauses (SCCs) approved by the European Commission; and

 

·       Binding Corporate Rules (BCRs) where applicable.

 

7.  DATA SECURITY MEASURES

 

The Company implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

 

·       Encryption: Sensitive data, such as financial information and authentication credentials, is encrypted both at rest and in transit.

 

·       Access Controls: Role-based access restrictions ensure that only authorized personnel can access personal data.

 

·       Security Audits: The Company conducts regular security audits, penetration testing, and vulnerability assessments.

 

·       Incident Response Plan: In the event of a data breach, the Company will promptly notify affected users and relevant supervisory authorities in accordance with GDPR Articles 33 and 34.

 

·       Data Minimization & Anonymization: Where possible, the Company limits the amount of personal data collected and use pseudonymization or anonymization techniques.

 

8. DATA RETENTION PERIOD

 

Personal data is retained only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, in accordance with the principle of data minimization (Article 5(1)(c) GDPR) and storage limitation (Article 5(1)(e) GDPR).

 

Retention periods for different categories of personal data are as follows:

 

·       Contractual Relationships: Personal data is retained for the duration of the contract and for up to five (5) years after termination to comply with legal and regulatory obligations, including record-keeping requirements.

 

·       AML/KYC Compliance: Personal data collected for anti-money laundering (AML) and know-your-customer (KYC) purposes is retained for five (5) years following the end of the business relationship or the last transaction, as required under applicable financial and anti-money laundering regulations.

 

·       Marketing Data: Personal data processed for marketing purposes is retained until consent is withdrawn or for a maximum period of five (5) years from the last interaction, unless a shorter period is required by law. Users can opt out of marketing communications at any time.

 

·       General Operational Data: Data that is no longer necessary for the stated purposes will be securely deleted, anonymized, or aggregated in accordance with GDPR requirements.

 

If a longer retention period is required by law or necessary to establish, exercise, or defend legal claims, data may be retained accordingly.

 

For more information on specific retention periods, users may contact privacy@cryptonara.io

 

9. DATA SUBJECT RIGHTS

 

You have the following rights under the General Data Protection Regulation (GDPR):

 

·       Right of access (Art. 15 GDPR);

·       Right to rectification (Art. 16 GDPR);

·       Right to erasure (‘right to be forgotten’) (Art. 17 GDPR);

·       Right to restrict processing (Art. 18 GDPR);

·       Right to data portability (Art. 20 GDPR);

·       Right to object to processing (Art. 21 GDPR);

·       Right to withdraw consent at any time (Art. 7(3) GDPR);

·       Right to lodge a complaint with the Polish Data Protection Authority or any other competent supervisory authority.

 

If you wish to exercise any of the rights listed in Section 9, you may do so by:

 

·       Submitting a written request to: privacy@cryptonara.io

·       Including the following details:

o   Your full name and contact details

o   A description of your request (e.g., data access, deletion, restriction)

o   Proof of identity (to prevent unauthorized access to your data)

 

The Company will respond within one month of receiving your request, as required by GDPR Article 12(3). If your request is complex or requires additional verification, the Company may extend this period by an additional two months, in which case you will be notified.

 

Generally, requests are processed free of charge. However, if requests are manifestly unfounded or excessive, the Company may charge a reasonable administrative fee.

 

10. AUTOMATED DECISION-MAKING & PROFILING

 

The Company does not engage in fully automated decision-making that produces legal effects or similarly significant consequences for individuals. However, the Company uses automated systems for fraud detection, transaction monitoring, and risk assessments, which are reviewed by human oversight. This includes:

 

·       Fraud Prevention & Security Monitoring: Algorithms analyze user behavior and transactions to detect suspicious activities.

 

·       AML/KYC Risk Scoring: Automated checks determine whether additional identity verification is required.

 

·       Marketing Personalization: User interactions may be analyzed to tailor advertising and promotional content.

 

Your Rights Regarding Automated Processing If you are subject to significant automated decisions, you have the right to:

 

·       Request human intervention to review the decision.

 

·       Express your point of view and contest the decision.

 

·       Obtain an explanation of how the decision was made.

 

To exercise these rights, please contact privacy@cryptonara.io

 

11. REQUIREMENT TO PROVIDE DATA

 

Provision of your personal data is necessary for:

 

·       the conclusion and performance of the agreement concluded with the Company, and the consequence of not providing your personal data will be the inability to conclude and perform the agreement concluded with the Company;

 

·       provision of platforms by the Company, and the consequence of not providing your personal data will be the lack of provision of Services;

 

·       processing of complaints, requests or appeals and the consequence of your failure to provide your personal data will be the inability to process the complaint, request or appeal; and

 

·       to receive offers or marketing of products offered or services provided by the Company, and the consequence of your failure to provide your personal data will be the inability to receive such offers or marketing of products or services.

 

12. ADDITIONAL INFORMATION

 

The Company reserves the right to make changes to the platform's privacy policy, which may be affected by developments in Internet technology, possible changes in data protection laws and the development of our platform. The Company will inform you of any changes in a visible and understandable manner.

 

Links to other websites may appear on the platform. Such websites operate independently of the platform and are not supervised by the Company in any way. These websites may have their own privacy policies and regulations, with which the Company recommends that you familiarize yourself.

 

13. CONTACT INFORMATION

 

For any questions regarding this Privacy Policy, please contact:

 

Carpathian Chain sp. z o.o.

ul. Piotrkowska 116/52

90-006 Łódź, Poland

 

Email: privacy@cryptonara.io