FIOR Digital Privacy Policy

General

FIOR Digital GmbH (hereinafter referred to as “FIOR Digital” or “we”) offers via the website www.21bitcoin.app and the mobile application (“Mobile App”) (hereinafter collectively referred to as “Website” or “Platform”) services and products related to the purchase and sale of Bitcoin. FIOR Digital GmbH, based at Rupertiwinkelstraße 19, 5020 Salzburg, Austria, entered in the commercial register of the Salzburg Regional Court under FN 556789h, is the provider of the platform and responsible for trading Bitcoin on it.

1. Applicability

Who does this privacy policy apply to?
‍‍
This Privacy Policy applies to all individuals who use the FIOR Digital services, the Website and the Mobile App or otherwise interact with FIOR Digital (e.g. business partners, prospects, service providers, etc.); in general, this person is hereinafter referred to as "customer" or "you".

2. Minors

Are minors allowed to use the services of FIOR Digital?
‍‍
No, FIOR Digital's products and services are not directed to persons under the age of 18. Only persons of legal age may use the services of FIOR Digital and register on the platform. Therefore, to the best of our knowledge, we do not collect any personal data from minors. So if you are under the age of 18, please do not use our platform and do not submit any personal data to us.

3. Responsible Body

Who is responsible for data processing and who can I contact?
‍‍
FIOR Digital is aware that the protection and careful handling of your personal data is very important. FIOR Digital uses the personal data you provide only in accordance with the applicable data protection laws of this data protection declaration and your consent.
If you have any questions related to the processing of your personal data and exercising your rights under the GDPR, please feel free to contact our data protection team: privacy@fior.digital. Please note that for certain inquiries we require further identification data from you (e.g. passport, identity card, etc.) to ensure that your personal data is only passed on to you.

4. Data Categories and Sources

Which of my personal data is processed and from which sources do this data come?
‍‍
We process the personal data that we receive from you as part of the business relationship and the use of our website. In addition, data from credit agencies, debtor registers, providers of business analyzes (e.g. CRIF GmbH, KSV 1870 Holding AG, Factiva Limited) and from publicly accessible sources (e.g. company register, register of associations, land register, media, sanctions lists) may be processed.
When using the services of FIOR Digital or otherwise interacting with FIOR Digital, the following of your personal data may be processed:

• Contact data: When creating a new user account or communicating with FIOR Digital, we can process e.g. name, address, telephone number, e-mail address, date of birth, photo for the account, etc
  
• Verification data: When an account is verified, which also depends on the verification level, e.g. screenshots of national identification documents such as passport, driver's license, ID card and the identification data from these documents, information for verifying residence, data on the status of politically exposed persons may be processed
  
• Financial data: Bank details (IBAN, BIC), payment service provider information, payment data, transaction ID, etc. can be processed as part of transactions made
  
• Log data: As part of activities on our website, e.g. IP address, computer or mobile device information, operating system, browser type, device type, unique device identification number, identification cookies (e.g. for the referral program), optional form data, third-party cookies, etc. are processed
  
• Mobile App Data: If you use the Mobile App, we may, for example, IP address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optional form data, crash reports (Datadog Inc.), link tracking (Branch Metrics Inc.) performance data process and only with your express consent data from: camera, microphone, storage, phone (SMS confirmation)
• Information and proof of the source of funds: Insofar as proof of the source of funds is required, we can, for example, process account statements or other documents issued by banks or financial institutions, purchase agreements or contracts in general or other suitable data to prove or determine the source of funds if the daily/monthly or general amount limits of FIOR Digital are exceeded or an upgrade to FIOR Digital Private "OTC Service" takes place. In order to determine the purpose of using the above services or the trading volume, additional information about current, past or planned business or personal activities of private customers or other data to determine the intentions of the customer may be processed by FIOR Digital or by the customer, if necessary at the request of FIOR Digital
  
• Support requests: If you contact our support, e.g. the personal data provided to the support team as part of the request may be processed
• Marketing data: If you visit our website or social media pages (such as the Twitter company page) or use the mobile app, statistical and marketing data such as: number of visitors, frequency, clicks, time, locations, target groups, data from cookies and similar technologies (pixels, clear GIFs, etc.), consumer behavior, interests and preferences, data on market research and target group surveys, etc. are processed; regarding social media see also point 9
  
• Photo, video and audio data: If we take part in events or trade fairs or organize such events ourselves or conduct interviews with people, we can take photographs and other recordings and process photo, video and audio data in the process. However, we will always inform you separately about such recordings
  
• Application data: If you apply for a job on our website or via LinkedIn, we may process the data necessary for the recruitment process, such as contact details, CV, qualifications, criminal record, credit report, national identification documents such as passport, driver's license and the Data from all these documents, links to your portfolio or social media platforms, etc.

5. Purposes and Legal Bases for Processing Data

For what purposes and on what legal basis is my personal data processed by FIOR Digital?
‍‍
All data processing at FIOR Digital takes place in accordance with the GDPR and the Austrian Data Protection Act (DSG). We always process your personal data on the basis of at least one of the legal bases listed below. If we ask you to provide additional personal data not listed above, you will be informed of the purpose and legal basis for the collection and processing of this data at the time of collection.

5.1 To fulfill Contractual Obligations (Art 6 Para 1 lit b GDPR)

The processing of personal data may be necessary to fulfill contractual or pre-contractual obligations towards you. The following data processing operations are, for example, covered by such a contractual obligation:

• General provision of our services, including all tasks required for the operation, performance and administration of FIOR Digital and the platform
  
• Account management (e.g. continuous updating of customer data)
  
• Fulfillment of your orders (e.g. payment processing, chargebacks, proof of purchase and sale)
  
• Execution of the "Referral Program"
• Customer service and support requests (e.g. contacting about complications, intercom)
• Authentication process when you register and verify an account on our website (verification of identity)
  
• Analysis and improvement of the quality and general user experience of our website (e.g. using performance tracking on our platform)
• Data security and IT security on our website and securing our network (e.g. protection against identity theft and against erroneous or suspicious access to our websites)
  
• Application process for new employees
  

5.2 To fulfill legal Obligations (Art 6 Para 1 lit c GDPR)

The processing of personal data may also be necessary to fulfill various legal obligations (e.g. FM-GwG, GewO 1994, etc.). For example, the following data processing operations are covered by such legal obligations:

• Contract management, bookkeeping and accounting
  
• Compliance and Risk Management
  
• Know-Your-Customer measures such as authentication process (verification of identity) and verification of the origin of funds
  
• Monitoring to combat fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing
• Information according to official orders in the context of financial criminal proceedings or for general criminal prosecution
• Consultation of credit institutions to determine credit and default risks, etc.
  

5.3 To protect legitimate Interests (Art 6 Para 1 lit f GDPR)

If necessary, data can be processed beyond the fulfillment of a contract to protect the legitimate interests of FIOR Digital or a third party. The following data processing operations are, for example, covered by such a legitimate interest:

• Prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing
  
• Risk management and risk minimization e.g. by making inquiries with credit agencies, debtor registers or providers of business analysis
  
• Identification and verification of potentially erroneous or suspicious business transactions and access to our websites
  
• Maintaining accounts and processing general customer inquiries
• Measures to protect our customers and partners and to secure the network and information; as well as measures to protect our employees and the property of FIOR Digital, e.g. video surveillance (deletion cycle 72 hours) as well as measures by external data centers and service providers
• Processing inquiries from authorities, lawyers, collection agencies in the context of legal prosecution and enforcing legal claims in court proceedings
  
• Market research and further development of services and products
  
• Processing of statistical data, performance data and general market research data via the website, the mobile app or social media platforms (e.g. Twitter, Facebook, Instagram, LinkedIn, YouTube, etc.)
  
• Processing of customer settings (e.g. language, region) using cookies on our website
  
• Direct marketing and advertising (e.g. implementation of marketing strategies, addressing customers, sending vouchers and advertising from FIOR Digital and its partner companies)
  
• Use of audio, video and photo data from public spaces (e.g. public events, trade fairs, etc.) for marketing and other representation purposes on our social media channels or our website
  
• Analyzing the performance of the referral program
  

5.4 Based on Consent (Art 6 Para 1 lit a GDPR)

If you have given us your consent to the processing of your personal data, the processing will only take place for the purposes specified in the declaration of consent and to the extent agreed therein. A given consent can be revoked at any time without giving reasons and with effect for the future if you no longer agree to the processing. For example, with your consent, we process data for the following purposes:

• to use all functions of the mobile app (e.g. phone authorization to read SMS confirmations, camera to scan QR codes, etc.)
  
• Direct marketing and advertising (e.g. customer satisfaction surveys, newsletters, sweepstakes and other promotional communications, etc.)
  
• Analysis and tracking on our website for advertising purposes
  
• Certain uses of audio, video and photo data (e.g. commercials, interviews, etc.) for marketing and other representational purposes via different channels
• Automated authentication process when you verify yourself via the Onfido Limited service (“Onfido”) (verification of identity)
• Application management system, recruitment process and processing of your application (e.g. voluntary storage of applicant data for 2 years, data transfer from your social media account when using the "Apply with LinkedIn" tool, see also point 9)
  

6. Special Categories of Personal Data

Does FIOR Digital process special categories of personal data?
‍‍
No, FIOR Digital does not process any special categories of personal data from customers. This includes data revealing racial and ethnic origin, political opinions, religious or ideological beliefs or trade union membership, as well as genetic and biometric data (Article 9 (1) GDPR).

7. Recipients of Personal Data

Who receives my personal data?
‍‍
The protection and confidentiality of your personal data is very important to FIOR Digital. For this reason, we only transfer your personal data to the extent described below or as part of an instruction at the time your data was collected. We will neither sell your personal data nor pass it on to third parties in any other way.

7.1 Data transmission to Service Providers

To a limited extent, we also transfer personal data to processors who provide services for us, such as authentication services (e.g. Onfido Limited), IT services (Amazon Web Services Inc.), customer support (Intercom Inc.), improving our website (Google Analytics), financial services (Volksbank Raiffeisenbank Bayern Mitte eG) and sending newsletters (e.g. Twilio Inc.). Processors may only use or pass on this data to the extent necessary to provide services for FIOR Digital or to comply with legal regulations. We contractually oblige such processors to ensure the confidentiality and security of your personal data that they process on our behalf.

7.2 Data Transmission to Public Bodies and Institutions

Your personal information may be (I) if we are required to do so by law or legal process, (II) if we believe disclosure is necessary to prevent harm or financial loss, or (III) if it is in connection with a investigation of suspected or actual fraudulent or illegal activity, be communicated to any public body or institution.

7.3 Transfer of Data to Third Parties

Joint controllership: Where FIOR Digital acts as joint controller with other parties, we may provide those third parties with personal data, the processing always being based on at least one of the legal bases set out in point 7 above. In addition, in the case of joint responsibility, we only transfer your personal data on the basis of a sufficient agreement with the other persons responsible (Art 26 DSGVO).
Other third parties: FIOR Digital can process your personal data with your consent for disclosure or for the purpose of fulfilling the contract or at the request of the customers to other third parties before the conclusion of the contract.

8. International Data Transfer

Will my data be transferred to third countries or to international organizations?
‍
Your personal data may be accessed, transferred to and/or stored by employees or service providers outside of the country in which you are currently located and the data protection laws of such countries may be of a lower standard than those in Europe Union. Nevertheless, under all circumstances, FIOR Digital will protect personal data in accordance with this privacy statement.
If personal data is processed in a third country (outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in connection with the use of third-party services or the disclosure and/or transmission of personal data to third parties, this only takes place , insofar as this is necessary to fulfill our (pre-)contractual obligations or on the basis of consent or a legal obligation or to protect legitimate interests. Subject to legal or contractual approvals, we only process personal data in a third country if the conditions of Art 44 ff GDPR are met. This means, for example, that the processing and transmission takes place on the basis of special protective measures, such as compliance with a code of conduct or a certification mechanism together with the binding and implementable obligation of the recipient in the third country to comply with the corresponding protective measures for data protection and officially recognized ones to comply with special contractual obligations of the European Commission (so-called "standard contractual clauses").
If you require further information regarding international data transfers or if you would like a copy of the specific safeguards applicable to the export of your personal data, please feel free to contact privacy@fior.digital.

9. Social Media

Will my data be processed on social media platforms and who is responsible in such cases?
‍
FIOR Digital is present on various social media platforms (see below) to communicate with active customers, potential customers and interested social media users about FIOR Digital's services, products and other news. If you use such social media platforms, the general terms and conditions and the data protection guidelines of the platform operators also apply. We would like to point out that user data can also be processed outside the European Union. Due to different legal frameworks, there are certain risks for the users of these platforms (e.g. enforcing the rights of the data subjects may be more difficult).
As part of the technical process of various social media platforms (e.g. Google, Facebook, Twitter, etc.), they can record your behavior in the background, for example if you click on content or visit websites while you are still logged into your social media account. Such information is collected by social media platforms and associated with your social media accounts, regardless of whether you click on content on that platform or not. By logging out of your account, you can prevent these companies from linking the information they collect to your accounts. The activities of such social media platforms cannot be controlled by FIOR Digital and therefore we do not accept any liability for damage that you incur as a result of the use of your data by social media platforms.
Controller: FIOR Digital can only process personal data of social media users if users communicate directly with FIOR Digital via such platforms (e.g. number of visitors, articles posted, likes, direct messages, customer inquiries, comments, etc.). In such cases, FIOR Digital is then also responsible for the processing of the personal data collected. In addition to such data processing by us, the operators of social media platforms in particular also process personal data of users. We have no influence on this data processing and we are therefore not responsible for it - such data processing is therefore exclusively the responsibility of the social media platforms.
For a detailed explanation of the respective data processing and the possibilities of objection (opt-out) of social media platforms, we refer to the respective data protection declaration of the operator (see below). Requests for information and other data subject rights in connection with social media platforms must be asserted with the respective operator. Because only the operators have access to the personal data of their users and can therefore take the necessary measures and provide information.
‍
Our social media pages and channels and the links to the respective data protection declarations:

Application via the LinkedIn button: If you use the opportunity to apply using the social media sign-in button "Apply with LinkedIn" from the social network LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA), you allow FIOR Digital limited access to your LinkedIn profile. After clicking the "Apply with LinkedIn" button, you will be redirected to LinkedIn to enter your LinkedIn access data. Then you can select the data you want to share with FIOR Digital. Only the data you have selected will be transferred to FIOR Digital. FIOR Digital does not receive any information about your login or access data on LinkedIn. You can find more information in LinkedIn's Privacy Policy.

10. Newsletter

On what legal basis will electronic messages be sent to me and how can I unsubscribe?
‍
In our e-mail newsletter (e.g. weekly update) we inform you about the services and products of FIOR Digital. If you would like to receive our newsletter, you must register with your email address. Newsletters and other electronic notifications will only be sent by us with your express consent if you subscribe to the newsletter directly (double opt-in) or when registering for a FIOR Digital account or alternatively if there is another legal basis for this (e.g. § 107 para. 3 TKG). With the double opt-in procedure, we check whether you are also the owner of the email address provided or whether the owner agrees to receive electronic notifications. This procedure serves as evidence in cases in which a third party misuses an e-mail address by registering to receive the newsletter without the knowledge of the person actually entitled.
The infrastructure of the service Twilio, Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA is used to send our e-mail newsletter. You can find more information about Sendgrid in the Sendgrid data protection declaration.
‍You can unsubscribe from our newsletter at any time, e.g. by withdrawing your consent. You will find a link to unsubscribe at the end of each newsletter. Please note, however, that if you simply unsubscribe, we will continue to process your personal data until you revoke your consent to the storage of the data, so that we can prove the previously given consent to receive newsletters. Such processing is limited to the purpose of a possible defense against claims, and you have the right to request the deletion of your personal data.

11. Retention and Deletion Periods

How long will my personal data be processed (stored) and when will it be deleted?
‍
If necessary, we store your personal data for the duration of the entire business relationship (from initiation to fulfillment to the termination of a contract) and generally for 1 year after the end of the business relationship. In addition, we only store your data for a longer period of time, within the framework of the statutory storage and documentation obligations, to defend against legal claims or with your express consent.
The retention periods for data result from the statutory retention periods or limitation periods. According to the Business Code (UGB) and the Federal Fiscal Code (BAO), this is 7 years, according to the Financial Market Money Laundering Act (FM-GWG) 10 years, according to the Equal Treatment Act (GIBG) half a year and in certain cases between 3 and 30 years according to the ABGB e.g. if data is required as evidence for legal disputes or as long as there are other legitimate interests in the storage.
Unless expressly stated otherwise in this data protection declaration, the personal data processed by us will be deleted as soon as they are no longer required for their processing purpose and the deletion does not conflict with any other statutory storage obligations.

12. Data Subject Rights

What rights and options do I have regarding my data under the GDPR?
‍‍
Right to information:
You have the option of requesting confirmation as to whether we are processing your personal data. If we are processing personal data about you, you have the right to receive information from us about the personal data we hold about you and a copy of the data being processed, within a reasonable period of time.

Right to rectification:
You have the right to have inaccurate personal data rectified to request data concerning you. With regard to the purposes of the processing, you also have the right to have incomplete personal data completed, also by means of a supplementary statement from you.

Right to erasure: You have the right to request the erasure of personal data concerning you from FIOR Digital if one of the following reasons applies and no further processing of this data is required:‍

• the personal data are no longer necessary for the purposes for which they were collected
  
• you have withdrawn your consent on which the processing is based and there is no other legal basis or overriding legitimate interest in the processing
  
• the personal data have been processed unlawfully; or
  
• the erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject

The corresponding reason must be stated in the requests for the deletion of personal data (Article 17 (1) GDPR).
‍
Right to restriction of processing:
You have the right to request that we restrict processing if one of the following conditions is met

• you dispute the accuracy of the personal data (the restriction is made for a period of time that allows FIOR Digital to verify the accuracy of the data)
  
• the processing of your data was unlawful, and you reject the deletion of the data and instead request the restriction of its processing
  
• FIOR Digital no longer needs your personal data for the purposes of processing, but you still need it to assert, exercise or defend legal claims; or
  
• you have objected to the processing of your personal data, and it has not yet been determined whether the legitimate reasons of FIOR Digital outweigh yours

Right to data portability:
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You can also request that we pass on this data directly to a person responsible named by you, insofar as this is technically possible and the rights and freedoms of others are not affected. The right to data portability can only be exercised if the basis of the processing is either your consent or a (pre-)contractual necessity and the processing is automated. The right to data portability does not apply to processing that is necessary for the performance of tasks that are in the public interest or in the exercise of official authority that has been transferred to the person responsible.

Right of objection:
You have the right to object to the processing of your personal data at any time to object if this is based on our legitimate interests. If you have objected to processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or if the processing is necessary for the establishment, exercise or defense of legal claims serves. The objection does not affect the lawfulness of the processing of your personal data based on legitimate interests that occurred before your objection.

Contact:
To exercise any of the above rights, you can send an email to privacy@fior.digital. Please note that for such requests we require further identification data from you (e.g. passport, identity card, etc.) to ensure that your personal data is only passed on to you.

13. Objection to Advertising

How can I object to the processing of my data for advertising purposes?
‍
You can also object to any use of your personal data for advertising purposes. If you would like to fundamentally object to the processing of your data for advertising purposes, please contact us by email at privacy@fior.digital. The objection does not affect the lawfulness of the processing of your personal data based on legitimate interests that occurred before your objection.
Please note, however, that such an objection is only made to FIOR Digital and, even after such an objection, you may still receive advertising about FIOR Digital from other providers on other websites over which we have no influence.

14. Automated Decisions

Does FIOR Digital use my personal data for automated decision-making including profiling?
‍
FIOR Digital does not use personal data for automated decision-making processes including profiling within the meaning of Art 22 DSGVO.

15. Processing for Other Purposes

Will my personal data be processed for purposes other than those for which it was collected?
‍
Basically, at FIOR Digital we only process personal data for the purposes for which it was collected. In exceptional cases, however, we can process your personal data collected for a specific purpose for another purpose. In such a case, we will inform you before the intended processing of the new purpose, the duration of storage, the exercise of the rights of the data subject, the possibility of withdrawing consent, the existence of the right to lodge a complaint with the data protection authority and whether the provision of the data is necessary for legal or contractual reasons and the consequences of not providing the data and whether automated decision-making or profiling is used in the process.

16. Regulatory Authority

Which supervisory authority can I lodge a complaint with?
‍
You have the right to lodge a complaint with the competent supervisory authority if you believe that your rights under the GDPR have been violated. In Austria, this is the data protection authority.

17. Consent

How do I give my consent and how can I revoke my consent?
‍
By ticking the appropriate box during the registration process or in the event of an update after logging into your FIOR Digital account, you expressly confirm that you have read the privacy policy and that you consent to the processing of your personal data as described there.
By ticking the respective separate box for news and updates by email (newsletter), you expressly agree that you wish to receive electronic messages as described under point 10.
You have the right to revoke your consent at any time by contacting FIOR Digital GmbH or by sending an email to privacy@fior.digital. Please note that if you withdraw your consent, we will no longer be able to offer you all of our services and products. The revocation of your consent does not affect the lawfulness of the processing of your personal data based on consent before your revocation.

18. Data Security

How is my personal data protected?
‍
The security of data is very important to us, and we are committed to protecting the data we collect. We have extensive administrative, technical and physical measures in place to protect your personal information from accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure, or use. These measures correspond to the highest international safety standards and are regularly checked for their effectiveness and suitability for achieving the desired safety goals.
For example, we have implemented the following technical and organizational measures:

• SSL encryption of our websites from which we send personal data
  
• Ensuring the confidentiality, integrity, availability, and resilience of our systems and services
  
• Use of encrypted systems
  
• Measures to quickly restore the availability of personal data in the event of a physical or technical incident
• Measures in the area of privacy by design and default on our platform such as prevention of user enumeration, also "user enumeration"
• Introduction of procedures for regular review, evaluation, and evaluation of the effectiveness of technical and organizational measures to ensure the security of data processing, such as the "bug bounty" program
• Internal IT security guidelines and IT security training
• Incident Management

19. Updates of this Privacy Policy

How do I find out about changes to this privacy policy?
‍
FIOR Digital is committed to keeping the principles of data protection up to date. For this reason, we regularly review and update our privacy policy. This ensures that it is displayed correctly and clearly on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business developments), is implemented in accordance with applicable law and therefore meets data protection requirements . We will update this Privacy Policy from time to time as necessary to reflect current circumstances. If we make material changes to this Privacy Policy, we will notify you after logging into your FIOR Digital account, providing you with the updated version of the Privacy Policy. If required by applicable law, FIOR Digital will obtain your express consent to make material changes.

20. Contact

How can you contact us?
‍
If you have any further questions about this privacy policy or the processing of your personal data, please contact our data protection team: privacy@fior.digital