Privacy statement

General

FIOR Digital GmbH (hereinafter referred to as”FIOR Digital“or”we“referred to) offers via the website www.21bitcoin.app and the mobile application (”mobile app“) (hereinafter together as”webpage“or”platform“means) services and products related to buying and selling Bitcoin.
FIOR Digital GmbH, based in Rottweg 66, 5020 Salzburg, Austria, registered in the commercial register of the Salzburg Regional Court under FN 556789h is the provider of the platform and is responsible for trading Bitcoin on it.

1. Applicability

Who does this privacy statement apply to?
‍
This privacy policy applies to all persons who use FIOR Digital's services, the website and the mobile app or otherwise interact with FIOR Digital (e.g. business partners, prospects, service providers, etc.); in general, this person is referred to as “customer” or “you” below.

2. Minors

Are minors allowed to use FIOR Digital services?
‍
No, FIOR Digital's products and services are not aimed at people under 18 years of age. Only persons of legal age may use FIOR Digital services and register on the platform. Therefore, to the best of our knowledge, we do not collect any personal data from minors. So if you are under 18 years of age, please do not use our platform and do not submit any personal data to us.

3. Responsible person

Who is responsible for data processing and who can I contact?
‍
FIOR Digital is aware that the protection and careful handling of your personal data is very important. FIOR Digital uses the personal data you provide exclusively in accordance with the applicable data protection laws in this privacy policy and with your consent.
If you have any questions regarding the processing of your personal data and the exercise of your rights under the GDPR, you are welcome to contact our data protection team: privacy@fior.digital. Please note that for certain inquiries, we need further identification information from you (e.g. passport, identity card, etc.) to ensure that your personal information is only shared with you.

4. Data categories and sources

Which of my personal data is processed and from which sources does this data come?
‍
We process the personal data that we receive from you as part of the business relationship and use of our website. In addition, data from credit agencies, debtor registers, providers of business analyses and publicly available sources (e.g. commercial register, register of associations, land register, media, sanction lists) can be processed.
When using FIOR Digital services or otherwise interacting with FIOR Digital, the following of your personal data may be processed:

• contact details: When creating a new user account or communicating with FIOR Digital, we can process, for example, name, address, telephone number, email address, date of birth, photo for the account, etc.
  
• Verification data: When an account is verified, although this also depends on the level of verification, screenshots of national identity documents such as passport, driver's license, identity card and the identification data from these documents, information on the verification of residence, data on the status of politically exposed persons can be processed
  
• financials: Bank details (IBAN, BIC), payment service provider information, payment data, transaction ID, etc. can be processed as part of transactions made
  
• log data: As part of activities on our website, for example, IP address, computer or mobile device information, operating system, browser type, device type, unique device identification number, identification cookies (e.g. for the referral program), optional form data, third-party cookies, etc. may be processed.
  
• Mobile app data: When you use the mobile app, we can process, for example, IP address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optional form data, crash reports (Datadog Inc.), link tracking (Branch Metrics Inc.), performance data and only with your express consent, data from: camera, microphone, memory, telephone (SMS) confirmation)
• Information and proof of source of funds: If proof of the source of funds is required, we can process, for example, account statements or other evidence prepared by banks or financial institutions, purchase contracts or contracts in general or other suitable data to prove or determine the source of funds if the day/monthly or general amount limits of FIOR Digital are exceeded or if an upgrade to FIOR Digital Private “OTC Service” takes place. To determine the purpose of using the above services or the volume of trade, additional information about current, past or planned business or personal activities of private customers or other data to determine the client's intentions may be processed at the request of FIOR Digital or by the customer
  
• Support inquiries: When you contact our support, for example, the personal data provided to the support team as part of the request may be processed
• marketing data: When you visit our website or social media sites (such as the Twitter company page) or use the mobile app, statistical and marketing data such as: number of visitors, frequency, clicks, time, locations, target groups, data from cookies and similar technologies (pixels, clear GIFs, etc.), consumer behavior, interests and preferences, data about market research and target group surveys, etc. can be processed; with regard to social media, see also point 9
  
• Photo, video and audio data: When we participate in events or trade fairs or organize such events ourselves or conduct interviews with people, we can take photographs and other recordings of them and process photo, video and audio data. However, we will always inform you separately about such recordings
  
• Application data: If you apply for a job on our website or via LinkedIn, we can process the data necessary for the hiring process, such as contact details, curriculum vitae, qualifications, police clearance, credit report, national identification documents such as passport, driver's license and the data from all of these documents, links to your portfolio or social media platforms, etc.

5. Purposes and legal bases for processing data

For what purposes and on which legal basis is my personal data processed by FIOR Digital?
‍
All data processing at FIOR Digital is carried out in accordance with the GDPR and the Austrian Data Protection Act (DSG). We always process your personal data on the basis of at least one of the legal bases set out below. If we ask you to provide further personal data not listed above, you will be notified of the purpose and legal basis for collecting and processing this data at the time of collection.

5.1 To fulfill contractual obligations (Article 6 (1) (b) GDPR)

The processing of personal data may be necessary to fulfill contractual or pre-contractual obligations towards you. The following data processing processes are, for example, covered by such a contractual obligation:

• Overall delivery of our services, including all tasks required to operate, deliver and manage FIOR Digital and the platform
  
• account management (e.g. continuous updating of customer data)
  
• Fulfilling your orders (e.g. payment processing, chargebacks, proof of purchase and sale)
  
• Implementation of the “referral program”
• Customer service and support inquiries (e.g. contact due to complications, intercom)
• Authentication process when you register and verify an account on our website (identity verification)
  
• Analyzing and improving the quality and general user experience of our website (e.g. using performance tracking on our platform)
• Data security and IT security on our website and security of our network (e.g. protection against identity theft and against incorrect or suspicious access to our websites)
  
• Application process for new employees
  

5.2 To comply with legal obligations (Article 6 (1) (c) GDPR)

The processing of personal data may also be necessary to fulfill various legal obligations (e.g. FM-GwG, GewO 1994, etc.). The following data processing processes are, for example, covered by such legal obligations:

• Contract management, bookkeeping and invoicing
  
• Compliance and risk management
  
• Know-your-customer measures such as authentication process (identity verification) and verification of the source of funds
  
• Monitoring to combat fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing
• Information as required by an official order as part of financial criminal proceedings or for general prosecution
• Consultation of credit institutions to identify credit and default risks, etc.
  

5.3 To protect legitimate interests (Article 6 (1) (f) GDPR)

If necessary, data may be processed by FIOR Digital or a third party in addition to fulfilling a contract to protect the legitimate interests of FIOR Digital. The following data processing operations are, for example, affected by such a legitimate interest:

• prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing
  
• Risk management and risk minimization, e.g. through inquiries to credit agencies, debtor registers or providers of business analyses
  
• Identifying and verifying potentially erroneous or suspicious business cases and accesses to our websites
  
• Account management and processing of general customer inquiries
• Measures to protect our customers and partners and to secure the network and information; including measures to protect our employees and FIOR Digital property, e.g. video surveillance (72 hour deletion cycle) and measures taken by external data centers and service providers
• Handling inquiries from authorities, lawyers, collection agencies as part of legal prosecution and enforcement of legal claims in the context of court proceedings
  
• Market research and development of services and products
  
• Processing of statistical data, performance data and general market research data via the website, mobile app or social media platforms (e.g. Twitter, Facebook, Instagram, LinkedIn, YouTube, etc.)
  
• Processing customer preferences (e.g. language, region) using cookies on our website
  
• Direct marketing and advertising (e.g. implementation of marketing strategies, customer contact, sending vouchers and advertising from FIOR Digital and its partner companies)
  
• Use of audio, video and photo data from public spaces (e.g. public events, trade fairs, etc.) for marketing and other representation purposes on our social media channels or website
  
• Review of referral program performance
  

5.4 Based on consent (Article 6 (1) (a) GDPR)

If you have given us your consent to process your personal data, the processing will only take place for the purposes set out in the declaration of consent and to the extent agreed therein. Any consent you have given can be withdrawn at any time without giving reasons and with effect for the future if you no longer agree to the processing. For example, with your consent, we process data for the following purposes:

• for using all functions of the mobile app (e.g. telephone permission to read SMS confirmations, camera to scan QR codes, etc.)
  
• Direct marketing and advertising (e.g. customer satisfaction surveys, newsletters, competitions and other promotional communications, etc.)
  
• Analysis and tracking on our website for advertising purposes
  
• Certain uses of audio, video and photo data (e.g. advertising films, interviews, etc.) for marketing and other representation purposes via various channels
• Automated authentication process when you verify yourself via Onfido Limited's service (“Onfido”) (identity verification)
• Application management system, recruitment process and processing of your application (e.g. voluntary storage of applicant data for 2 years, data transfer from your social media account when using the “Apply with LinkedIn” tool, see also point 9)
  

6. Special categories of personal data

Does FIOR Digital process special categories of personal data?
‍
No, FIOR Digital does not process any special categories of personal data from customers. This includes data that reveal racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, as well as genetic and biometric data (Article 9 (1) GDPR).

7. Recipients of personal data

Who receives my personal data?
‍
The protection and confidentiality of your personal data is very important to FIOR Digital. For this reason, we only transfer your personal data to the extent described below or as part of an instruction at the time your data is collected. We neither sell nor otherwise share your personal data with third parties.

7.1 Data transfer to service providers

To a limited extent, we also transfer personal data to contract processors who provide services for us, such as authentication services (e.g. Onfido Limited), IT services (Amazon Web Services Inc.), customer support (Intercom Inc.), financial services (Volksbank Raiffeisenbank Bayern Mitte eG) and sending newsletters (e.g. Twilio Inc.). Contract processors may only use or share this data to the extent necessary to provide services for FIOR Digital or to comply with legal requirements. We contractually oblige such processors to ensure the confidentiality and security of your personal data that they process on our behalf.

7.2 Data transfer to public institutions and institutions

Your personal information may be transferred to public bodies or institutions (I) if we are required to do so by law or as part of legal proceedings, (II) if we believe that disclosure is necessary to prevent damage or financial loss, or (III) if it is related to an investigation of suspected or actual fraudulent or illegal activity.

7.3 Data transfer to third parties

Joint responsibility: If FIOR Digital acts as a joint controller together with other parties, we may provide these third parties with personal data, and the processing is always based on at least one of the legal bases set out in point 7 above. In addition, in the case of joint responsibility, we only transfer your personal data on the basis of a sufficient agreement with the other responsible parties (Art 26 GDPR).
Other third parties: FIOR Digital may transfer your personal data to other third parties with your consent for disclosure or for the purpose of fulfilling the contract or at the request of the customer even before the contract is concluded.

8. International data transfer

Will my data be transferred to third countries or international organizations?

Your personal information may be viewed, transferred to, and/or stored by employees or service providers outside the country in which you are currently located, and the data protection laws of such countries may be of a lower standard than those in the European Union. However, FIOR Digital will protect personal data in accordance with this privacy policy under all circumstances.
If personal data is processed in a third country (outside the European Union (EU) or the European Economic Area (EEA)) or is this done in connection with the use of third-party services or the disclosure and/or transfer of personal data to third parties, this is only done to the extent necessary to fulfill our (pre-) contractual obligations or on the basis of consent or a legal obligation or to protect legitimate interests. Subject to legal or contractual approvals, we only process personal data in a third country if the conditions of Art 44 ff GDPR are met. This means, for example, that the processing and transfer is carried out on the basis of special protective measures, such as in compliance with a code of conduct or a certification mechanism together with the binding and implementing obligation of the recipient in the third country to comply with the appropriate data protection measures and to comply with officially recognized special contractual obligations of the European Commission (so-called “standard contractual clauses”).
If you need more information regarding international data transfers, or if you would like a copy of the specific security measures for exporting your personal data, feel free to contact privacy@fior.digital.

9. Social media

Is my data processed on social media platforms and who is responsible in such cases?

Is my data processed on social media platforms and who is responsible in such cases?
FIOR Digital is present on various social media platforms (see below) to communicate with active customers, potential customers and interested social media users about FIOR Digital's services, products and other news. If you use such social media platforms, the general terms and conditions and the privacy policies of the platform operators also apply. We would like to point out that user data may also be processed outside the European Union. Due to different legal frameworks, this poses certain risks for users of these platforms (e.g. enforcement of the rights of data subjects may be difficult).
As part of the technical process of various social media platforms (e.g. Google, Facebook, Twitter, etc.), they can record your behavior in the background, for example when you click on content or visit websites and you are still logged into your social media account at the same time. Such information is collected by social media platforms and associated with your social media accounts, regardless of whether you click on content from that platform or not. By logging out of your account, you can prevent these companies from linking the collected information to your accounts. The activities of such social media platforms cannot be controlled by FIOR Digital and therefore we do not accept any liability for any damage that you may incur as a result of the use of your data by social media platforms.
Responsible person: FIOR Digital can only process personal data from social media users if users communicate directly with FIOR Digital via such platforms (e.g. number of visitors, posted articles, likes, direct messages, customer inquiries, comments, etc.). In such cases, FIOR Digital is then also responsible for processing the personal data collected in the process. In addition to such data processing by us, the operators of social media platforms in particular also process users' personal data. We have no influence on this data processing and we are therefore not responsible for it — such data processing is therefore carried out exclusively within the area of responsibility of social media platforms.
For a detailed explanation of the respective data processing and objection options (opt-out) of social media platforms, we refer to the respective privacy policy of the operators (see below). Requests for information and other data subject rights in connection with social media platforms must be asserted with the respective operator. This is because only operators have access to their users' personal data and can therefore take the necessary measures and provide information.

Our social media pages and channels as well as the links to the respective privacy statements:‍

Application via the LinkedIn button: If you use the option to apply with the social media sign-in button “Apply with LinkedIn” from the social network LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA), you allow FIOR Digital limited access to your LinkedIn profile. After clicking on the “Apply with LinkedIn” button, you will be redirected to LinkedIn to enter your LinkedIn login details. You can then select the data that you want to share with FIOR Digital. Only the data you have selected will be transferred to FIOR Digital. FIOR Digital does not receive any information about your login or login details on LinkedIn. You can also find more information in the Privacy statement from LinkedIn.

10. Newsletter

What is the legal basis for sending me electronic messages and how can I unsubscribe?

In our email newsletter (e.g. weekly update), we inform you about FIOR Digital's services and products. If you want to receive our newsletter, you must sign up with your email address. Newsletters and other electronic notifications are only sent by us with your express consent if you subscribe to the newsletter directly (double opt-in) or when registering for a FIOR digital account or, alternatively, if there is another legal basis for this (e.g. Section 107 (3) TKG). In the double opt-in process, we check whether you are also the owner of the email address provided or whether its owner agrees to receive electronic notifications. This procedure serves as proof of cases in which a third party misuses an e-mail address by registering to receive the newsletter without the actual knowledge of the person entitled to receive the newsletter.
The infrastructure of the Twilio, Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, USA service is used to send our e-mail newsletter. For more information about Sendgrid, visit the Privacy statement by Sendgrid.
You can unsubscribe from our newsletter at any time, e.g. by withdrawing your consent. You'll find a link to unsubscribe at the end of every newsletter. Please note, however, that if you simply unsubscribe, we will continue to process your personal data until you withdraw your consent to store the data so that we can prove that you have previously given consent to receive newsletters. Such processing is limited to the purpose of possible defense against claims and you have the right to request the deletion of your personal data.‍

11. Retention and deletion periods

How long will my personal data be processed (stored) and when will it be deleted?

If necessary, we store your personal data for the duration of the entire business relationship (from initiation to performance to termination of a contract) and in principle for 1 year after the end of the business relationship. In addition, we only store your data for a longer period of time, as part of legal storage and documentation obligations, to defend against legal claims or with your express consent.
The storage periods for data result from the legal storage periods or limitation periods. According to the Companies Code (UGB) and the Federal Tax Code (BAO), this is 7 years, according to the Financial Market Money Laundering Act (FM-GWG) 10 years, under the Equal Treatment Act (GIBG) half a year and in certain cases between 3 and 30 years according to ABGB, e.g. when data is required as evidence of legal disputes or as long as there are other legitimate interests in storage.
Unless otherwise expressly stated in this privacy policy, the personal data processed by us will be deleted as soon as it is no longer required for its processing purpose and the deletion does not conflict with any other legal storage requirements.‍

12. Rights of data subjects

What rights and options do I have regarding my data under the GDPR?

Right to information:
You have the option to request confirmation as to whether we process your personal data. If we process personal data about you, you have the right, within a reasonable period of time, to receive information from us about the personal data we have stored about you and to receive a copy of the processed data.

Right to rectification:
You have the right to request that incorrect personal data concerning you be corrected. With regard to the purposes of processing, you also have the right to have incomplete personal data completed, including through a supplementary statement from you.

Right to delete:
You have the right to request that FIOR Digital delete your personal data if one of the following reasons applies and no further processing of this data is necessary:‍

• the personal data is no longer required for the purposes for which it was collected
  
• You have withdrawn your consent on which the processing is based and there is no other legal basis or overriding legitimate interest in the processing
  
• the personal data was processed unlawfully; or
  
• The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member State to which the person responsible is subject

Requests for deletion of personal data must state the corresponding reason (Article 17 (1) GDPR).

Right to restrict processing:
You have the right to ask us to restrict processing if one of the following conditions is met

• You dispute the accuracy of the personal data (the restriction is for a period of time that enables FIOR Digital to verify the accuracy of the data)
  
• The processing of your data was unlawful and you object to the deletion of the data and instead request that their processing be restricted
  
• FIOR Digital no longer needs your personal data for processing purposes, but you still need them to assert, exercise or defend legal claims; or
  
• You have objected to the processing of your personal data and it has not yet been determined whether FIOR Digital's legitimate reasons outweigh yours

Right to data portability:
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You can also request that we transfer this data directly to a person responsible named by you, insofar as this is technically possible and the rights and freedoms of others are not affected. The right to data portability can only be exercised if the basis for processing is either your consent or a (pre-) contractual necessity and the processing has been automated. The right to data portability does not apply to processing that is necessary for the performance of tasks that is in the public interest or in the exercise of official authority that has been delegated to the person responsible.

Right to object:
You have the right to object to the processing of your personal data at any time if this is based on our legitimate interests. If you have objected to processing, we will no longer process your personal data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims. The objection has no influence on the lawfulness of the processing of your personal data based on legitimate interests that took place even before your objection.

contact:
To exercise any of the above rights, you can send an email to privacy@fior.digital. Please note that for such requests, we need further identification information from you (e.g. passport, identity card, etc.) to ensure that your personal data is only shared with you.

13. Objection to advertising

How can I object to the processing of my data for advertising purposes?

You can also object to any use of your personal data for advertising purposes. If you would like to object in principle to the processing of your data for advertising purposes, please contact us by e-mail at privacy@fior.digital. The objection has no influence on the lawfulness of the processing of your personal data based on legitimate interests that took place even before your objection.
Please note, however, that such an objection is only made against FIOR Digital and even after such an objection, you may still receive advertising about FIOR Digital from other providers on other websites over which we have no influence.‍

14. Automated decisions

Does FIOR Digital use my personal data for automated decision-making, including profiling?
‍
FIOR Digital does not use personal data for automated decision-making processes, including profiling within the meaning of Art 22 GDPR (e.g. decisions that have legal effect on data subjects or significantly affect them in a similar way and which are based exclusively on automated processing of personal data, including the creation of profiles).‍

15. Processing for other purposes

Is my personal data processed for purposes other than those for which it was collected?
‍
In principle, at FIOR Digital, we only process personal data for the purposes for which it was collected. In exceptional cases, however, we may process your personal data collected for a specific purpose for another purpose. In such a case, before the intended processing, we will inform you of the new purpose, the duration of storage, the exercise of data subject rights, the possibility of withdrawing consent, the existence of the right to file a complaint with the data protection authority and whether the provision of the data is necessary for legal or contractual reasons and what the consequences would be if the data is not provided and whether automated decision-making or profiling is used.

16. Supervisory authority

Which supervisory authority can I file a complaint with?
‍
You have the right to lodge a complaint with the competent supervisory authority if you think that your rights under the GDPR have been violated. In Austria, this is the data protection authority.

17. Declaration of consent

How do I get my consent and how can I withdraw my consent?

By ticking the appropriate box as part of the registration process or in the event of an update after logging into your FIOR Digital account, you expressly confirm that you have read the privacy policy and that you agree to the processing of your personal data as described there.
By ticking the respective separate box for news and updates via email (newsletter), you expressly agree that you would like to receive electronic messages as described in point 10.
You have the right to withdraw your consent at any time by contacting FIOR Digital GmbH, or by sending an email to privacy@fior.digital. Please note that if you withdraw your consent, we will no longer be able to provide you with all of our services and products. Withdrawing your consent has no effect on the lawfulness of processing your personal data based on consent even before you withdraw your consent.

18. Data security

How is my personal data protected?

Data security is very important to us and we are committed to protecting the information we collect. We have comprehensive administrative, technical, and physical measures to protect your personal information from accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. These measures comply with the highest international safety standards and are regularly reviewed for their effectiveness and suitability to achieve the desired safety goals.
For example, we have implemented the following technical and organizational measures:

• SSL encryption of our websites from which we send personal data
  
• Ensuring the confidentiality, integrity, availability, and resilience of our systems and services
  
• Using encrypted systems
  
• Measures to quickly restore the availability of personal data in the event of a physical or technical incident
• Privacy by Design and Default measures on our platform, such as preventing user enumeration, including “user enumeration”
• Introduction of procedures for regular review, evaluation and evaluation of the effectiveness of technical and organizational measures to ensure the security of data processing, such as the “bug bounty” program
• Internal IT security guidelines and IT security training
• Incident Management

19. Update to this privacy statement

How will I find out about changes to this privacy statement?
‍
FIOR Digital is committed to keeping the principles of data protection up to date. For this reason, we regularly review and update our privacy policy. This ensures that it is presented correctly and clearly on our website, contains appropriate information about your rights and our processing activities (including with regard to technical changes or business development), is implemented in accordance with applicable law and thus meets data protection requirements. We update this privacy statement from time to time as necessary to adapt it to current circumstances. If we make significant changes to this privacy policy, we will notify you after logging into your FIOR Digital account and will provide you with the updated version of the privacy policy. If required by applicable law, FIOR Digital will obtain your express consent to significant changes.

20. Contact

How can you contact us?
‍
If you have any further questions about this privacy statement or the processing of your personal data, please contact our data protection team: privacy@fior.digital