Scope

This EU Privacy Notice (“Notice”) describes the ways BitPay Inc. (“BitPay”, “we”, “us”, “our”) collects, stores, uses and protects personal data. BitPay’s services include Merchant processing services, websites, mobile applications, products, and other features, technologies or functionalities, including customer support (the “Services”) offered by us. This Notice applies to all processing of personal data on the website www.bitpay.com and all other BitPay sites on which it appears (the “Sites”).

The purpose of this Notice is to inform you about the processing of personal data by us and to inform you of your rights.

Responsibility

Compliant processing. BitPay complies with applicable United States federal and state regulations and European Economic Area (European Union + Norway, Iceland, Liechtenstein) (hereinafter “EEA”) data protection laws, such as the General Data Protection Regulation and its implementation acts (hereinafter “GDPR”).

BitPay as a controller. BitPay is considered the controller for processing personal data as described in this Notice.

BitPay as a processor. In principle, we control the processing of your personal data. However, in some cases, we may process your personal data on behalf of another party, who is the controller responsible for your personal data. This Notice does not relate to that part of our processing activities where we are acting on behalf of another controller. For such processing, the privacy notice of the relevant controller applies, and we encourage you to read that notice.

Third party websites. The Sites may include links to websites of third parties (for example, hyperlinks, banners or buttons). We are not responsible for the content of those websites, services provided by those third parties, or their compliance with applicable privacy legislation.

What is “personal data”?

Personal data is any information relating to an identified natural person or that can be used to identify a natural person directly or indirectly. A prime example of identifiable information is a person’s legal full name.

How we obtain personal data

Means of collection. We obtain your personal data in various ways:

• Provided by you. We obtain information provided by you, for example, if you contact us, sign up for our newsletter, or provide information to us in the course of using our Services. When you provide personal data to BitPay, please do not provide information that is irrelevant, inaccurate, and/or unnecessary for the provision of Services.
• Automatically collected. We obtain some information automatically when you visit our Sites, for example, via cookies. For more information, please see our Cookie Policy.
• Third parties. We may obtain information from third parties, such as our Merchants with which you do business.

Required provision. It may be that providing certain personal data to us is a statutory or contractual requirement, a requirement necessary to enter into a contract, or that you are otherwise obliged to provide. If that is the case, we will inform you thereof and will explain the possible consequences if you fail to provide such personal data to us.

Who are the data subjects?

There are several types of data subjects whose personal data we process:

• Visitors of our Sites;
• Merchants who sign up for our Services (“Merchants” means any business that uses our Services to process payments, including non-profits that use our Services to accept donations and “Aggregators” that use our Services as a payment services platform for their own Merchants);
• Shoppers of Merchants (“Shoppers” means individuals who indirectly interface with BitPay when paying a Merchant’s invoice that is forwarded by BitPay to a Merchant during checkout, when requesting a refund from a Merchant, when creating a BitPay account, or when making a donation to a non-profit);
• BitPay wallet holders who have downloaded and installed the BitPay app on their mobile device;
• Payees (e.g., employees, contractors, vendors or exchange customers) who request a payment (“Payout”) via cryptocurrency from a Merchant and create a BitPay account; and
• Partner employees (employees and other agents of our customers and vendors, including potential and former customers and vendors).

Details of data processing: What kind of personal data do we collect, why, and on what legal basis?

The categories of personal data we collect, the purposes, and the legal bases are set forth below. Our primary purpose for collecting personal data is to provide you with a secure, smooth, efficient, and customized experience. We use your personal data to:

• Provide our Services (including customer support);
• Process transactions and send notices about your transactions;
• Resolve disputes, collect fees, and troubleshoot problems;
• Communicate with you about our Services and business and to inform you of matters that are important for your account and/or use of the Sites. We also use your personal data to respond to any questions, comments or requests you filed with us and the handling of any complaints;
• Comply with applicable laws and regulations;
• Establish, exercise and defend legal claims;
• Monitor and report compliance issues;
• Customize, measure, and improve our business, the Services, and the content and layout of our website and applications (including developing new products and services; managing our communications; determining the effectiveness of our sales, marketing and advertising; analyzing and enhancing our products, services, websites and apps; ensuring the security of our networks and information systems; performing accounting, auditing, invoicing, reconciliation and collection activities; and improving and maintaining the quality of our customer services);
• Perform data analysis;
• Deliver targeted marketing, service update notices, and promotional offers based on your communication preferences, and measure the effectiveness of it. To approach you via email for marketing purposes, we request your consent, unless it is not required by law. You always have the option to unsubscribe from our mailings, e.g., via the unsubscribe link in our newsletter;
• Perform risk management, including comparing information for accuracy and verify it with third parties and protect against, identify and prevent fraud and other prohibited or illegal activity, claims and other liabilities; and
• Enforce our contractual terms.

We only use your personal data where we have a legal basis to do so:

• Consent. For some processing activities, we require your prior consent. This applies for example to some of our direct marketing activities which fall under the scope of the GDPR and ePrivacy rules. You may withdraw your consent at any time (see below).
• Performance of a contract. Some personal data we process about you is for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract with us.
• Legal obligation. In some cases, we have to process your personal data to comply with legal obligations, including those applicable to financial services institutions, such as under the Bank Secrecy Act and other anti-money laundering laws.
• Legitimate interest. In most cases where we process personal data in the context of our Services we rely on our legitimate interests in conducting our normal business as an online payments company as a legal basis for such processing.

Where we process personal data relating to criminal convictions and offenses, we will ensure that we have a lawful basis to do so.

The following sections provide you with some more information.

Specification of legitimate interests. Prior to processing your personal data on the basis of legitimate interests, we have assessed whether our legitimate business interests are not overridden by your rights and freedoms. You can contact us for information about the ‘balancing test’ that we conducted to rely on this legal basis. Please find our contact details below.

How we protect and store personal information

We take the security of our data seriously. We use administrative, technical, and physical security designed to safeguard personal data in our possession, and we maintain internal policies and procedures to address our data security. We have been audited and received a SOC 2 report addressing the security of our Services. However, we cannot guarantee the security of the data that we collect and store. We will notify relevant supervisory authorities and data subjects in the event of a data breach, if required under applicable law.

Data retention

In principle, we do not store your personal data any longer than is strictly necessary for processing purposes. We have a retention policy to ensure that your personal data is retained and deleted in accordance with applicable retention periods. Because we are a regulated financial institution in the United States, we retain personal data collected as a part of our customer due diligence and identification program, as required by applicable federal and state regulations.

For further information on our data retention policy, please find our contact details below.

How we share personal data with third parties and transfers outside the EEA

Third parties. We may share your personal data with the following third parties:

• Other BitPay entities, including to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services and communications;
• Service providers who help with our business operations and to deliver our Services, such as:
  • Cloud service providers providing cloud infrastructure;
  • Providers of ID verification solutions and other due diligence solutions (such as KYC and anti-money laundering);
  • Providers of website analytics;
  • Providers of customer service solutions outside of the EEA;
  • Providers of marketing automation platforms in the United States
• Law enforcement, government officials, regulatory agencies, our banks, and other third parties pursuant to a subpoena, court order or other legal process or requirement if applicable to BitPay; or when we believe, in our sole discretion, that the disclosure of data is necessary to report suspected illegal or fraudulent activity or to investigate violations of our Terms of Use; and
• We may also share certain Shopper data with our Merchants, for example, in cases of suspected fraud or in connection with an ongoing investigation.

Transfers outside the EEA. BitPay is primarily located in the United States, and some of the third parties mentioned above may be located in the United States or other countries outside the EEA. We employ the following safeguards if the processing of personal data by us qualifies as a transfer of personal data outside the EEA and falls within the scope of the GDPR:

• We may transfer your personal data to countries that have been found to provide an adequate level of protection of personal data
• We may use specific contracts, including Standard Contractual Clauses. For example, we offer Standard Contractual Clauses to meet data transfer requirements in respect of third parties such as service providers

You can obtain a copy of such contracts or information about countries in which we have service providers by contacting us. Please find our contact details below.

Your rights

Under the GDPR and relevant implementation acts, individuals have statutory rights related to their personal data. For more information on your rights, please refer to this web page of the European Commission. Please note that rights are not absolute and may be subject to conditions.

One key right is the Right to object. You have the right to object to processing of your personal data where we are relying on legitimate interests as our legal basis (see above). Under certain circumstances, we may have compelling legitimate grounds that allow us to continue processing your personal data. Insofar as the processing of your personal data takes place for direct marketing purposes, including profiling for direct marketing, we will always honor your request.

Other rights are as follows:

• Right to withdraw consent. Insofar as our processing of your personal data is based on your consent (see above), you have the right to withdraw consent at any time.
• Right of access. You have the right to request access to your personal data.
• Right to rectification. You have the right to request rectification of the personal data that we hold about you.
• Right to erasure. You have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data in certain circumstances.
• Right to restriction. You have the right to request restriction of processing of your personal data.
• Right to data portability. In some cases, you have the right to request to transfer your personal data to you or to a third party of your choice.

How to exercise your rights. The exercise of the aforementioned rights is free of charge and can be carried out by visiting our Data Subject Rights Portal. (You can also contact us by email via the contact details below, but you will receive a reply email directing you to our Data Subject Rights Portal so it is easier to go straight to our portal).

Merchants can review and edit their personal data by logging into their account and reviewing their personal data under the Settings tab on their Merchant dashboard. If you wish to change information relating to your industry or company website, or if you wish to close your account, you can submit a request at https://support.bitpay.com. If you choose to close your BitPay account, we will mark your account in our database as "closed". We will retain the information in the account in accordance with the record retention principles outlined in this Privacy Notice and as required by applicable law.

Marketing

If you do not wish to receive marketing communications from us or participate in our ad customization programs, you can simply click the “unsubscribe” link at the bottom of an email you receive from us or you can send an email to marketing@bitpay.com.

Contact Information

Contact DPO. BitPay has appointed a Data Protection Officer. You may contact us with questions or concerns about our privacy policies or practices at dpo@bitpay.com. However, If you wish to submit a data privacy rights request, you may do so by visiting our Data Subject Rights Portal.

Complaints. Subject to applicable law, you also have the right to lodge a complaint with your local Data Protection Authority. If you believe we maintain your personal data within the scope of the GDPR, and if you believe we did not take action in respect of your data subject rights (as set out above) or you are not satisfied with the way in which we have handled your request, you may lodge a complaint with a supervisory authority or seek a judicial remedy. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is BitPay’s lead supervisory authority in the EU. However, we would always appreciate the chance to address your concerns before you approach the supervisory authority, so please contact our Data Protection Officer with questions or concerns by sending an email to dpo@bitpay.com or mail to: BitPay B.V., the representative of BitPay Inc. in the EU:

BitPay B.V.
Stadsplateau 7 WTC office 7
3521 AZ
Utrecht
Netherlands
Phone +44 808 169 7186