Finvex Spółka z Ograniczoną Odpowiedzialnością (KRS 0001142992), whose registered office is at UL. Hoża 86, m. 210, 00-682, Warsaw, Poland (hereinafter “Finvex,” “we,” “us,” or “our”), respects your privacy and is committed to protecting your personal data. This Privacy Policy (together with our Terms of Use) explains how we collect, use, and share information when you use our crypto payment gateway, crypto-fiat infrastructure, and digital asset services (collectively, the “Services”).
By accessing or using Finvex’s website (the “Site”) or Services, you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please refrain from using our Site or Services.

Finvex is a Polish-registered Virtual Asset Service Provider (VASP) focused on cryptocurrency exchange and payment solutions for businesses. We operate in compliance with applicable international and local data protection laws, including but not limited to the EU General Data Protection Regulation (GDPR) and relevant Polish data protection statutes. You may contact our support team at info@finvex.co for any inquiries regarding your personal data.

Personal Data: We may collect various types of personal information from you when you create an account, use our Services, or contact us. This information may include:

• Identity Data: Full name, date of birth, nationality, and government-issued identification numbers or documents (e.g., Passport, ID card, Driver’s License).
• Contact Data: Email address, telephone number, and physical address.
• Financial Data: Bank account details, credit/debit card information, and blockchain wallet addresses used for transactions.
• Biometric Data: If required for verification, we may collect biometric identifiers (e.g., a facial scan for identity verification).
• Technical Data: IP address, device information, browser type, operating system, and geolocation data.
• Usage Data: Details about how you use our Site and Services, including transaction history and site navigation patterns.

Non-Personal Data: We also gather statistical or aggregated data that does not directly identify you. For example, we may collect cookies and usage logs to understand how users interact with our Site. Cookies help us analyze web traffic and improve our Site’s performance and features. By using our Site, you agree to our use of cookies for the purposes described in this policy (you can manage your cookie preferences through your browser settings).

We use your personal information only for legitimate and specified purposes, including:

• Service Delivery: To create and manage your Finvex account, allow you to access our platform, and facilitate fiat-to-crypto, crypto-to-fiat exchanges, or digital asset transactions. For example, we need your identity and payment details to process transactions and execute your orders securely.
• Verification and Compliance: To verify your identity and fulfill our Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations under applicable laws. This may include using third-party verification providers and checking your data against sanctions or watchlists (see our AML & KYC Policy for details).
• Communication: To communicate with you about your account or transactions. For instance, we may send service updates, confirmations of orders, security alerts, and support responses. We may also reply to inquiries you send us via email or through customer support channels.
• Improvement and Analytics: To analyze Site usage (e.g., which pages are visited most) and improve our Services. We engage trusted service providers to help us understand user behavior and preferences (e.g., Google Analytics or similar tools). These third parties have access to data solely to perform tasks on our behalf and are contractually obligated to protect it.
• Marketing (Opt-In): To send you marketing communications about Finvex products, services, or promotions only if you have given consent. You have the right to opt out of marketing at any time by using the unsubscribe link in our emails or by contacting us. We will not use sensitive personal data for marketing without explicit consent.
• Legal Compliance and Security: To comply with legal obligations (such as record-keeping under AML laws) and to enforce our Terms of Use and other agreements. We may use data to prevent fraud, illicit activities, or unauthorized access to our Services. This includes using IP addresses to enforce geographic restrictions or detect suspicious logins (note: use of VPNs or proxy to hide your location is forbidden while using Finvex services).

We will not process your personal data in a manner incompatible with these purposes, and we will ask for your consent before using it for any new purpose not covered by this Privacy Policy.

We collect personal data from several sources:

• Directly from You: Information you provide during account registration, identity verification, transaction processing, or support inquiries.
• Your Use of Services: Data generated through your activity on our Site (transaction history, trade data, wallet balances) and interactions (e.g., chat with support).
• Third Parties: We may receive data from business partners or service providers, such as identity verification services, payment processors, banks, or analytics providers. For example, if you register or log in via a social network (Google, Facebook), we may receive basic profile info from those platforms.
• Public Blockchains: For crypto transactions, we may collect information from public blockchain networks (e.g., transaction hashes, wallet addresses) which can be linked to you when you transact via our Services.

Finvex treats your personal data with confidentiality. We do not sell your personal data. We may share information only as necessary for the purposes outlined in Section 4 and in accordance with data protection law:

• Affiliates and Service Providers: We share data with our subsidiaries, cloud storage providers, verification agencies, banking partners, payment processors, and other vendors who help us deliver the Services. These parties process data under strict instructions and must implement security measures equivalent to ours. For instance, we might share your name and ID with a KYC service to verify your identity, or transaction data with our banking partner to facilitate a wire transfer.
• Business Transactions: In the event of a merger, acquisition, restructuring, or asset sale, customer data may be transferred to the successor entity as part of the business transfer, under the condition that the recipient honors this Privacy Policy.
• Legal and Regulatory: We will disclose data to governmental authorities, regulators, or law enforcement if required by law or court order, or if necessary to comply with our legal obligations. Examples include providing information requested under Polish law or EU regulations, or cooperating with a lawful investigation into fraud or money laundering. Where permitted, we will notify you of such disclosures.
• Protection of Rights: We may share data to enforce our agreements or policies, to protect Finvex’s rights or property, or to prevent harm to any person. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.
• Any third party that receives access to personal data will be contractually bound to use it only for the agreed purpose and to protect it to standards equivalent to those of Finvex. If data is processed in jurisdictions outside your own, we will ensure adequate safeguards are in place in line with GDPR (e.g., Standard Contractual Clauses for EU data transfers).

We implement robust security measures to protect your data from unauthorized access, alteration, disclosure, or destruction:

• Encryption: All sensitive data (such as passwords, private keys, financial information) is encrypted at rest and in transit using industry-standard encryption (e.g., TLS for data in transit).
• Access Controls: Personal data is accessible only to authorized Finvex personnel or contractors who require access for their job duties and are bound by confidentiality obligations.
• 2FA and User Responsibilities: We highly encourage (and in some cases mandate) two-factor authentication for account access. Important: You are responsible for safeguarding your account credentials. Do not share your password or API keys. You must act only on your own behalf and not impersonate or misrepresent your identity. If you suspect any unauthorized access to your account, notify us immediately.
• Security Audits: We conduct regular security audits, penetration tests, and risk assessments on our systems. Our security practices are reviewed periodically and updated in light of legal and technological developments.
• Incident Response: In case of a data breach or security incident affecting your personal data, we will notify you and relevant authorities as required by law, and take immediate steps to mitigate the impact.
• Please note that while we strive to protect your data, no system can be 100% secure. Transmission of data via the internet inherently carries risk. You transmit data to us at your own risk, but once we receive it, we use strict procedures to secure it.

We retain personal information only as long as necessary for the purposes outlined or as required by law. Generally, this means:

• Account Data: As long as you maintain an account with us, we keep the data associated with your account.
• Transaction Records: Under AML and financial regulations (e.g., the Polish AML Act of 1 March 2018), we must retain certain transaction records and identification data for at least five years after the business relationship ends or after an occasional transaction is completed.
• Legal Requirements: If applicable laws require extended retention (for example, for tax or accounting purposes, or in case of ongoing disputes), we will retain the necessary data until the obligation is fulfilled.
• Deletion: When data is no longer needed, we will securely delete or anonymize it. Your right to request deletion is described below, but note that we cannot delete data that we are legally required to keep (see Section 9).

As a user of our Services and a data subject, you have specific rights under GDPR and other data protection laws. These include:

• Right of Access: You can request a copy of the personal data we hold about you. This is commonly known as a "data subject access request." A small fee might apply if requests are manifestly unfounded or excessive.
• Right of Correction: If any personal data we have is inaccurate or incomplete, you have the right to have it corrected or updated. You can typically update some information through your account settings or by contacting support.
• Right to Deletion: Also known as the "right to be forgotten." You may request deletion of your personal data and account. We will honor such requests provided that the data is not required for legal or regulatory compliance. For example, if you have conducted transactions, we may need to keep certain records to satisfy AML laws even if you close your account.
• Right to Restrict Processing: You can ask us to suspend processing of your personal data in certain scenarios, such as if you contest the accuracy of the data or object to our processing.
• Right to Data Portability: Where applicable, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another service provider if technically feasible.
• Right to Object: You can object to our processing of your data where we rely on legitimate interests as the lawful basis, or to direct marketing (see “Marketing” in Section 4). If you object, we will consider whether we have compelling legitimate grounds to continue processing or if we need to cease the processing.
• Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. For instance, you can opt out of marketing emails by withdrawing your consent to marketing.

To exercise any of these rights, please contact us at privacy@finvex.co or through your account interface where applicable. We may need to verify your identity (to protect your data) before fulfilling your request. We will respond to legitimate requests within one month, or inform you if we need more time.

• If you believe that we have not complied with your data protection rights, you have the right to file a complaint with the Polish Data Protection Authority (UODO) or your local supervisory authority in the EU.

Finvex primarily stores and processes data within the European Economic Area (EEA). However, in providing our Services, your data might be transferred to and stored on servers in countries outside your jurisdiction. For example, if we utilize a U.S.-based cloud provider or if a verification partner is located in another country, your data may be processed there.
Whenever we transfer personal data internationally, we ensure appropriate safeguards are in place. For EEA users, this means we rely on adequacy decisions by the European Commission (if the country ensures an adequate level of data protection) or implement Standard Contractual Clauses (SCCs) and additional security measures for data transfers to non-EEA countries, as per Article 46 GDPR. Our goal is to ensure that your data receives a level of protection equivalent to that provided in your home jurisdiction.

• By using our Services and providing information to us, you consent to the transfer of your data across international borders in accordance with this Privacy Policy.

Our Site uses cookies and similar tracking technologies (like web beacons or pixel tags) to distinguish you from other users and to improve your experience.

• Types of Cookies: We use both session cookies (which expire when you close your browser) and persistent cookies (which stay on your device for a set period or until deleted). Cookies may be strictly necessary for the Site to function (e.g., to keep you logged in), or analytical/functional to remember your preferences and gather usage data.
• Third-Party Cookies: We may allow certain third parties to set cookies on our Site to provide us with analytics (e.g., Google Analytics) or to assist in advertising (though as of the last update, Finvex does not display third-party ads). These cookies are controlled by the third parties and subject to their privacy policies.
• Your Choices: On your first visit, you will see a cookie notice with options to accept or customize your cookie preferences. You can also adjust your browser settings to refuse some or all cookies. However, note that disabling certain cookies (especially strictly necessary ones) may affect the functionality of our Site or Services. For example, you might not be able to log in or use some features if cookies are disabled.
• More Information: For more details on what cookies we use and why, please refer to our Cookie Policy. By continuing to use our Site, you consent to our use of cookies as described.

Our Site may contain links to websites or resources operated by third parties (for example, a link to an article, partner services, or compliance resources). This Privacy Policy applies only to Finvex’s Site and Services. Once you click a third-party link, you will be directed away from our Site. We have no control over, and are not responsible for, the content, privacy practices, or operations of these third-party sites.
We encourage you to review the privacy policies of any site you visit through external links from our Site. Your interactions on third-party websites are governed by those third parties’ rules and policies, not Finvex’s.

Finvex may update or revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We reserve the right to modify this Policy at our sole discretion. If we make material changes, we will notify you by email (sent to the address specified in your account) or by placing a prominent notice on our Site. We will also update the “Last Updated” date at the top of this Policy.
It is important that you review any changes to the Policy. By continuing to use our Site or Services after those changes become effective, you agree to be bound by the revised Privacy Policy. If you do not agree with the changes, you should stop using our Services and may request deletion of your data (subject to legal requirements as noted).

If you have any questions, concerns, or comments about this Privacy Policy or our data practices, please contact us:

• Email: info@finvex.co
• Postal Mail: Data Protection Officer, Finvex Sp. z o.o., UL. Hoża 86, m. 210, 00-682 Warsaw, Poland

We will address your inquiries promptly and professionally. Your privacy matters to Finvex, and we aim to be transparent and responsive to your needs.