Cryp2Sale Global Privacy Policy

Last Updated: 12 December 2023

We care about your privacy

As a business headquartered in Europe, we are subject to certain regulations (among which, the European General Data Protection Regulation) that require us to comply with a number of obligations regarding your data.

In this document, you can learn everything about how we use your data: that we collect it from you and your actions, that we process only what we need in order to perform what you have asked or consented to (or what the law requires us to…), that we protect it with appropriate technology and that we will not share it with anyone, including law enforcement, unless we are forced to by laws and regulations.

The right to privacy is a basic human right. We will fight for yours.

0. Introduction

The “Cryp2Sale Group”, comprising the entities mentioned below as well as their parent companies, subsidiaries and affiliates, is committed to protecting the privacy of our Customers.

This privacy policy is issued on behalf of AIRFILL PREPAID AB, a limited company incorporated under the laws of Sweden and registration no. 559001-6035 (“Airfill”). Airfill is a data controller of the personal data collected through our websites www.cryp2sale.com and www.airfill.com (“Websites”), or through our mobile application Cryp2Sale, available on Apple and Android app stores (“App”).

This policy also applies to the following entities, to the extent personal data is collected on transactions involving them:

• For personal data collected in the context of the Bill Payment Services from El Salvador, Cryp2Sale, Sociedad Anónima de Capital Variable and with registration number 2021103271 (“Cryp2Sale ES”) is a joint data controller.
• For personal data collected in the context of the Bill Payment Services from any other jurisdiction, Airfill US LLC, a Delaware company with file number 5817333 (“Airfill US”) is a joint data controller.

When creating an account, or before acquiring a Product, we will ask you to review this Policy and accept its contents before proceeding. You should read this policy in full before proceeding.

If you don’t want us to collect, use or share your personal information as outlined in this Privacy Policy, or if you are under 18 years old and unsupervised by parents or legal guardians, please stop using our Websites or App.

In this policy you can find about:

• What personal data do we collect;
• Why do we process your personal data;
• When do we share your personal data;
• How do we protect your personal data;
• How can you exercise your data subjects rights; and
• How long do we keep your data?

Minors

International Transfers

1. What personal data do we collect?

We can collect your data directly (e.g., when you give it to us), indirectly (e.g., when someone else gives it to us) or through automated technologies (e.g., cookies).

Please find below an outline of the types of data that we may collect and how we collect it.

Data directly provided by you

Type of data

Description

Basic identification data

Email Address, Phone number

KYC customer data

Name, Address, Date of birth, Nationality, Country of residence, Gender, Government-issued identity document (e.g., passport, driver’s license, or state identification card), Social security number, Employment information (e.g., company name), Proof of residency, including visa information, Utility bills (for your billing address), Photographs and/or videos, Income/net assets/wealth verification statements, criminal offences and allegations, family members and their professional roles.

Professional data

Employer Identification Number (or comparable number issued by a government), Personal identification information for all material beneficial owners of your business, employer, and professional role.

Financial data

Tax identification number, Income/net assets/wealth verification statements

Wallet data

Wallet address, wallet provider.

Preferences data

Preferred coins, settings and preferences selected in Websites and/or App.

Transaction data

Data about the transactions made on our Websites and App, such as the amount, currency preferences, payment method, date, and/or timestamp, products purchased.

Customer Support data

Data provided by you during customer support exchanges, or in response to customer surveys.

Special categories of personal data

We may collect biometric data if, and only if, voluntarily provided by you in the context of an identification verification procedure. We do so by collecting a live selfie that is compared to the photography of the identity provided by you. We use our provider SumSub to process and store this data, and we do it to ensure that the person submitting the documents is indeed the owner of the documents, thereby increasing the level of safety and reliability of the verification. We do this with your express specific consent, given by you before the identity verification. You are also in full control of how and when the collection takes place. This data is used solely for this purpose, in the context of the anti-money laundering policy of Cryp2Sale.

In the course of your usage of the Cryp2Sale Card, we may have access to personal data related to your purchases with the card, from which special categories of personal data may be derived.

Data indirectly obtained about you

Data indirectly obtained includes any personal data shared by third parties, as well as publicly available data, advertising data, and analytic data derived from our services.

Data indirectly obtained about you

During your interactions with our affiliates, partners, or service providers, you may provide them with data that may be transmitted to us for the purposes outlined in this policy. Below are examples of such data:

• Basic information data: Described above.
• KYC customer data: Described above.
• Business and professional data: Described above.
• Financial data: Described above.
• Wallet data: Described above.
• Transaction data: Described above.
• Customer support data: Described above.

We may also receive data about you from a person who has submitted it for our referral program or through publicly available data, such as blockchain data or media reports about you.

Advertising data

We receive data from our advertising partners on your interactions with marketing and advertising content, such as clicks, actions, time spent, and more.

Analytics data

We receive data from our analytic providers about your usage of the Websites and App, including page clicks, actions, time spent, age group, geographic region, and survey responses.

Counterparty data

We may receive data from counterparties with whom you have interacted in relation to a product or service provided by us, about how you have interacted with them.

Transaction data

We may also receive transaction data from third parties with whom we offer products, such as the Cryp2Sale Card. This data is provided solely to display it in your transaction history.

Data automatically obtained about you

Device, browser, and app data

Our systems collect information about your device, its operating system, browser, additional features (such as plugins), the network you connect to, and your IP address.

Usage data

Our plugins and cookies collect information about your activities, such as what you view or click on our Sites and Apps, your usage of our services, diagnostic and troubleshooting data, service-related performance details, timestamps, crash data, website performance logs, and error messages or reports.

Special categories of personal data

We do not collect any special categories of personal data about you (e.g., race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, or genetic data) except as described above.

Important notice

The nature of some services requires you to give us personal data (e.g., your phone number or email to deliver a top-up or gift card). In those cases, we will only be able to provide the service if you provide us with that information, and we retain the ability to terminate your account if we no longer have the ability to process the personal data necessary to provide you with our products.

2. Why do we process your personal data?

We use your personal data for different purposes, better stated below:

Purpose/Activity

To open and maintain your account.

• Type of data: Basic information data, KYC customer data, Professional data, Biometric data
• Lawful basis: Performance of a contract with you; compliance with legal obligations; legitimate interests to start an ongoing customer relationship; your express consent when creating an account.

Purpose/Activity

To sell you the products and provide you with services.

• Type of data: Basic information data, KYC customer data, Preferences data, Wallet data, Transaction data
• Lawful basis: Performance of a contract with you; compliance with legal obligations; legitimate interests to conduct our business; your express consent when creating an account.

Purpose/Activity

To manage the Cryp2Sale store.

• Type of data: Preferences data, Transaction data, Customer support data
• Lawful basis: Legitimate interests to run our business, provide administration and IT services, ensure network security, prevent fraud, and conduct business restructuring; compliance with legal obligations; your express consent when creating an account.

Purpose/Activity

For advertisement, data analytics, and to provide recommendations.

• Type of data: Analytics data, Advertising data, Device, browser, and app data, Usage data, Counterparty data
• Lawful basis: Legitimate interests to study how users use our services and website, develop them, grow our business, and inform our marketing strategy; your express consent when creating an account.

Purpose/Activity

To comply with internal and external policies, guidelines, rules, and legislation.

• Type of data: Basic information data, KYC customer data, Professional data, Transaction data, Wallet data, Financial data, Publicly available data, Counterparty data, Device, browser, and app data
• Lawful basis: Compliance with legal obligations; legitimate interests to ensure a safe and credible platform.

3. When do we share your information?

3.1 General

Cryp2Sale works with multiple partners, providers, and other third parties to enable the products and provide customers with the Cryp2Sale service. For that end, Cryp2Sale shares certain information with third parties, as explained below.

Our group and our team

Your data may be shared with other entities of the Cryp2Sale Group if you wish to acquire products that are sold by other entities of the group. Your data may also be accessed by our employees and people who we may hire as contractors or freelancers.

• Airfill Prepaid AB: All data.
• Airfill US LLC: Basic information data, KYC data, Wallet data, Financial data, Transaction data.
• Cryp2Sale ES: Basic information data, KYC data, Wallet data, Financial data, Transaction data.

Our third parties

Your data may be received from or shared with (to the extent necessary) the following entities that provide services to/with Cryp2Sale, among others that Cryp2Sale from time to time engages to provide services:

• Slack and Clickup: Online workspaces and project management (Basic information data, Wallet data, Transaction data, Customer support data).
• Google: For analytics, email, and storage (All data minus biometric data).
• SumSub: KYC provider (Basic information data, KYC customer data, Professional data, Financial data, Biometric data).
• Microsoft and Mixpanel: For analytics (Basic information data, Wallet data, Transaction data, Usage data, Device, browser, and app data).
• Zendesk: For customer support (Basic information data, KYC customer data, Customer support data, Transaction data).
• Castle.io: For fraud prevention and transaction monitoring (Basic information data, Transaction data).
• Sendgrid and Customer.io: For email marketing (Basic identification information).
• Teamtailor: For recruitment (Basic identification data, Professional data).
• Meta, TikTok, Snapchat, Reddit, Quora, or Twitter/X: For social media advertising (Advertising data, Analytics data).
• Sentry and Scalyr: For performance monitoring (Basic identification data, Wallet data, Transaction data, Usage data, Device, browser, and app data).
• Rehive: For financial transactions management (Basic identification data, Transaction data, Wallet data).
• Striga and Wallester: For the Cryp2Sale Card.
• Perfect Gift and Sutton Bank®: For the Virtual Prepaid Visa® Card.

Your third parties

Your data may be shared with your third parties, as instructed or needed by you, in order to complete the services to you. This may include your wallet providers, your email provider, or others you may require us to engage with.

Public authorities and regulators, professional advisors, and other industry partners

Your data may be shared with regulators and law enforcement authorities, in response to legitimate requests made in the course of their activity. Your data may also be shared with professional advisors such as lawyers, cybersecurity or compliance consultants, to fulfill our compliance obligations, assist us in defining adequate courses of action, and detect, investigate or prevent illicit activity on our platform.

Corporate events

Your data may be shared in the context of a corporate event such as a purchase or sale of assets or of a company, a merger or spin-off, an acquisition or reorganization, a liquidation, or a simple change of control.

3.2 Specifically: Cooperation with law enforcement

Your personal data will only be disclosed to law enforcement authorities, or other government bodies, to the extent required by laws and regulations.

Cryp2Sale will not ordinarily share customer personal data unless required to do so by an appropriate legal instrument (e.g., a subpoena, a warrant, or the legal equivalent in the issuing country). Exceptional circumstances (such as a very urgent request that may save a human life, or avoid great harm) may determine a different reaction from our side, but only to the extent permitted by law.

3.3 Specifically: Cryp2Sale Card

Certain products may be offered, from time to time, together with third-party providers that may require Cryp2Sale to process your personal data in order to provide it. This is the case, for example, of the personal data collected in the context of the Cryp2Sale Card, offered together with Striga Technology OÜ and Wallester AS.

The joint data controllers for personal data connected with this product include:

• Striga Technology OÜ
• Wallester AS

As a rule, Cryp2Sale processes such data only upon the instructions of these third-party controllers and acts as a data processor. This includes, specifically, data on the purchases you make with the Cryp2Sale Card. This information is passed to Cryp2Sale from the joint data controllers for the sole purpose of showing it to you on your transaction history and is not processed for any other purpose.

However, Cryp2Sale also acts as a data controller with respect to some of the data processed in connection with the Cryp2Sale Cards, e.g., where Cryp2Sale processes personal data that is not processed by third-party data controllers (such as the password of your account) or where Cryp2Sale processes personal data for the functions entirely handled by Cryp2Sale (such as customer support, or to provide you with account management tools).

Relevant details for the Cryp2Sale Card

Purposes

To provide the Cryp2Sale Card according to the Terms and Conditions, and to monitor and store cardholder transactions in accordance with requirements provided for in the rules, procedures, laws, and regulations that are designed to prevent money laundering crimes.

Categories of Personal Data

• Basic information data
• KYC customer data
• Professional data
• Transaction data
• Wallet data
• Financial data
• Publicly available data
• Counterparty data
• Device, browser, and app data

4. How do we protect your personal data?

We are committed to protecting the privacy and confidentiality of your personal data. Access to your data is limited only to authorized Cryp2Sale officers, employees, contractors, or others who may require access to it in order to perform the services requested by you.

More specifically, we have implemented the following security measures:

• Staff dedicated to cyber and physical security, that designs, implements, and provides oversight to our information security program.
• The use of specialized technology such as host-based security tools, network defense monitors, and intrusion detection systems.
• Testing of the security and operability of products and services before they are introduced to the Internet, as well as ongoing scanning for publicly known vulnerabilities in the technology.
• Internal and external reviews of our Internet website and services.
• Monitoring of our systems infrastructure to detect weaknesses and potential intrusions.
• Implementing controls to identify, authenticate, and authorize access to various systems or sites.
• Protecting information during transmission through various means including, where appropriate, encryption.
• Providing Cryp2Sale personnel with relevant training and continually updating our security practices in light of new risks and developments in technology.

4.1 Specifically: your password

Customers are responsible for ensuring that their password is not shared or accessed by any other person, as well as for keeping their devices safe. Cryp2Sale highly recommends its customers to use the 2FA (two-factor authentication) feature made available to them.

We have in place the following security measures for your password:

• Our password strength validator checks for a minimum length, as well as the presence of uppercase and lowercase letters, numbers, and special characters.
• By hashing passwords, we ensure that even if a potential breach occurs, actual passwords will remain undisclosed.
• To further protect your account, we confirm the password reset token before allowing a password change.
• We notify users whenever their password is changed to ensure they are aware of any unauthorized modifications.

5. How can you exercise your data subject rights?

Under certain circumstances, you have the following rights under the data protection laws in relation to your personal data:

• Right to access, correct, or erase your personal data: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it, correct any inaccuracies, or request (to the extent permitted by law) the deletion of your data.
• Object to the processing of your personal data: Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
• Request restriction of processing of your personal data: This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • If you want us to establish the data’s accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data: To you or to a third party.
• Withdraw consent: At any time where we are relying on consent to process your personal data.

If you wish to exercise any of the rights set out above, please contact us in writing at support@cryp2sale.com.

Important notice

Please note that when applicable exceptions apply, some or all of these rights may not be enforceable. This will be the case, for example, if we have reason to suspect you may have been using our platform for unlawful purposes. In these cases, we can either refuse to, for example, erase your personal data and transactions record, or agree to do it within a certain reasonable time period that would allow us to confirm or waive our suspicions.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unreasonable, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

6. How long do we keep your personal data?

We will keep your personal data for the time needed to fulfill the purpose for which it was collected, be it selling you products, complying with legal obligations, or protecting ours, yours, or others’ interests.

If you have an account with us, we will keep your data collected in relation to your account activity for as long as the account exists.

Compliance and regulatory requirements

• We will keep information that is collected and processed for compliance purposes (namely information connected with ongoing investigations, or processed in the context of our anti-money laundering policy), for a minimum of 5 years, in accordance with applicable legislation and our internal money laundering process. This includes basic information data, KYC customer data, financial data, transaction data, and certain device, browser, and app data.
• We will keep this information regardless of your request to delete it, if you have purchased products that require KYC or if you have exhibited suspicious behavior in your dealings with Cryp2Sale.

Tax purposes

• We will keep information that is relevant for tax purposes for a minimum of 7 years.

Job applications

• We will keep information about your application for a job at Cryp2Sale until the moment we fill out the position. Unless you authorize us to keep that information further for consideration for new job openings, we will delete it, and you will need to resubmit it again if you want to reapply.

Deletion requests

If you request us to delete your personal data, we will comply with that request to the extent possible. In certain circumstances, we may be forced by tax, anti-money laundering, or other compliance regulations and policies to keep your data despite your request. We will inform you of that circumstance if it applies.

7. Minors

Our website and services are not intended for children under 16 years of age.

We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information to us without parental consent. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information.

8. International transfers

To enable our platform and services, we may need to transfer and process your personal data in countries outside the European Economic Area (EEA), where Cryp2Sale is based. Although we strive to ensure that your personal data remains within the EEA whenever possible, certain third-party providers are located abroad, and therefore, in certain circumstances, transferring your personal data internationally is unavoidable.

When that happens, we rely on the following safeguards to ensure the protection of your data:

• Adequacy decisions: We rely on adequacy decisions from the European Commission, whenever possible, to enable the transfer of data to countries that are considered to have an adequate level of data protection.
• Standard Contractual Clauses (SCCs): We use the European Commission’s SCCs to enable the transfer of data to third countries in a lawful and secure manner.
• Exemptions under GDPR Article 49: We may rely on exemptions provided by the GDPR, such as sharing personal information when requested by law enforcement authorities or to connect with our suppliers in order to fulfill your order.

9. Miscellaneous

9.1 Questions and contact

If you have questions about this Privacy Policy and how we handle your data, please send an email to support@cryp2sale.com with your question.

9.2 Policy updates

As our platform evolves, we may need to modify our Privacy Policy from time to time. Any changes will be made on this page, and when significant, we will inform you.

If you wish to contact us for any matter related to the Cryp2Sale Global Privacy Policy or how we process your personal data, please contact us at support@cryp2sale.com.

10. Cookies Policy

This policy relates to the website www.cryp2sale.com, owned by AIRFILL PREPAID AB, a limited company incorporated under the laws of Sweden and registration no. 559001-6035 (“Cryp2Sale”), and explains how it deploys cookies and what options you have to control them (the “Cookie Policy”).

10.1 What are “cookies”?

Cookies are very small pieces of data, stored in text files on your computer or other device when websites are loaded in a browser. They are used mainly to “remember” you and your preferences. In many sites, they ensure a consistent and efficient experience for visitors and perform essential functions such as allowing users to register and remain logged in.

Cookies can be set by the site that you are visiting (known as “first party cookies”), or by third parties, such as those who serve content or provide advertising or analytics services on the website (“third party cookies”).

Websites may also contain other similar technologies such as “web beacons” or “pixels.” These are typically small transparent images that provide us with statistics for similar purposes as cookies. They are often used in conjunction with cookies, though they are not stored on your computer in the same way. As a result, if you disable cookies, web beacons may still load, but their functionality will be restricted. For the purposes of this policy, we will use “cookies” as also including “web beacons” or “pixels.”

10.2 What cookies does this website use?

The website uses third-party performance cookies. Through these cookies, we do not collect or process any of your data: we just enable the collection and processing of such data by third parties. Performance cookies collect information on how users interact with our website, including the number of visitors, time spent, and other analytical data.

We use these details to improve how our website functions, understand user interactions, and improve our advertising strategies.

Examples of cookies we may use include:

• AMP_TOKEN (Google Universal Analytics): Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight requests, or an error retrieving a Client ID.
• _ga: Used to distinguish unique users by assigning a randomly generated number as a client identifier. Included in each page request and used to calculate visitor, session, and campaign data for analytics reports.
• __cfduid (CloudFlare): Used to speed up page load times and override any security restrictions based on the visitor’s IP address. Does not contain user identification information.
• __fdp (Facebook): Used by Facebook to deliver a series of advertisement products such as real-time bidding from third-party advertisers.

Additionally, following the consent you provide for the use of the aforementioned cookies, we deploy a single cookie for the sole purpose of remembering such consent.

10.3 How can you control the use of cookies on this website?

A “cookie notice” appeared when you accessed our website, requesting your consent for the use of cookies. Your consent should be free, explicit, unambiguous, and properly informed by this Cookie Policy.

If you provide consent, you can opt-out at any time by clicking here. By doing so, you won’t share information with our analytics tools about events or actions that happen after the opt-out.

10.4 Contact Us

If you have any questions about our use of cookies or other related questions, please refer to our Privacy Policy. For any further questions, please contact us at support@cryp2sale.com.