Bitpanda Financial Services Privacy Policy

The current version of this Privacy Policy is: March 2021

1. About this Privacy Policy

Financial Services really appreciates the trust you place in us when using our services. For this reason, privacy and data security have an enormously high priority for us. It is very important to us that you feel safe when using our services as well as over the course of all other business transactions with us. As soon as you make use of the services of Financial Services, you entrust us with the processing of your personal data. Our approach is to give you the best possible experience when using our services, with the highest data security standards, now and in the future.

Therefore, in this Privacy Policy, we want to transparently inform you which personal data we collect from you, how we process it and to whom we might forward it in detail. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.

Regarding the terms used in this Privacy Policy, such as “Processing” or “Controller”, we refer to the definitions of the GDPR.

This Privacy Policy is drafted in English and German. In case of conflict the English version shall be the binding version.

2. About Financial Services

The Bitpanda Financial Services GmbH (hereinafter referred to as "Financial Services" or "we") with its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, registered in the commercial register of the Commercial Court of Vienna under FN 551181 k, offers the possibility to place orders through financial instruments by accepting and transmitting them via the website www.bitpanda.com and the mobile application ("Mobile App") (hereinafter collectively referred to as "Website" or "Platform"). Bitpanda Financial Services is a subsidiary of the Bitpanda GmbH and therefore part of the Bitpanda Group (the Group consists of the Bitpanda GmbH and its direct and indirect subsidiaries, the exact definition of the Bitpanda Group can be found in the Privacy Policy of the Bitpanda Group https://www.bitpanda.com/en/legal#terms).

3. Applicability:

To whom does this Privacy Policy apply?

This Privacy Policy applies to all persons who use services offered by Financial Services or interact otherwise with Financial Services (e.g. business partners, interested parties, service providers, etc.); generally, such persons are hereinafter called “Client” or “you”.

Note: This privacy policy does not apply to persons residing in the Republic of Turkey. Bitpanda Financial Services does not provide its services in the Republic of Turkey due to the legal requirements of the Republic of Turkey. Bitpanda Financial Services therefore does not process the personal data of persons residing in the Republic of Turkey.

Additional services: For data processing in connection with the general usage of the platform www.bitpanda.com and all other services offered there, we refer to the privacy policy of the Bitpanda Group.

Financial services: For information on data processing regarding the use of payment services offered by the Bitpanda Payments GmbH, we also refer to said Privacy Policy.

Cookies: For data processing in connection with cookies and similar technologies, please also check our cookie policy.

4. Financial services:

Which financial services does Financial Services offer?

Financial Services offers the following services (hereinafter referred to as "financial services"):

  • Acceptance and Transmission of Orders:  When accepting and transmitting orders, Financial Services brings the Customer together with the Product Manufacturer or a trading platform insofar as it forwards the Customer's order for the execution of a certain transaction to the Product Manufacturer or a trading platform.

    5. Minors:

    Are minors allowed to use the services of Financial Services?

    No, the financial services of Financial Services are not directed to people under the age of 18 years. Only persons of legal age are permitted to use the services of Financial Services. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use the services of Financial Services and do not provide any personal data to us.

    6. Controller: 

    Who is responsible for the data processing and who can you contact?

    Financial Services is controller and/or joint controller in the meaning of Art 4 para 7 GDPR and therefore responsible for the processing of your personal data in connection with payment services offered via the platform. We are aware that both the protection and the careful handling of your personal data are very important. Financial Services will solely use the personal data provided by you in compliance with the applicable data protection requirements, this Privacy Policy and your consent.

    Additionally, a group-wide uniform data protection strategy in the Bitpanda Group exists. Thus, Bitpanda GmbH, as parent company, acts as a central point of contact and service provider for all data protection issues concerning all services offered via the platform or the Mobile App.

    If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact our privacy team: privacy@bitpanda.com. Please note that for certain requests, we require further identification data from you (e.g. passport, ID card, etc.), in order to ensure that your personal data is only shared with you.

    7. Data categories and sources: 

    Which personal data do we process and from which sources does the data originate?

    We process the personal data that we receive from you within the scope of the business relationship and usage of payment services. Furthermore, we might process data we receive within the Bitpanda Group and data we have received from credit agencies, debtor directories, business analysis providers (e.g. CRIF GmbH, KSV 1870 Holding AG, Dow Jones News GmbH, Factiva Limited, Sift Science Inc.) and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).

    When using our financial services or interacting with Financial Services, the following personal data might be processed:

    • Contact data: when using payments services or communicating with Financial Services we might process for example: name, address, telephone number, email, date of birth, photo of your Bitpanda account.

    • Verification data: to use our payment services your account has to be verified, therefore we might process for example: screenshots of national identity documents like passport, driving license or ID card and the identification data from these documents, also utility bill details for residence verification and video data from the video authentication process.

    • Financial data: for the performance of payment services we might process for example: bank details (IBAN, BIC), other payment service provider information, security credentials, payment details, transaction-ID and other sensitive payment data. In addition, data relating to the placing of orders for financial instruments (number of units purchased, amount, time of acquisition/termination and similar) will be processed.

    • Log data: during activities when using a payment service, we might process for example: IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optionally form data, crash reports, performance data.

    • Company details: if you have a business account and you use payment services we might process for example: commercial register report, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company.

    • Details to and proof of funds: if the proof of funds is necessary, we might process for example: banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds.

    • Support requests: if you contact our support, we might process for example: data provided in your request to the support team.

    • Recordings of telephone conversations and electronic communication: Pursuant to section 33 of the Austrian Securities Supervision Act (WAG), Financial Services is required to keep recordings of telephone calls and electronic communications at least in relation to transactions carried out in trading for its own account and the provision of services relating to the acceptance, transmission and execution of client orders. We will inform you of this in advance. It should be noted that orders are only accepted via the platform and not via telephone or email.

    8. Purpose and legal basis for using personal data:

    For which purposes and on what legal basis do we process your personal data?

    All processing is performed in accordance with the GDPR, the Austrian Data Protection Act (DSG) and the Austrian Payment Service Provider Act (ZaDiG 2018). Generally, we process your personal data based on at least one of the legal bases listed below. Regarding the performance of payment services, we will process your personal data only with your explicit consent or if we are contractually obliged to do so towards you.

    If we ask you to provide any personal data not described in point 8, then such data and the purpose and legal basis for the collection and processing, will be communicated to the Client at the point of collecting the personal data.

    8.1. For the performance of contractual obligations (Art 6 para 1 lit b GDPR):

    Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The following data processing operations, for example, are covered by such contractual obligations:

    • performance of our payment services, all tasks necessary for the operation and administration of Financial Services;

    • account management (e.g. continuous updating of Client data); 

    • execution of your payment requests (e.g. payment processing, chargebacks, proof of purchase and selling);

    • client service and support requests (e.g. contacting because of complications, Zendesk);

    • video authentication process if you register for an account on our website (validation of identity);

    • analysis and improvement of the platform's quality and the general user experience (e.g. performance tracking on the platform);

    8.2. For compliance with legal obligations (Art 6 para 1 lit c GDPR):

    Processing of personal data might also be necessary for complying with various legal obligations (e.g. FM-GWG, ZaDiG 2018, BAO, UStG etc.). The following data processing operations, for example, are covered by such legal obligations:

    • contract management, accounting and invoicing;

    • compliance and risk management;

    • Know-Your-Customer measures;

    • monitoring for prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;

    • providing information to fiscal criminal authorities in the context of fiscal criminal proceedings or to prosecution in accordance with official orders;

    • consultation of credit agencies to determine creditworthiness and default risks;

    • recordings of telephone conversations and electronic communication.

    8.3. To protect legitimate interests (Art 6 para 1 lit f GDPR):

    Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Financial Services or a third party. The following data processing operations are covered by such a legitimate interest:

    • prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;

    • risk management and risk minimisation e.g. through enquiries to credit agencies, debtor directories or providers of business analysis;

    • identification and examination of potentially defective or suspicious business cases and accesses to our websites (e.g. website analysis via Sift Science);

    • data transmission within the Bitpanda Group for internal administrative purposes (no sensitive payment data will be transmitted!);

    • account management and handling general client requests and inquiries;

    • measures for protecting our clients and partners, as well as safeguarding network and information security; also including measures from external data centres and service providers;

    • processing inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings;

    • market research, business management and continuing development of services and products;

    • direct marketing and advertising (e.g. performance of marketing strategies, targeting of Clients, dispatch of vouchers, advertisement from Financial Services);

    8.4. Based on your consent (Art 6 para 1 lit a GDPR):

    If you have given us your consent to process your personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Consent given may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing.

    Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

    9. Recipients of personal data:

    Who receives your personal data?

    The protection and confidentiality of your personal data is important to Financial Services. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.

    9.1. Data transfer within the Bitpanda Group:

    As part of the Bitpanda Group we might transmit data to a limited extent within the Bitpanda Group. This happens for internal administrative purposes to conduct internal administrative activities efficiently in a shared way or if a company of Bitpanda Group acts as service provider (processor) for Financial Services. In all these cases only those offices or employees will receive your personal data who need it to fulfil the contractual and legal obligations and legitimate interests. However, no sensitive payment data will be transmitted within the Bitpanda Group. If a company acts as a service provider for Financial Services, we contractually oblige this company to ensure the confidentiality and security of your personal data that they process on our behalf.

    9.2. Data transfer to processors:

    To a limited extent, we also transmit personal information to processors who perform services for us such as video authentication services (e.g. IDnow GmbH, youniqx Identity AG, Onfido Limited), IT services (Amazon Web Services Inc.), Client support (Zendesk Inc.), performance of contracts, account management, accounting, invoicing, and examination of defective or suspicious business cases (Sift Science Inc). Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of your personal data that they process on our behalf.

    9.3. Data transfer to public bodies and institutions:

    We might also transfer your personal data (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

    9.4. Data transfer to other third parties:

    If Financial Services acts together with other parties as joint controller (e.g. processing data for jointly determined purposes within the Bitpanda Group), we provide those parties with personal data if applicable and based on at least one of the legal bases listed above under Point 8. In case of a joint controllership, we transmit your personal data only based on a sufficient agreement with our partners (Art 26 GDPR).


    Other third parties: Financial Services might transfer your personal data to any other person with your consent to the disclosure or the purpose of performing a contract or in order to take steps at the request of the data subject prior to entering into a contract. Financial Services may disclose your personal data to other third parties with your consent to disclosure or for the purpose of fulfilling the contract or at the Customer's request even before the contract is concluded. Any such transfer of data shall take place in particular for the processing of financial services with regard to banks or other payment service providers, as well as with regard to the Bitpanda GmbH, provided that said disclosure is necessary for the implementation of orders.

    10. International data transfer:

    Is data transferred to third countries or international organisations?

    Your personal data may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection laws might be of a lower standard than those in the European Union. However, Financial Services will in all circumstances safeguard personal data as set out in this Privacy Policy.

    If we process personal data in a third country (outside the European Union (EU) or the European Economic Area [EEA]) or if this occurs in the context of the use of third-party services or disclosure and/or transfer of personal data to third parties, we shall only transfer personal data for the performance of our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorisations, we process or have personal data processed in a third country only where the conditions of Art 44 et seq GDPR are met. This means, for example, that processing and transferring is carried out based on special safeguards, such as the officially recognised setting of an adequate level of data protection corresponding to the EU (e.g. for the USA by the EU/US Privacy Shield) or compliance with officially recognised special contractual obligations (known as “Standard Contractual Clauses”) issued by the European Commission pursuant to the review procedure under Article 93 (2).

    Please contact privacy@bitpanda.com if you need further information regarding the international data transfer or if you would like to see a copy of the specific safeguards applied to the export of your personal data.

    11. Retention and deletion periods:

    For how long is my personal data processed (stored) and when will it be deleted?

    We retain your personal data, as far as necessary, for the duration of the entire business relationship (from initiation through performance to termination of a contract), and in principle 1 year after termination of the business relationship. Beyond this we retain your data only for a longer period, in accordance with statutory retention and documentation obligations, to defend legal claims or with your explicit consent.

    The retention period is thus determined by the statutory retention periods or limitation periods. In accordance with the Austrian Enterprise Code (UGB) and the Federal Tax Code (BAO) 7 years, in accordance with the Financial Market Money Laundering Act (FM-GWG) and the Payment Service Provider Act (ZaDiG 2018) 5 years, in accordance with the Equal Treatment Act (GIBG) half a year and in certain cases between 3 and 30 years according to the Austrian General Civil Code (ABGB) e.g. if data are required as evidence for legal disputes or for as long as there are other legitimate interests in retention.

    Unless expressly stated in this Privacy Policy, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.

    12. Data subject rights:

    What rights and options under GDPR do I have?

    Right of access: 

    You have the right to request confirmation from us as to whether we are processing personal data concerning you. Where personal data concerning you is being processed, you have the right to receive information from us within a reasonable time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. Please use this link if you are logged into your account to submit such a data access request.

    Right to rectification:

    You shall have the right to request the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    Right to erasure:

    You shall have the right to request the erasure of personal data concerning you from Financial Services, where one of the following grounds applies and if no further processing is required:

    • the personal data is no longer necessary in relation to the purposes for which it was co

    • you withdraw your consent on which the processing was based and where there is no other legal basis or overriding legitimate interest for the processing;

    • the personal data has been unlawfully processed; or

    • erasure of the personal data is required for compliance with a legal obligation under European Union or Member State law to which the Controller is subject.

    Requests for the erasure of personal data must include the respective ground (Art 17 para 1 GDPR).

    Right to restriction of processing:

    You shall have the right to request the restriction of processing from us where one of the following conditions applies:

    • you contest the accuracy of the personal data (the restriction shall be put in place for a period which enables Financial Services to verify the accuracy of the personal data);

    • the processing of your personal data was unlawful, and you oppose the erasure of your personal data and request instead the restriction of their use;

    • Financial Services no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or

    • You have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of Bitpanda override your own.

    Right to data portability:

    You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer this data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

    Right to object:

    You have the right to object to the processing of your personal data at any time if the processing is based on our legitimate interests. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defense of legal claims. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.

    Contact: To exercise one of the above-mentioned rights you can send an email to privacy@bitpanda.com or a letter to Bitpanda Financial Services GmbH, Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria. Please note that for such requests we require further identification data from you (e.g. passport, ID card, etc), in order to ensure that your personal data is only shared with you.

    13. Objection Advertisement:

    How can I object to the processing of my data for advertising purposes?

    You can also object to any use of your personal data for advertising purposes. Please contact us via email privacy@bitpanda.com if you want to generally object to the processing of your data for advertising purposes. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.

    Please keep in mind, however, that such an objection will only be made to the Bitpanda Group and that even after such an objection you might still receive advertising about Bitpanda from other providers on other websites over which we have no control.

    14. Automated decision-making:

    Does Financial Services use my personal data for automated decision-making including profiling?

    Financial Services does not use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR (e.g. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).

    15. Processing for other purposes:

    Is my personal data processed for purposes other than those for which the personal data was collected?

    As a general principle of Financial Services, we only process personal data for the purposes for which they were collected. In exceptional cases, however, we might process your personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about this purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to file a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.

    16. Supervisory authority:

    With which supervisory authority can I file a complaint?

    You have the right to file a complaint to the competent supervisory authority, if you think your rights have been violated under the GDPR. In Austria, this is the Data Protection Authority (Datenschutzbehörde).

    17. Declaration of consent:

    How do I give my consent and how can I withdraw my consent?

    By checking the respective box as a part of the registration process or in case of an update after the login into your Bitpanda account or when requesting a service of Financial Services, you expressly confirm that you have read the Privacy Policy and that you agree to the data processing as described therein.

    You have the right to withdraw your consent at any time to the Bitpanda Financial Services GmbH, Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, or via email to privacy@bitpanda.com. Please keep in mind that we might not be able to provide all our services to you anymore, if you withdraw your consent. The withdrawal of your consent does not affect the lawfulness of processing your personal data based on consent before your withdrawal.

    18. Data Security:

    How is my personal data protected?

    The security of data is very important to Financial Services and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.

    We have implemented the following technical and organisational measures for example:

    • SSL encryption on our websites from which we transfer personal data;

    • two-factor authentication (2FA) for our platform; 

    • ensuring the confidentiality, integrity, availability and resilience of our systems and services;

    • use of encrypted systems;

    • pseudonymisation and anonymisation of personal data;

    • entry, access and transfer control for our offices and systems;

    • measures for rapid recoverability of the availability of personal data in the event of a physical or technical incident;

    • measures for privacy by design and default on our platform like e.g. prevention of user enumeration;

    • implementation of procedures for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing, e.g. our bug bounty programme;

    • internal IT security guidelines and IT security trainings; 

    • incident-response management.

    Please also make sure that you use the two-factor authentication (2FA) for your Bitpanda account, keep your access data confidential and protect your computer against unauthorised access.

    19. Updates to this Privacy Policy:

    How will I find out about changes to this Privacy Policy?

    We, Financial Services, are committed to keeping the principles of data protection up to date. For this reason, we regularly review and update our Privacy Policy. This is to ensure that it is correctly and clearly displayed on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business development) and is implemented in accordance with applicable law, thus complying with data protection requirements. We update this Privacy Policy from time to time when required, in order to take current circumstances into account. If we make significant changes to this Privacy Policy, we will notify you after you have logged in to your account and provide you with the updated version of the Privacy Policy. If it is required by applicable law, Financial Services will obtain your express consent to significant changes.

    20. How to contact us?

    Thank you for reading our Privacy Policy!

    If you have any further questions about this Privacy Policy or the processing of your personal data, please contact our privacy team: privacy@bitpanda.com