• Home
  • Legal
  • Bitpanda General Terms and Conditions

Bitpanda Privacy Policy

The current version of this Privacy Policy is: March 2021

1. About this Privacy Policy

Privacy and the security of transactions are core elements of cryptocurrencies, blockchain technology and its whole global movement. Bitpanda really appreciates the trust Clients have in us when trading cryptocurrencies and other digital assets on our platform. For this reason, privacy and data security have an enormously high priority for the Bitpanda group. It is very important to us that you feel safe during your visit to our website and while using our services as well as over the course of all other business transactions with us. As soon as you make use of products and/or services of Bitpanda, you entrust us with the processing of your personal data. Bitpanda wants to give you the best possible experience with our platform to ensure that you enjoy the usage of our products and services now and in the future. That’s why we want to understand the user behaviour on our platform in order to improve it continuously. Thus, besides being needed for our provided services, it is also necessary for improving usability to process your personal data.

Therefore, in this Privacy Policy, we want to transparently inform you which personal data we collect from you, how we process it and to whom we might forward it in detail. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.

Regarding the terms used in this Privacy Policy, such as “Processing” or “Controller”, we refer to the definitions of the GDPR.

This Privacy Policy is drafted in English and German. In case of conflict the English version shall be the binding version.

2. About Bitpanda Group

Bitpanda GmbH and its direct and indirect subsidiaries (hereinafter referred to as "Bitpanda" or "Bitpanda Group" or "we") offer via its websites www.bitpanda.com, exchange.bitpanda.com and its mobile application (“Mobile App”) (together hereinafter referred to as "website" or “platform”) services and products related to buying and selling cryptocurrencies and other digital assets as well as payment and IT services.

Bitpanda GmbH with its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, registered in the commercial register of the Commercial Court of Vienna under FN 423018k is the parent company and is the content provider of the Platform as well as responsible for the offer of cryptocurrencies on it. 

Bitpanda Group consists of the following companies which are all subsidiaries of Bitpanda GmbH:

  • Bitpanda Metals GmbH: has its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 511923 d, and offers trading with precious metals via the platform www.bitpanda.com.

  • Bitpanda Payments GmbH: has its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 501412x, and offers different payment services via the platform www.bitpanda.com.

  • Bitpanda UK Limited: has its business address at 68 Hanbury Street, E1 5JL, London, United Kingdom, is registered in the Companies House under company number 11106704, and acts as a service provider for the Bitpanda Group.

  • Pantos GmbH: has its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 481562 f, and develops new blockchain applications and offers its own cryptocurrency via the platform www.bitpanda.com, see also www.pantos.io.

  • Bitpanda Customer Care GmbH: has its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 523486 h and acts as a service provider for the Bitpanda Group.

  • Bitpanda Financial Services GmbH: has its business address at Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 551181 k and acts as a service provider for the Bitpanda Group and provides the reception and transmission of orders in accordance with the Austrian Securities Supervision Act 2018 (Wertpapieraufsichtsgesetz 2018 or “WAG”).

  • Bitpanda Asset Management GmbH: has its business address at Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany and is registered in the commercial register of the Commercial Court of Frankfurt am Main under HRB 121696.

  • Bitpanda Teknoloji A.Ş.: has its business address at Esentepe Mahallesi Kir Gülü Sk. Metrocity is Merkezi D, Block Apt. No 4/4, Şişli, Istanbul, Turkey, is registered in the Trade Register of Istanbul under 243948-5 and is a service provider for the Bitpanda Group.

  • Bitpanda Issuance GmbH: has its business address at Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany registered in the commercial register of the District Court of Charlottenburg under HRB 226876B, and is a service provider for the Bitpanda Group.

  • Bitpanda Technology UK Limited: has its business address 21 Holborn Viaduct, EC1A2DY, London, United Kingdom, registered in the commercial register under 13515477, and is a service provider for the Bitpanda Group.

3. Applicability:

To whom does this Privacy Policy apply?

This Privacy Policy applies to all persons who use Bitpanda's services, the website, the apps or interacts otherwise with the Bitpanda Group (e.g. business partners, interested parties, service providers, etc.); generally, such persons hereinafter called "Client” or “you”.

Payment services: For data processing in connection with the usage of payment services offered by Bitpanda Payments GmbH, we also refer to their privacy policy.

Digital securities: For data processing in connection with the reception and transmission of orders regarding digital securities offered by Bitpanda Financial Services GmbH, we also refer to their privacy policy.

Cookies: For data processing in connection with cookies and similar technologies, please also check our cookie policy.

4. Minors:

Are minors allowed to use Bitpanda’s services?

No, the products and services of Bitpanda are not directed to people under the age of 18 years. Only persons of legal age are permitted to use the services of Bitpanda and register for an account. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use Bitpanda’s platform and do not provide us with any personal data.

5. Controller: 

Who is responsible for the data processing and who can you contact?

Bitpanda is aware that both the protection and the careful handling of your personal data are very important. Bitpanda will solely use the personal data provided by you in compliance with the applicable data protection requirements, this Privacy Policy and your consent.

Generally, each company of the Bitpanda Group is a controller and/or joint controller in the meaning of Art 4 para 7 GDPR and therefore responsible for the processing of personal data in connection with the services provided by the specific company (for the different services see Point 2).

Due to the high data security standards in the Bitpanda Group, Bitpanda considers it necessary to implement a group-wide uniform data protection strategy. Thus, Bitpanda GmbH, as parent company, acts as a central point of contact for all data protection issues concerning all services offered by the Bitpanda Group via the platform or the Mobile App.

If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact our privacy team: privacy@bitpanda.com Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.

6. Data categories and sources: 

Which personal data do we process and from which sources does the data originate?

We process the personal data that we receive from you within the scope of the business relationship and usage of our Website. Furthermore, we might process data we receive within the Bitpanda Group and data we have received from credit agencies, debtor directories, business analysis providers (e.g. CRIF GmbH, KSV 1870 Holding AG, Dow Jones News GmbH, Factiva Limited, Sift Science Inc.) and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).

When using Bitpanda's services or interacting with Bitpanda, the following personal data might be processed:

  • Contact data: when creating a new user account or communicating with Bitpanda, we might process for example: name, address, telephone number, email, date of birth, photo for the account, etc.

  • Verification data: when an account is verified, also depending on the level of verification, therefore we might process for example: screenshots of national identity documents, like passport, driving licence, ID card, and identification data from these documents, utility bill details for residence verification, data about status of political exposed persons, video data from the video authentication process, biometric data for verification (see point 8), etc.

  • Financial data: over the course of purchase and sale transactions, we might process for example: bank details (IBAN, BIC), payment service provider information, payment details, transaction-ID, etc.

  • Log data: during activities on the website, we might process for example: IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, identification cookies (e.g. for the Affiliate and Tell-a-Friend programme), optionally form data, crash reports, performance data, third-party cookies, etc.

  • Mobile app data: when using the Mobile App, we might process for example: IP-address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optionally form data, crash reports, performance data and only with your explicit consent, data from: camera, microphone, storage, telephone (read SMS confirmation).

  • Company details: if you use a business account we might process for example: commercial register reports, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, etc.

  • Details to and proof of funds: if proof of funds is necessary, we might process for example: banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, if exceeding the daily/monthly or general limits on Bitpanda or upgrading to Bitpanda Plus “High Limit Service or OTC Service” (more info see https://www.bitpanda.com/plus). In order to determine Client's purpose for using the above-mentioned services or trading volume additional information on recent, past or planned business or personal activities of business or private Clients or other data to determine the Client’s intentions, if necessary, can be processed, as requested by Bitpanda or provided by the Client.

  • Support requests: if you contact our support, we might process for example: personal data provided to the support team when you submit a request to Bitpanda's support team or any other member of the Bitpanda team.

  • Marketing data: if you visit our website or social media sites (like the Facebook Fanpage) or during the usage of the Mobile App, we might process statistical and marketing data for example: number of visitors, frequency, clicks, time, places, target groups, data from cookies and similar technologies (Pixels, ClearGIFs, etc.), consumer’s behaviour, interests and preferences, data about market research and target groups surveys, etc.; for social media see also point 11 and for cookies our Cookie Policy

  • Photo, video and audio data: When we attend or organise events or fairs or hold interviews with people, we may take photos and other recordings of such events and might process photo, video and audio data. However, we will always inform you separately about such recordings.

  • Hiring data: if you apply for a job on our website or via LinkedIn, we might process data which is necessary for the recruitment process, for example: contact data, curriculum vitae, qualifications, police clearance certificate, credit report, national identity documents like passport, driving licence and the data from all these documents, links to your portfolio or social media platforms, etc.

 7. Purpose and legal basis for using personal data: 

For which purposes and on what legal basis do we process your personal data?

All processing is performed in accordance with the GDPR and the Austrian Data Protection Act (DSG). We process your personal data based on at least one of the legal bases listed below. If Bitpanda were to ask for the provision of any other personal data not described above, then such data and the purpose and legal basis for the collection and processing will be communicated to the Client at the point of collecting the personal data.

7.1. For the performance of contractual obligations (Art 6 para 1 lit b GDPR):

Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The following data processing operations, for example, are covered by such contractual obligations:

  • general performance of our services, all tasks necessary for the operation, performance and administration of Bitpanda and its platform;

  • account management (e.g. continuous updating of Client data); 

  • execution of your orders (e.g. payment processing, chargebacks, proof of purchase and selling); 

  • performance of the Affiliate programme and the Tell-a-Friend programme; 

  • Client service and support requests (e.g. contacting because of complications, Zendesk);

  • video authentication process if you register for an account on our website (validation of identity);

  • analysis and improvement of the platform's quality and the general user experience (e.g. performance tracking on the platform);

  • data security and IT-security on our website and safeguarding our network (e.g. prevention of identity theft and defective or suspicious accesses to our websites);

  • application processing and data transmission for the Bitpanda Debit Card (see point 9.4.);

  • data processing and data transmission to precious metals vendors for the transferral of ownership of precious metals to you in accordance with your order;

  • recruitment process for new employees.

7.2. For compliance with legal obligations (Art 6 para 1 lit c GDPR):

Processing of personal data might also be necessary for complying with various legal obligations (e.g. 5. AMLD, ZaDiG 2018, GewO 1994, etc.). The following data processing operations, for example, are covered by such legal obligations:

  • contract management, accounting and invoicing;

  • compliance and risk management;

  • Know-Your-Customer measures like video authentication process (validation of identity) and proof of funds;

  • monitoring for prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;

  • providing information to fiscal criminal authorities in the context of fiscal criminal proceedings or to prosecution in accordance with official orders;

  • consultation of credit agencies to determine creditworthiness and default risks.

7.3. To protect legitimate interests (Art 6 para 1 lit f GDPR):

Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Bitpanda or a third party. The following data processing operations are covered by such a legitimate interest:

  • prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;

  • risk management and risk minimisation e.g. through enquiries to credit agencies, debtor directories or providers of business analysis;

  • identification and examination of potentially defective or suspicious business cases and accesses to our websites (e.g. website analysis via Sift Science);

  • data transmission within the Bitpanda Group for internal administrative purposes;

  • account management and handling general Client requests and inquiries;

  • measures for protecting our Clients and Partners, as well as safeguarding network and information security; also measures to protect our employees, Clients and property of Bitpanda e.g. through video surveillance (erasing cycle 72 h) and from external data centres and service providers;

  • processing inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings;

  • market research, business management and continuing development of services and products;

  • processing statistical data, performance data and market research data via the website, the Mobile App or social media platforms (e.g. Facebook, Instagram, LinkedIn, YouTube, etc.);

  • processing Client preferences (e.g. language, region) via cookies on our website (see also our Cookie Policy;

  • direct marketing and advertising (e.g. performance of marketing strategies, targeting of Clients, dispatch of vouchers, advertisement from Bitpanda and its partner companies);

  • use of audio, video and photo data from public spaces (e.g. public events, fairs, etc.) for marketing and other representation purposes on our social media channels or our website;

  • performance tracking of the Affiliate programme and the Tell-a-Friend programme.

7.4. Based on your consent (Art 6 para 1 lit a GDPR):

If you have given us your consent to process your personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. For example, with your consent we are processing data for the following purposes:

  • for the use of all functions of the Mobile App (e.g. telephone permission to read SMS confirmation, camera to scan barcodes, microphone for commands, etc.);

  • direct marketing and advertising (e.g. Client satisfaction surveys, newsletters, sweepstakes and other advertising communications);

  • website analysis and tracking for advertising purposes (see also our Cookie Policy;

  • Certain uses of audio, video and photo data (e.g. commercials, interviews, etc.) for marketing and other representational purposes via various channels;

  • Automated authentication process when you verify yourself using the service (“Onfido”) of Onfido Limited (validation of identity);

  • application management system, recruitment process and handling your application (e.g. voluntary retention of application data for 2 years, data transfer from your social media account when using the tool “Apply with LinkedIn” see point 11).

Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

8. Special categories of personal data: 

Does Bitpanda process special categories of personal data?

No, generally Bitpanda does not process special categories of Clients' personal data of. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data (Art 9 para 1 GDPR). However, there is one exception to this when you voluntarily perform the verification of your account using the automated authentication process (Onfido) of our service provider Onfido Limited (3 Finsbury Avenue, London EC2M 2PA). 

With this verification method, in addition to the actual verification data (e.g. screenshots of ID documents and identification data from these, residence, status of politically exposed persons, video data, etc.), biometric data (e.g. personal data resulting from specific technical processing in connection with the physical, physiological or behavioral characteristics of a person and enabling the unique identification of a person, e.g. facial images, dactyloscopic data) is also collected. Such processing of biometric data takes place exclusively on the basis of your express consent, which you may revoke at any time.

The biometric data will be processed solely by our processor Onfido Limited for the purpose of verification and will be erased completely within 30 days after performing the identification. Bitpanda only receives the positive or negative verification result with other verification data and does not process biometric data from Clients itself at any time.

9. Recipients of personal data: 

Who receives your personal data?

The protection and confidentiality of your personal data is important to Bitpanda. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.

9.1. Data transfer within the Bitpanda Group:

Within the Bitpanda Group, those offices or employees will receive your personal data who need it to fulfil the contractual and legal obligations and legitimate interests. We transfer personal data for the purpose of our daily business operations like account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to maintain as well as improve our products and services.

9.2. Data transfer to processors:

To a limited extent, we also transmit personal information to processors who perform services for us such as video authentication services (e.g. IDnow GmbH, youniqx Identity AG, Onfido Limited), IT services (Amazon Web Services Inc.), Client support (Zendesk Inc.), improvement of our website (Hotjar Limited); performance of contracts, account management, accounting, invoicing, examination of defective or suspicious business cases (Sift Science Inc), application management (Lever Inc.) and sending out newsletters (e.g. UAB MailerLite). Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of your personal data that they process on our behalf. 

9.3. Data transfer to public bodies and institutions:

We might also transfer your personal data (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

9.4. Data transfer to other third parties:

Joint Controllership: If Bitpanda acts together with other parties as joint controller (e.g. processing data for jointly determined purposes within the Bitpanda Group), we provide those parties with personal data if applicable and based on at least one of the legal bases listed above under Point 7. In case of a joint controllership, we transmit your personal data only based on a sufficient agreement with our partners (Art 26 GDPR).

Other third parties: Bitpanda might transfer your personal data to any other person with your consent to the disclosure or the purpose of performing a contract or in order to take steps at the request of the data subject prior to entering into a contract, especially in regard of Bitpanda Payments GmbH and/or Bitpanda Metals GmbH, as far as the disclosure is necessary for the processing of payment services (privacy policy of Bitpanda Payments GmbH) or the purchase and sale of precious metals.

Bitpanda debit card: To offer the Bitpanda debit card, Bitpanda cooperates with UAB Finansinės paslaugos (“Contis”), with the company code 304406236, registered in the Register of Legal Entities of the Republic of Lithuania, having a head office at Mėnulio g. 11-101, Vilnius, Lithuania. If you order the Bitpanda debit card via our website we will transfer your personal data as required to process your application for the Bitpanda debit card (such as verification data, contact data, financial data) to Contis. Contis will process your personal data to issue the Bitpanda debit card and will create and manage an account with Contis for you. Contis is an independent data controller. For further information as to the type of personal data we share with Contis and the uses made by them of that data, you should also read the privacy policy of Contis which is available here on the website of Contis.

10. International data transfer:

Is data transferred to third countries or international organisations?

Your personal data may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection laws might be of a lower standard than those in the European Union. However, Bitpanda will in all circumstances safeguard personal data as set out in this Privacy Policy.

If we process personal data in a third country (outside the European Union (EU) or the European Economic Area [EEA]) or if this occurs in the context of the use of third-party services or disclosure and/or transfer of personal data to third parties, we shall only transfer personal data to the performance of our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorisations, we process or have personal data processed in a third country only where the conditions of Art 44 et seq GDPR are met. This means, for example, that processing and the transfer is carried out based on special safeguards, such as the adherence to a code of conduct or certification mechanism together with binding and enforceable commitments from the recipient in the third country to apply the appropriate safeguards to protect the data or compliance with officially recognised special contractual obligations published by the European Commission (known as “Standard Contractual Clauses”).

Please contact privacy@bitpanda.com if you need further information regarding the international data transfer or if you would like to see a copy of the specific safeguards applied to the export of your personal data.

11. Social Media presence: 

Are data processed on social media platforms and who is responsible in such cases?

General: Bitpanda maintains social media presence on different platforms (see below) in order to communicate with its active Clients, prospective Clients and interested social media users about Bitpanda’s services, products and other news. When you access such social media platforms, the general terms and conditions, as well as the privacy policies of these operators, additionally apply. We would like to point out that user data may also be processed outside the European Union. This can result in risks for users due to different legal frameworks (e.g. it could make it more difficult to enforce data subject rights).

As part of the technical process of different social media platforms (e.g. Google, Facebook, Twitter, etc.), these platforms will know when you click on content or a website you are visiting, if you are logged in to your social media account at the same time. Such information is collected by social media platforms and assigned to your social media accounts, regardless of whether you click on content of this platform or not. By logging out from your accounts, you can prevent such companies from associating the information collected with your accounts. The activities of those companies are not controlled by Bitpanda and therefore, we do not assume any liability for damages that you may incur through the use of your data by these companies. For more information regarding tracking, cookies and similar technologies as well as opt-out possibilities, have a look at our Cookie Policy.

Controller: Bitpanda can only process personal data of social media users if they communicate directly with Bitpanda via such platforms (e.g. number of visitors, posted articles, likes, direct messages, Client inquiries, comments, etc.). In such cases, Bitpanda is also responsible for the processing of personal data gathered thereby. In addition to the data processing by us, other providers, in particular operators of social networks and platforms, also process personal user data. We have no influence on this data processing and are not responsible for it - the data processing takes place exclusively in the area of responsibility of the other providers.

For a detailed explanation of the respective processing and the possibilities of objection (opt-out) by providers of social media networks, we refer to the respective privacy policies of the providers (see below). In the case of requests for information and the assertion of data subject rights regarding data processing by other providers, we point out that these can be asserted with the below-mentioned providers. Only the providers have access to the data of the users and can directly take appropriate measures and give information.

Our social media pages and channels and links to their privacy policies: 

Our social media pages and channels

Privacy Policy

Instagram

Link

Facebook

Link

LinkedIn

Link

Twitter

Link

Telegram

Link

YouTube

Link

Reddit

Link

Pinterest

Link

VK

Link


Facebook Insights: Bitpanda maintains a Facebook Fanpage (“Fanpage”) and uses the associated analytic tool “Facebook Insights”. With this tool, Bitpanda receives anonymous statistical evaluations about its Fanpage (e.g. number of visitors, frequency, target groups, etc.). For the processing of personal data in this context Bitpanda and Facebook Ireland Limited (“Facebook”) are joint controllers (Art 4 para 7 GDPR) and therefor jointly responsible for the data processing. A corresponding agreement is in place between Bitpanda and Facebook in accordance with 26 para 1 GDPR, which can be accessed via this link. However, Bitpanda does not store any of this data, the data is solely stored by Facebook and processed via Insights. For all questions and inquiries regarding Facebook Insight, Facebook acts as single point of contact and can be contacted via this link.

Apply with LinkedIn Button: When using the opportunity to apply for jobs via the social sign-in button “Apply with LinkedIn”, provided by the social network LinkedIn (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA) you permit Bitpanda to access your LinkedIn profile. After clicking on the button “Apply with LinkedIn” you will be directed to LinkedIn to enter your LinkedIn access data. You can select the data you want to share with Bitpanda and only the data you choose is transferred to Bitpanda. Bitpanda will not receive any information about your login or access data on LinkedIn. For further information please also see the privacy policy from LinkedIn.

12. Newsletter:

What’s the legal basis for electronic notifications and how to unsubscribe?

In our email newsletter (e.g. coin-update), we inform you about Bitpanda’s services and products. If you would like to receive our newsletter, you have to subscribe with your email address. We send newsletters and other electronic notifications only with your expressly consent if you’ve subscribed for it (double opt-in) or which is recorded during registration for a Bitpanda account, or where there is a legal basis to do so (e.g. Art. 107 para 3 of the Austrian Telecommunications Act [TKG]). With the double opt-in procedure, we check whether you are the holder of the email address given or if its holder agrees with receiving electronic notifications. This procedure serves as proof in case a third party misuses an email address through registering to receive the newsletter without the knowledge of the entitled party. 

Our Newsletter is performed by UAB MailerLite (J. Basanavičiaus 15, LT-03108 Vilnius, Lithuania) and in the newsletter so-called web beacons (also called ClearGIFs or tracking pixels) might be used. Such web beacons provide us with a better understanding of our Clients' interactions with the newsletter. They fulfil a similar function as cookies, but they are not visible to users. Information can be obtained via web beacons, in particular about whether an email was opened and whether the user’s system is capable of receiving HTML emails.

You may unsubscribe from our newsletter, e.g. by withdrawing your consent, at any time. You can unsubscribe when you are logged into your account and furthermore you will find a link to unsubscribe at the end of each notification. Please note that we will continue to process your personal data until you withdraw your consent to the storage of the data, so that we can prove consent previously given to receive newsletters. The processing of this data is limited to the purpose of a possible defence against claims and you shall have the right to request the deletion of your personal data.

13. Retention and deletion periods:

For how long is my personal data processed (stored) and when will it be deleted?

We retain your personal data, as far as necessary, for the duration of the entire business relationship (from initiation through performance to termination of a contract), and in principal 1 year after termination of the business relationship. Beyond this we retain your data only for a longer period, in accordance with statutory retention and documentation obligations, to defend legal claims or with your explicit consent. 

The retention period is thus determined by the statutory retention periods or limitation periods. In accordance with the Austrian Enterprise Code (UGB) and the Federal Tax Code (BAO) 7 years, in accordance with the Financial Market Money Laundering Act (FM-GWG) 10 years, in accordance with the Equal Treatment Act (GIBG) half a year, and in certain cases between 3 and 30 years according to the Austrian General Civil Code (ABGB) e.g. if data is required as evidence for legal disputes or for as long as there are other legitimate interests in retention.

Unless expressly stated in this Privacy Policy, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.

14. Data subject rights:

What rights and options under GDPR do I have?

Right of access: 

You have the right to request confirmation from us as to whether we are processing personal data concerning you. Where personal data concerning you is being processed, you have the right, to receive information from us within a reasonable time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. Please use this link if you are logged into your account to submit such a data access request. 

Right to rectification:

You shall have the right to request the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure:

You shall have the right to request from Bitpanda the erasure of personal data concerning you, where one of the following grounds applies and if no further processing is required:

  • the personal data is no longer necessary in relation to the purposes for which they were collected;

  • you withdraw your consent on which the processing was based and where there is no other legal basis or overriding legitimate interest for the processing;

  • the personal data have been unlawfully processed; or

  • erasure of the personal data is required for compliance with a legal obligation under European Union or Member State law to which the Controller is subject.

Requests for the erasure of personal data must include the respective ground (Art 17 para 1 GDPR).

Right to restriction of processing:

You shall have the right to request from us the restriction of processing where one of the following conditions applies:

  • you contest the accuracy of the personal data (the restriction shall be put in place for a period which enables Bitpanda to verify the accuracy of the personal data);

  • the processing of your personal data was unlawful, and you oppose the erasure of your personal data and request instead the restriction of their use;

  • Bitpanda no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or

  • You have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of Bitpanda override your own.

Right to data portability:

You shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object:

You have the right to object to the processing of your personal data at any time if the processing is based on our legitimate interests. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.

Contact: To exercise one of the above-mentioned rights you can send an email to privacy@bitpanda.com or a letter to Bitpanda GmbH, Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria. Please note that for such requests we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.

15. Objection Advertisement:

How can I object to the processing of my data for advertising purposes?

You can also object to any use of your personal data for advertising purposes. Please contact us via email privacy@bitpanda.com if you want to generally object to the processing of your data for advertising purposes. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.

You also have the possibility to directly opt-out from tracking and the setting of cookies for advertisement purposes with our Cookie Banner (please see also our Cookie Policy). Furthermore, you may unsubscribe from our newsletter using this link.

Please keep in mind, however, that such an objection will only be made to the Bitpanda Group and that even after such an objection you might still receive advertising about Bitpanda from other providers on other websites over which we have no control.

16. Automated decision-making:

Does Bitpanda use my personal data for automated decision-making including profiling?

Bitpanda does not use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR (e.g. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).

17. Processing for other purposes:

Is my personal data processed for purposes other than those for which the personal data was collected?

As a general principle of Bitpanda, we only process personal data for the purposes for which they were collected. In exceptional cases, however, we might process your personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about this purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to file a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.

18. Supervisory authority:

With which supervisory authority can I file a complaint?

You have the right to file a complaint to the competent supervisory authority, if you think your rights have been violated under the GDPR. In Austria, this is the Data Protection Authority (Datenschutzbehörde).

19. Declaration of consent:

How do I give my consent and how can I withdraw my consent?

By checking the respective box as a part of the registration process or in case of an update after the login into your Bitpanda account, you expressly confirm that you have read the Privacy Policy and that you agree to the data processing as described therein.

By checking the respective separate box for news and updates per email (newsletter) you expressly consent that you agree to receive electronic communication as described above in point 12.

You have the right to withdraw your consent at any time to Bitpanda GmbH, Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria, or via email to privacy@bitpanda.com. Please keep in mind that we might not be able to provide all our services to you anymore, if you withdraw your consent. The withdrawal of your consent does not affect the lawfulness of processing your personal data based on consent before your withdrawal.

20. White Label Solution (only applicable for customers of White Label Solution Partners)

Bitpanda offers its own white label solution. This allows the offer of Bitpanda products to customers of certain partners. For this, the infrastructure of Bitpanda is used. Furthermore, to provide the service it is necessary that personal data is transferred between Bitpanda and their partners. Section 20 is only applicable to the data processing of customers of white label solution partners. 

What categories of personal data will be processed and exchanged?

 Bitpanda will receive any personal data which is necessary to open a verified account and process them in its role as Controller. Among this data will be name, address, verification data and KYC data (please refer to 6.). Furthermore, Bitpanda is required to share personal data with the concerned White Label partner, when it is necessary for providing the service (please refer to section 9).

What’s the purpose of it and what’s the legal basis? 

For the fulfillment of the service, it is necessary to process personal data for the performance of the contract. Furthermore, the processing of, for example, KYC data is necessary due to a legal obligation (please refer to section 7).

What data we don’t get:

We won’t receive any data which is not necessary for providing the services of Bitpanda. In other words, all data, which is solely necessary for the main service of the partner, won't be transferred to Bitpanda.

Current White-Label-Partners:

Partner Address
Privacy Notice

Lydia Solutions SAS

14 Avenue de l’Opéra, 75001 Paris

https://support.lydia-app.com/l/en/article/6ogzqxbjos-lydia-personal-data-protection-policy


21. Data Security:

How is my personal data protected?

The security of data is very important to Bitpanda and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.

We have implemented the following technical and organisational measures for example:

  • SSL encryption on our websites from which we transfer personal data;

  • two-factor authentication (2FA) for our platform; 

  • ensuring the confidentiality, integrity, availability and resilience of our systems and services;

  • use of encrypted systems;

  • pseudonymisation and anonymisation of personal data;

  • entry, access and transfer control for our offices and systems;

  • measures for rapid recoverability of the availability of personal data in the event of a physical or technical incident;

  • measures for privacy by design and default on our platform like e.g. prevention of user enumeration;

  • implementation of procedures for regular review, assessment and evaluation of the effectiveness of the technical and organisational measure to ensure the security of the processing like e.g. our bug bounty programme;

  • internal IT security guidelines and IT security trainings; 

  • incident-response management.

Please also make sure that you use the two-factor authentication (2FA) for your Bitpanda account, keep your access data confidential and protect your computer against unauthorised access.

22. Updates of this Privacy Policy:

How will I find out about changes to this Privacy Policy?

We, Bitpanda, are committed to upholding the principles of data protection up to date. For this reason, we regularly review and update our Privacy Policy. This is to ensure that it is correctly and clearly displayed on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business development) and is implemented in accordance with applicable law, thus complying with data protection requirements. We update this Privacy Policy from time to time when required, in order to take current circumstances into account. If we make significant changes to this Privacy Policy, we will notify you after the login into your account and provide you with the updated version of the Privacy Policy. If it is required by applicable law, Bitpanda will obtain your express consent to significant changes.

23. How to contact us?

Thank you for reading our Privacy Policy! 

If you have any further questions about this Privacy Policy or the processing of your personal data, please contact our privacy team: privacy@bitpanda.com