PRIVACY POLICY


February 2024 - Version 3.1

Legal notice


Bitstack, a simplified joint-stock company with a share capital of €13,333.30, is registered with the R.C.S. of Aix-En-Provence under number 899 125 090 and located at 100 impasse des Houillères -Le Pontet, 13590 Meyreuil, France.

Bitstack is registered with the Financial Markets Authority as a Digital Asset Service Provider ("PSAN") for the activities of digital asset custody and buying/selling digital assets against legal tender, under number E2021-027.

The publication director is Mr. Alexandre Roubaud.

Contact: hello@bitstack-app.com


The website is hosted by Namecheap.

The application is exclusively available through the Apple App Store and Google Play Store.

1. Preamble

The Company believes that trust is the crucial element for fruitful and lasting relationships. In this regard, the protection of personal data and the privacy of its current or potential customers ("Users") is no exception.

This is why the Company pays particular attention to collecting and processing their personal data with the utmost care and in strict compliance with the applicable legal framework.

To inform as transparently as possible, the Company has drafted the following privacy notice. It aims to explain in detail why and how Users' personal data are processed when they browse the bitstack.fr website ("the Site") or the mobile application (collectively "the Platform") or use the services offered by the Company ("the Services").

2. Scope and Purpose of this Privacy Notice


This privacy notice ("Privacy Policy") aims to inform you, as a User, about how the Company, as the data controller, processes information that can identify you directly or indirectly ("Personal Data") when you use the Site.

This policy, accessible at any time on the Platform, is the only applicable policy and prevails over all previous versions.

3. Categories of Data, Processing Purposes, and Legal Bases


When a User uses the Services, the Company processes their Personal Data for various purposes detailed below, each duly legitimized by a valid legal basis.


Navigation Information. To enrich the User experience, the Company wants to understand their interactions with the Services. Therefore, the Company needs to analyze various navigation information collected through Cookies to analyze the performance related to the use of the Services.


For this, the Company relies on its legitimate interest in (i) understanding how its Platform is navigated by Users; and (ii) improving the Platform if necessary.


Correspondence and Communications. The Company collects and processes Personal Data to respond to any questions, requests, or feedback that Users may submit to the Company, whether initiated by the latter or not.


Thus, the collection and processing of Personal Data through this means can only occur following a question, request, or feedback directly sent by mail or email to the Company. Outside of this situation, Personal Data will never be collected through this means.


This processing involves the collection of the following categories of Personal Data: (i) identification data (i.e., the information provided, including name and email address) and (ii) the content of the messages you send to the Company.


This processing is based on the Company's legitimate interest in managing its relationships with Users.


Account Management. Users must create an account on the Platform to access the Services, requiring a significant Know Your Customer (KYC) procedure. To manage this account, and especially to allow Users to access content reserved for account holders only, the Company collects and processes various Personal Data.


For individuals: first and last names; date and place of birth; age; nationality; socio-professional category; business sector; income; tax notice; home address; email address; IP address; digital asset wallet details; copy of an official identity document; username and password to access the account.


For legal entities: trade name; corporate name; registration number; registered office address; email address of the individual representing the legal entity; IP address; digital asset wallet details; mobile phone number of the individual representing the legal entity; copy of up-to-date statutes; copy of a document identifying the legal entity, such as a Kbis extract less than 3 months old for French companies, a certificate of legal validity or a certificate of incorporation for foreign companies, and an extract from the Official Journal confirming its declaration to the prefecture for associations; names, first names, address of the individual representing the legal entity if this individual is not a legal representative; first names, last names, date and place of birth of the legal representative; copy of an official identity document of the individual representing the legal entity and the beneficial owners; business sector; turnover; tax package or financial situation; username and password to access the account.


The legal basis for this processing lies in the necessity for the Company (i) to execute a contract to which the User is a party and (ii) to comply with its obligations in the fight against money laundering and terrorist financing (AML/CTF).

Collection of Contacts and Images of Contacts. When a User decides to synchronize their address book with Bitstack, the Company collects the following information related to the User's contacts: names, email addresses, phone numbers, and, where applicable, images associated with these contacts. These data are used to enrich the user experience on the Platform and facilitate interaction between Users and their contacts.

The legal basis for this processing is based on the User's consent, which is sought at the time of synchronization of their address book with the Platform. The User has the right to withdraw their consent at any time, which will result in the cessation of contact data processing and their deletion.


Order Management. The Company collects Personal Data necessary for order management and billing, under the following conditions:


For individuals: bank details, account number, first and last names; email address; IP address; and digital asset wallet details.


For legal entities: bank details, account number, name, registration number, email address; IP address; and digital asset wallet details.


The legal basis for this processing lies in the necessity to execute a contract to which the User is a party.


Payment and Withdrawal Management. Payment and withdrawal management is carried out by an external provider to the company, under the conditions specified below (4. Recipients of Personal Data). For the operation of the Service, Users must consent to the collection of Personal Data by external providers to the Company, which will be transmitted to Bitstack. These data are the User's bank details and information on their account collected as part of the round-up savings service, in accordance with the Company's terms and conditions of sale.


The legal basis for this processing lies in (i) the necessity to execute a contract to which the Users are parties as soon as they become customers of the Company (management of payments, withdrawals, and subscriptions) as well as in (ii) compliance with legal obligations related to the fight against payment card fraud.


Users are never obliged to provide Personal Data that the Company may request. However, the Company draws their attention to the fact that if they refuse, access to the Services may be limited, suspended, or even impossible.


In any case, and regardless of the purpose sought by the processing in question, the Company will adhere to a strict data minimization principle and will therefore only collect and process Personal Data necessary for the aforementioned purposes.

4. Recipients of Personal Data


The Company shares Personal Data with service providers and third-party suppliers who assist the Company in achieving the objectives specified in this Privacy Policy and participate in the provision of Services. As subcontractors of the Company, these providers and suppliers may have access to Personal Data solely for the purpose of carrying out the tasks assigned to them. The Company ensures that its subcontractors offer sufficient guarantees for the execution of the mission and comply with applicable laws and regulations.


Where applicable, the Company shares Personal Data with competent courts and any other governmental and/or public authority requesting access to Personal Data, to the extent that this is legally permitted.


In any case, the Company only discloses Personal Data to the aforementioned recipients based on a strict need-to-know basis and only to the extent necessary to achieve duly identified processing objectives.


If the Company believes it is not necessary to retain the User's Personal Data in its active database, the Company will archive them and ensure that access is limited to a restricted number of people who genuinely need to access the Personal Data.

5. Retention Periods


The Company retains Personal Data for a limited period that cannot exceed under any circumstances the time required to achieve the objectives described in Article 3 of this privacy policy.

Navigation Information. The retention period for Cookies is specified below in accordance with the provisions of Article 9 of this privacy policy.


Correspondence and Communications. Personal Data resulting from questions, requests, or feedback from Users are not kept for more than five (5) years after the last contact initiated by the User.


Account Management. The Company will retain Personal Data until the account is closed. However, if the Company needs to keep Personal Data for evidence purposes beyond the closure date of your online account, the applicable maximum retention period will then comply with legal prescription periods.


Order Management. Regarding order management, Personal Data will be kept for the duration of the business relationship and ten (10) years after that period for accounting obligations.


Payment Management. Personal Data are retained:

  • In case of a purchase and sale operation, until the service is performed;

  • In case of a subscription, until the last payment due date, if the subscription does not provide for automatic renewal.


Concerning the retention of evidence to manage any potential claims, the data are kept for a period of 13 months following the debit date. The data thus retained for evidence must be kept in an intermediate archive and only be used in case of a dispute over the transaction.


If the Company believes it is not necessary to retain Personal Data in the Company's active database, they will be archived, and the Company will ensure that access is limited to a restricted number of people who genuinely need to access the Personal Data.


6. Transfer of Personal Data


Personal Data may be processed outside the territory of the European Union. In this situation, the Company takes all necessary precautions and alternatively or cumulatively ensures that (i) an adequacy decision has been made by the European Commission regarding the destination country; (ii) contractual clauses adopted by the European Commission or the supervisory authority have been signed with the recipient; (iii) the recipient adheres to an approved code of conduct or certification mechanism.


7. User Rights


As a data subject, you have various rights concerning the processing of Personal Data. These are as follows:

  • Right to request access to Personal Data from the Company and their rectification or erasure;

  • Right to request restriction of processing concerning you;

  • Right to object to the processing of Personal Data;

  • Right to data portability;

  • Right to give instructions concerning the use of Personal Data after the User's death;

  • Right to lodge a complaint with the National Commission for Data Protection (CNIL), the competent supervisory authority.


To exercise their rights or for any questions about the protection of Personal Data, Users must make the request accompanied by proof of identity by mail addressed to Bitstack SAS, 100 impasse des Houillères - Le Pontet, 13590 Meyreuil, France or by email at hello@bitstack.fr.


The Company strives to respond without undue delay and no later than one (1) month after receiving the request. The Company reserves the right to extend this period to three (3) months in the case of a complex request.


The Company is committed to protecting Personal Data and complying with the applicable legal framework for data protection.


That is why the Company collaborates with Users. Thus, you agree to inform the Company if the Personal Data that Users have shared with the Company become obsolete or inaccurate.


Furthermore, if you provide the Company with information that directly or indirectly identifies any other individual (e.g., Users have sent a request to the Company and share Personal Data concerning another individual in the email), you declare and guarantee that, before sharing this information with the Company, these other individuals have received this privacy policy and, where applicable, have consented to the processing of their data.


8. Security


The Company commits to taking appropriate technical and organizational measures to ensure the security and confidentiality of the processed Personal Data.


9. Cookies


You are informed that information called Cookies may be transmitted to the User's browser or device by the Service when using the Site. Upon first browsing the Site, a "Cookies" banner may appear and ask you to accept, refuse, or configure Cookies.


The maximum retention period for Cookies is thirteen (13) months from the moment they are placed on the User's browser or device. At the end of this period, new consent will be required.


You can accept, refuse, and delete some or all Cookies.


You are informed that refusing certain Cookies may affect the provision of the Service and navigation on the Site.


The Company informs you that Cookies can be configured in the browser's help menu, at the following URLs: Google; Mozilla Firefox; Safari; Edge, and Opera.