1. About KVX
1.1 KVX is a cryptocurrency exchange that aims to be the preferred platform for direct access to cryptocurrency investment tools – not only for retail and institutional traders but also for people who are new to any type of investment.
1.2 KVX.com UAB is a limited liability company pursuant to Lithuanian laws, registered with the State Enterprise Centre of Registers (SECR) under registration number 306125960. KVX has its corporate seat at Gedimino Avenue 44a. Vilnius, 01110, LTU.
2.1 Privacy and security are essential for cryptocurrencies and blockchain technology. KVX values the trust our clients place in us when trading cryptocurrencies and other digital assets on our platform. Therefore, data protection and data security are very important to KVX.
“Account” means a unique account created for You to access our Service or parts of our Service.
“Company” (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to KVX.com UAB, registered with the State Enterprise Centre of Registers (SECR) under registration number 306125960. KVX has its corporate seat at Gedimino Avenue 44a. Vilnius, 01110, LTU. For the purpose of the GDPR, the Company is the Data Controller.
“Country” refers to the Republic of Lithuania.
“Account” means a unique account created for You to access our Service or parts of our Service.
“Cookies” are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
“Data Controller”, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
“Device” means any device that can access the Service such as a computer, a cell phone or a digital tablet.
“Personal Data” is any information that relates to an identified or identifiable individual. For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
“Service” refers to the products and services listed on our Website.
“Service Provider” means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.
“Usage Data” refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
“Website” refers to KVX.COM, accessible from https://kvx.com/
“You” means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.
5.1 KVX.com UAB is a controller and/or joint controller within the meaning of Article 4(7) GDPR and is therefore responsible for the processing of personal data in relation to the services provided by the respective companies See (Different Service Point 2).
5.2 If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact our privacy team: [email protected]. Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.
6. Data categories and sources
6.1 We process the personal data that we receive from you within the scope of the business relationship and usage of our Website. Furthermore, we might process data we receive from the customer, business, and blockchain analysis providers (we conduct an internal risk assessment of each such provider) and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).
6.2 Types of Data Collected
6.2.1 Personal Data While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to: – Email address
– First name and last name
– Phone number
– Address, State, Province, ZIP/Postal code, City
6.2.2 Usage Data – Usage Data is collected automatically when using the Service.
– Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
– When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
– We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
7. Purpose and legal basis for using personal data
7.1 All processing is performed in accordance with the GDPR and the Law of the Republic of Lithuania on the Legal Protection of Personal Data (Data Protection Law). We process your personal data based on at least one of the legal bases listed below. If KVX were to ask for the provision of any other personal data not described above, then such data and the purpose and legal basis for the collection and processing will be communicated to the Client at the point of collecting the personal data.
7.2 For the performance of contractual obligations (Art 6 para 1 lit b GDPR): – Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The following data processing operations, for example, are covered by such contractual obligations:
– general performance of our services, all tasks necessary for the operation, performance and administration of KVX and its platform;
– account management;
– execution of your orders;
– authentication process if you register an account on our website (identity validation);
– analysis and improvement of the platform’s quality and the general user experience;
– data security and IT-security on our website and safeguarding our network;
– data processing and data transmission to precious metals vendors for the transferral of ownership of precious metals to you in accordance with your order;
– recruitment process for new employees.
7.2.1 For compliance with legal obligations (Art 6 para 1 lit c GDPR): Processing of personal data might also be necessary for complying with various legal obligations (e.g. 6AMLD). The following data processing operations, for example, are covered by such legal obligations: – contract management, accounting, and invoicing;
– compliance and risk management;
– Know-Your-Customer measures like video authentication process (identity validation) and proof of funds;
– monitoring for prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;
– providing information to fiscal criminal authorities in the context of financial criminal proceedings or to prosecution in accordance with official orders;
– consultation of credit agencies to determine creditworthiness and default risks.
7.2.2 To protect legitimate interests (Art 6 para 1 lit f GDPR): Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of KVX or a third party. The following data processing operations are covered by such a legitimate interest:
– prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;
– risk management and risk minimisation e.g. through enquiries to credit agencies, debtor directories or providers of business analysis;
– identification and examination of potentially defective or suspicious business cases and accesses to our websites (e.g. website analysis via Sift Science);
– account management and handling general Client requests and inquiries;
– measures for protecting our Clients and Partners, as well as safeguarding network and information security; also measures to protect our employees, Clients and property of KVX e.g. through video surveillance (erasing cycle 72 h) and from external data centres and service providers;
– processing inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings;
– market research, business management and continuing development of services and products;
– processing statistical data, performance data and market research data via the website, the Mobile App or social media platforms (e.g. Facebook, Instagram, LinkedIn, YouTube, etc.);
– direct marketing and advertising (e.g. performance of marketing strategies, targeting of Clients, dispatch of vouchers, advertisement from KVX and its partner companies);
– use of audio, video and photo data from public spaces (e.g. public events, fairs, etc.) for marketing and other representation purposes on our social media channels or our website;
– performance tracking of the Affiliate programme and the Tell-a-Friend programme;
– testing and optimisation of procedures and models for analysing requirements, business management, product development and direct customer engagement;
– process and quality management measures.
7.2.3 Based on your consent (Art 6 para 1 lit a GDPR): If you have given us your consent to process your personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect if you no longer agree to the processing. For example, with your consent we are processing data for the following purposes: – for the use of all functions of the Mobile App (e.g. telephone permission to read SMS confirmation, camera to scan barcodes, microphone for commands, etc.);
– direct marketing and advertising (e.g. Client satisfaction surveys, newsletters, sweepstakes, and other advertising communications);
– Certain uses of audio, video and photo data (e.g. commercials, interviews, etc.) for marketing and other representational purposes via various channels;
– Automated authentication process when you verify yourself using the service (SumSub) of SumSub (validation of identity);
– application management system, recruitment process and handling your application (e.g. voluntary retention of application data for 2 years, data transfer from your social media account when using the tool “Apply with LinkedIn” see point 11).
Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.
8. Disclosure of your personal data
8.2 Law enforcement Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
8.3 Other legal requirements The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
– Comply with a legal obligation
– Protect and defend the rights or property of the Company
– Prevent or investigate possible wrongdoing in connection with the Service
– Protect the personal safety of Users of the Service or the public
– Protect against legal liability
9. Global data transfer
9.1 If we process Personal Data in a third country (other than the EU or the EEA) or this relates to the use of Third Party Services or disclosure and/or transfer of Personal Data to third parties, we only transfer personal data to fulfill our contractual (prior) obligations based on your consent, legal obligations or our legitimate interests. In accordance with our legal or contractual authority, we only process or process personal data in third countries where the requirements of Article 44 GDPR et seq. This means, for example, that processing and transfers are carried out under certain guarantees. For example, compliance with codes of conduct or authentication mechanisms and appropriate safeguards to protect data by recipients in third countries, or officially recognized special contractual obligations published by the European Commission (so-called Compliance with the “Standard Contractual Clauses”).
9.2 Please contact [email protected] if you need further information regarding the international data transfer or if you would like to see a copy of the specific safeguards applied to the export of your personal data.
10. Retention and erasure periods
10.2 Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania for up to 8 (eight) years. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.
11. Data subject rights
11.1 Right of access: You have the right to request confirmation from us as to whether we are processing personal data concerning you. Where personal data concerning you is being processed, you have the right, to receive information from us within a reasonable time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. Please use this link if you are logged into your account to submit such a data access request.
11.2 Right to rectification: You shall have the right to request the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
11.3 Right to erasure: You shall have the right to request from KVX the erasure of personal data concerning you, where one of the following grounds applies and if no further processing is required:
– the personal data is no longer necessary in relation to the purposes for which they were collected;
– you withdraw your consent on which the processing was based and where there is no other legal basis or overriding legitimate interest for the processing;
– the personal data have been unlawfully processed, or
– erasure of the personal data is required for compliance with a legal obligation under European Union or Member State law to which the Controller is subject.
– Requests for the erasure of personal data must include the respective ground (Art 17 para 1 GDPR).
11.4 Right to restriction of processing: You shall have the right to request from us the restriction of processing where one of the following conditions applies: – you contest the accuracy of the personal data (the restriction shall be put in place for a period which enables KVX to verify the accuracy of the personal data);
– the processing of your personal data was unlawful, and you oppose the erasure of your personal data and request instead the restriction of their use;
– KVX no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or
– You have objected to the processing of your personal data and it has not yet been determined whether the legitimate grounds of KVX override your own.
11.5 Right to data portability: You shall have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
11.6 Right to object: You have the right to object to the processing of your personal data at any time if the processing is based on our legitimate interests. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or unless the processing is for the assertion, exercise or defence of legal claims. The objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.
11.7 Contact: To exercise one of the above mentioned rights you can send an email to [email protected] or a letter to KVX.com UAB, Gedimino Avenue 44a. Vilnius, 01110, LTU. Please note that for such requests we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.
12. Processing for other purposes
12.1 As a general principle of KVX, we only process personal data for the purpose for which it was collected. However, in exceptional cases, personal data collected for a specific purpose may be processed for another purpose. In this case, we will inform you of this purpose, the retention period for your personal data, the exercise of your data subject rights, the possibility of withdrawing your consent and the existence of your right to object to data protection prior to the intended processing. authority, whether the provision of the data is based on legal or contractual reasons, whether the reasons were required, what are the consequences if not provided, whether automated decision-making or profiling is performed.
13. Supervisory authority
13.1 You have the right to file a complaint to the competent supervisory authority if you think your rights have been violated under the GDPR. In Lithuania, this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, website available at https://vdai.lrv.lt/).
14. Declaration of consent
14.2 You have the right to withdraw your consent at any time to KVX.com UAB, Gedimino Avenue 44a. Vilnius, 01110, LTU, or via email to [email protected]. Please keep in mind that we might not be able to provide all our services to you anymore if you withdraw your consent. The withdrawal of your consent does not affect the lawfulness of processing your personal data based on consent before your withdrawal.
15. Data Security
15.1 Data security is very important to KVX and we are committed to protecting the data we collect. We take extensive administrative, technical and physical measures to protect your personal information from accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures correspond to the highest international safety standards and are regularly checked for their effectiveness and suitability for achieving the intended safety goals.
15.2 We have implemented several technical and organisational measures to secure your personal data (e.g. two-factor authentication (2FA) for our platform; use of encrypted systems; entry, access and transfer control for our offices and systems; implementation of procedures for regular review, assessment and evaluation of the effectiveness of the technical and organisational measure to ensure the security of the processing). Please also make sure that you use the two-factor authentication (2FA) for your KVX account, keep your access data confidential, and protect your computer against unauthorised access.
17. How to contact us