01 In plain English
We collect what regulators require, what the product needs, and nothing else. We don't sell your data. We don't run a behavioural ad model. If a third party touches your data, we name them below and explain why.
The rest of this page explains this in detail. Skim the headings, read the sections that apply to you, and write to [email protected] if anything reads unclearly.
02 Who we are
CoinMoove is the trading name of the company operating this service. Incorporation and licensing details — including the registered legal entity, jurisdiction, and any applicable virtual-asset service provider (VASP) registration — will be published here in full ahead of public launch.
For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR, CoinMoove is the controller of personal data described in this policy. Our Data Protection Officer can be reached at [email protected].
03 What personal data we collect
Information you give us
- Identification: name, date of birth, nationality, government-issued ID, residential address, photograph (selfie liveness).
- Business identification (for merchants): company name, registration number, articles of association, beneficial-owner declarations, proof of address.
- Contact: email address, phone number, and any details you choose to put in a support request.
- Financial: bank account details, blockchain addresses you nominate for settlement or refunds, billing information.
Information we collect automatically
- Device & usage: IP address, browser type, OS, time-zone, pages visited, dashboard actions, API request metadata.
- Transactional: details of each payment processed through your account, including amounts, asset, network, counterparty addresses, and timestamps.
- Cookies: as described in our cookie policy.
Information from third parties
- Identity verification: data from Onfido, Sumsub, and IDnow used to verify the documents you submit.
- Sanctions & PEP screening: data from Refinitiv World-Check and ComplyAdvantage.
- On-chain analytics: risk scoring from Chainalysis and TRM Labs applied to inbound transaction addresses.
- Banking partners: account confirmation, anti-fraud flags from our settlement partners.
04 Why we collect it
- To verify your identity and the identity of your business (KYC/KYB).
- To screen transactions against sanctions, terrorist-financing, and fraud lists (KYT, Travel Rule).
- To operate the platform: process payments, settle funds, calculate fees, generate invoices, send webhooks.
- To support you: respond to enquiries, debug integration issues, recover lost access.
- To meet legal obligations: respond to lawful requests from regulators, courts, and tax authorities.
- To prevent abuse: detect account takeover, money-laundering typologies, and platform misuse.
- To improve the product: aggregated and de-identified analytics about how features are used.
- To communicate: service notices, security alerts, product updates (you can opt out of marketing at any time).
05 Legal bases (GDPR Art. 6)
We rely on the following lawful bases:
- Contract (Art. 6(1)(b)): to provide the services you ask for under our Terms of Service.
- Legal obligation (Art. 6(1)(c)): AML directives 2015/849 and 2018/843, MiCA Regulation 2023/1114, EU Travel Rule (TFR 2023/1113), tax-reporting laws, and equivalent national regimes.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, network security, product analytics, and direct marketing to existing customers. We've balanced these against your rights and documented the assessment internally; ask if you'd like a copy.
- Consent (Art. 6(1)(a)): non-essential cookies, optional newsletters. You can withdraw consent at any time without affecting prior processing.
Where we process information that constitutes a special category (e.g., biometric data from the selfie liveness check), we rely on Article 9(2)(g) GDPR — substantial public interest in preventing financial crime, supported by EU and national law.
06 How long we keep your data
We don't keep data longer than we need to. Specific periods:
- KYC / KYB records: 5 years after end of the business relationship (EU AML Directive).
- Transaction records: 5 years after the transaction (EU AML Directive); 10 years for tax-relevant items in some jurisdictions.
- Support correspondence: 3 years after resolution.
- Marketing data: until you opt out, plus 30 days for suppression-list integrity.
- Server & security logs: 90 days for application logs; 12 months for security-relevant logs.
- Cookies: see cookie policy for individual lifetimes.
07 Who we share data with
We share personal data with a small number of carefully selected processors and counterparties, under written data-protection agreements:
- Infrastructure: a major EU-region cloud provider, plus a CDN with an EU-only data plane. Hosting & content delivery.
- Identity verification: a regulated EU/EEA KYC provider for document and liveness verification.
- Sanctions, PEP & on-chain analytics: established commercial screening providers, refreshed in near real time.
- Custody: a qualified crypto-asset custodian (segregated wallets, not commingled with operating capital).
- Banking partners: regulated credit institutions or EMIs in our settlement currencies.
- Communications: transactional email and SMS providers used solely for service notifications.
- Analytics: a privacy-preserving, self-hosted analytics tool. No third-party trackers.
- Professional advisors: our auditors, tax advisors, and external counsel, where strictly required.
The specific named partners under each category will be disclosed in this section ahead of public launch and will be available on request to existing merchants under NDA.
We may also share data with regulators, courts, and law-enforcement bodies where compelled by law. Where the law permits, we will inform you before disclosing.
We do not sell personal data. We do not use it to train AI models. We do not share it with advertisers.
08 International transfers
Most processing happens in the European Economic Area. Where we transfer data outside the EEA — for example, to certain on-chain analytics or screening providers based in the United States — we rely on:
- The European Commission's Standard Contractual Clauses (2021/914); and
- Where applicable, the EU–US Data Privacy Framework certifications of our recipients;
- Supplemented by technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls).
A copy of the SCCs in force for a given transfer is available on request from [email protected].
09 Your rights
You have the following rights under the GDPR (and equivalent rights under the UK GDPR and most jurisdictions where we operate):
- Access: a copy of the personal data we hold about you.
- Rectification: correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): deletion where we no longer need the data, subject to our legal retention obligations.
- Restriction: pause processing while a dispute is resolved.
- Portability: a machine-readable copy of the data you gave us.
- Objection: object to processing based on legitimate interests, including profiling for risk-scoring.
- Withdraw consent: for processing that relies on consent.
- Lodge a complaint: with your national data-protection supervisory authority. Within the EU, you may find the relevant authority at edpb.europa.eu.
To exercise any right, write to [email protected]. We respond within one month (extendable to three for complex requests). We do not charge a fee unless the request is manifestly unfounded or excessive.
10 Cookies & tracking
We use a small number of strictly-necessary cookies and one privacy-preserving analytics tool. We do not use cookies for advertising. Full details in our cookie policy.
11 Security
We follow the ISO 27001 framework and SOC 2 Type II controls. In summary:
- TLS 1.3 in transit; AES-256-GCM at rest; field-level encryption for KYC documents.
- Multi-factor authentication required for all administrative access; hardware-key for production.
- Quarterly penetration tests by an independent firm.
- 24/7 security operations centre; published runbooks for incident response.
- Bug-bounty programme open to the public via [email protected].
In the event of a personal-data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, in accordance with Article 33 GDPR.
12 Children
CoinMoove is not directed at, nor available to, persons under 18. We do not knowingly collect data about minors. If you become aware that a minor has provided us with personal data, please contact [email protected] so we can delete it.
13 Changes to this policy
We may amend this policy from time to time. Material changes are announced in the dashboard and by email at least 30 days before they take effect. Historical versions are archived and available on request.
14 Contact
For any privacy question, write to:
Data Protection Officer · CoinMoove
[email protected]
Registered-office details, EU and UK Article 27 representatives, and full controller information will be added here ahead of public launch.